Christian Boltz wrote:
> [...] - webapps that allow updating themselves online (like wordpress - and no, I won't be surprised if I see a *shudder* from Ludwig because this requires write permissions for wwwrun on the whole webapp)
Yeah, I always need to have a sick bag handy when thinking about web apps ;-) As Ralph already wrote, the update mechanism for an rpm package is installing an updated rpm package. If you don't like that then don't install the app as rpm in the first place. We don't let e.g. Firefox update itself per user either.
> Things aren't as easy as you'd like them to be ;-) and you'll probably end up with lots of symlinks (depending on which webapp you package of course).
I guess some webapps are better and some are worse, depending on who wrote it and for what purpose. I'm sure a well designed application would work both in the shared hosting scenario as well as in the system package mode with least privilege thinking and separation of data and configuration. It's just the same as with 'native' programs. Fortunately DOS style programs that want world writeable /opt/something directories or only work in $HOME are almost extinct.
> If you want real-world examples which parts/directories need to be writeable, I can look up the details in my apache AppArmor profile for (at least) Joomla, Typo3, S9Y and Mediawiki.
I'm not sure what the number of hits in the CVE database for those candidates tells us about them :-)

cu
Ludwig

--
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
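An added example, not part of the original mail: a Python audit that lists which code files and directories under a webapp tree a given account (wwwrun in the thread) could modify, going by mode bits alone. The extension list, the function names and the sample tree are constructed assumptions.

```python
import os
import stat
import tempfile

CODE_EXT = {".php", ".phtml", ".inc"}  # assumption: what counts as webapp code

def can_write(st, uid, gids):
    """Write access according to the mode bits only (ignores ACLs, root, sticky bit)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_webapp(root, uid, gids=()):
    """Return (replaceable_code, writable_dirs), paths relative to root."""
    code, dirs = [], []
    for dirpath, _, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        dir_writable = can_write(os.lstat(dirpath), uid, gids)
        if dir_writable:
            dirs.append(rel)
        for name in filenames:
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits say nothing about the target
            if os.path.splitext(name)[1].lower() not in CODE_EXT:
                continue
            # A file in a writable directory can be replaced even if read-only.
            if dir_writable or can_write(st, uid, gids):
                code.append(os.path.normpath(os.path.join(rel, name)))
    return sorted(code), sorted(dirs)

def build_sample_tree():
    """Constructed sample: read-only code, one writable config, one upload dir."""
    root = tempfile.mkdtemp(prefix="webapp-")
    os.mkdir(os.path.join(root, "uploads"))
    for rel, mode in (("index.php", 0o444), ("config.php", 0o644),
                      ("uploads/helper.php", 0o444), ("uploads/photo.jpg", 0o644)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o755)
    os.chmod(root, 0o555)  # stands in for a root-owned, package-installed tree
    return root

if __name__ == "__main__":
    print(audit_webapp(build_sample_tree(), os.getuid(), os.getgroups()))
```

On a real system the uid and gids would be those of the web server account, and an empty first list is what the package-managed setup described in the thread should produce.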