NFS and apache...

Christopher Hilton chris at vindaloo.com
Wed May 30 20:51:47 UTC 2007 

Erik Norgaard wrote:

>> How can i do this? I am trying but im getting permission denied...while
>> trying to create a file...
> 
> NFS is insecure (No File Security) since there is no authentication. You 
> get access with the user id of your current user.
> 

I didn't want to touch the security problems with this as I assumed that 
  the original poster knows about them. Just the same I'm assuming that 
webserver:/etc/exports has a line like:

     /usr/local/www/data/mysite -maproot=nobody:nogroup 192.168.233.17

which would tighten down the mount to just the one machine. As a 
developer, without even looking at security I think that direct access 
to the webroot tree is a bad idea. However I'm giving the original 
poster the benefit of the doubt. Perhaps he's just trying to learn HTML 
and PHP.

[snip]

> 
> One security measure is implemented though: root user on client is 
> treated as nobody on the server. There is an option you can add to the 
> exports file (forgot which), to override this see the exports manpage.
> 
>> Also if you have a different solution for updating the site..they are
>> welcome..
> 
> Unless you have problems with diskspace, why not just use rsync? Do it 
> manually and you get time to correct blunders before they become public, 
> or do it as a cronjob.
> 

rsync
scp,
dav,
*** cvs ***

When I work on a website I tend to start with the site directory in cvs 
to protect me from the damage caused by fat fingers. I'm an old C 
programmer and CVS and Make are tools that I'm used to so I usually add 
a really simple make file to the web tree...

***** Typical Makefile for web project *****
-- cut from here --

update:
	cvs -PAd .

MYWEBUSER = 	www
MYHOST =	webserver.example.com
MYWEBROOT =	/usr/local/www/data/webserver.example.com/

publish:
	rsync -auv ./ $(MYWEBUSER)@$(MYHOST):$(MYWEBROOT)

-- to here --

Then running:

      $ make update

on the webserver from within the webtree will refresh the site from the 
latest copy in CVS. In my opinion this is the best way because with a 
little CVS knowledge you can back out any mistakes. This is also nice 
since it only depends on the ability for both your development machine 
and webserver to be able to reach the cvs server. A final nicety is that 
there are CVS clients for FreeBSD, Windows, and Mac OS X. On the 
downside you do have to setup a cvs server.

Add a  little magic with ssh-keygen and the command:

      $ make publish

will push the current state of the web project, N.B. whatever it may be, 
onto the webserver. This is a lower overhead way of publishing that has 
the danger of no fallback position in case something is screwed up. 
Honestly I think that the publish tag is better used for testing than 
production but not every is willing to go to the overhead of using 
revision control (CVS, SVN, what have you) on this stuff.

-- Chris

-- 
       __o          "All I was doing was trying to get home from work."
     _`\<,_           -Rosa Parks
___(*)/_(*)___________________________________________________________
Christopher Sean Hilton                    <chris | at | vindaloo.com>
         pgp key: D0957A2D/f5 30 0a e1 55 76 9b 1f 47 0b 07 e9 75 0e 14

More information about the freebsd-questions mailing list