monotone-devel

Re: [Monotone-devel] Google Summer of Code 2006


From: Chad Walstrom
Subject: Re: [Monotone-devel] Google Summer of Code 2006
Date: Fri, 21 Apr 2006 17:09:06 -0500

Thank you, Ethan, for replying.  We are seeing eye to eye on this one.
OpenSSH has had nothing but problems with trying to debug and secure
the privileged separation code.  It has poor interaction with other
authentication systems, and has been all-around buggy.  Yet, like
Ethan stated, there are more eyes, and the CAN bulletins are generally
made AFTER a fix had been published: they're that fast. ;-)

Like Ethan, I also run my web server as an unprivileged user and don't
allow suexec.

Richard is right in that having a master process that runs as root to
which usher talks adds complexity (but not much).  It also insulates
the public interface from risky tasks, such as switching process
users.

Of course, you wouldn't need the master process if:
1. You never host local databases
2. You're OK with usher running multiple databases as a single user.
3. You manage (launch) the servers with some other system/setup

If you need the extra security of running servers as different users
(Savannah), then another management solution is necessary.  Running
thousands of servers all the time. (Ouch)  Implement some sort of
firewall port-knocking swatch launcher. (Icky.  Yes, I said, "Icky.")

The nice thing about having a master process is that it doesn't have
to be that complex.  Listen to a socket.  Receive a request from usher
for a local database.  Launch 'mtn -d DBPATH serve --bind 127.0.0.1
--port RANDPORT ...' as the appropriate user.  Give usher the port or
failure message.  usher then works as it normally does.  It just needs
a new target, a socket to the master process.

Anyway, it's a brain-storming feature request.  Not a high priority,
but if we want Monotone on Savannah, I'd hedge my bets that it would
be well-received by the Savannah admins. 
-- 
Chad Walstrom <address@hidden>           http://www.wookimus.net/
           assert(expired(knowledge)); /* core dump */
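
The master-process flow described in the message above, as an added sketch that is not part of the original post and is not monotone or usher code. The `LAUNCH <name>` wire format, the registry contents and all function names are assumptions made for illustration; the `mtn` command line is the one quoted in the message, and the caller is assumed to pick the port.

```python
import os, pwd, re

# Constructed registry (hypothetical names/paths): database -> (unix user, db file).
REGISTRY = {
    "projA": ("mtn-proja", "/srv/mtn/projA.mtn"),
    "projB": ("mtn-projb", "/srv/mtn/projB.mtn"),
}
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def parse_request(line: bytes) -> str:
    """Hypothetical wire format from usher: b'LAUNCH <name>\\n'."""
    parts = line.decode("ascii").rstrip("\n").split(" ")
    if len(parts) != 2 or parts[0] != "LAUNCH" or not NAME_RE.fullmatch(parts[1]):
        raise ValueError("malformed request")
    return parts[1]

def plan_launch(name: str, port: int):
    """User and path come only from the registry, never from the request."""
    user, dbpath = REGISTRY[name]  # KeyError for unknown databases
    # Command line as given in the message; list form, so no shell is involved.
    return user, ["mtn", "-d", dbpath, "serve",
                  "--bind", "127.0.0.1", "--port", str(port)]

def drop_and_exec(user: str, argv: list) -> None:
    """Runs in the forked child while still root; never returns."""
    try:
        pw = pwd.getpwnam(user)
        if pw.pw_uid == 0:
            raise PermissionError("refusing to serve as root")
        os.setgroups([])       # supplementary groups first
        os.setgid(pw.pw_gid)   # then the group
        os.setuid(pw.pw_uid)   # uid last; root is gone after this
        os.execvpe(argv[0], argv, {"PATH": "/usr/bin:/bin", "HOME": pw.pw_dir})
    finally:
        os._exit(127)          # reached only if something above failed

def fork_spawn(user: str, argv: list) -> None:
    if os.fork() == 0:
        drop_and_exec(user, argv)

def handle(line: bytes, port: int, spawn=fork_spawn) -> str:
    """One request in, one reply out: the port, or a failure message."""
    try:
        user, argv = plan_launch(parse_request(line), port)
    except (ValueError, KeyError):
        return "ERR denied\n"
    spawn(user, argv)
    return f"OK {port}\n"
```

The reply is sent once the child has been forked, not once `mtn` is listening, so the caller still has to handle a connection failure on the returned port.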




