Forum OpenACS Development: Re: Reference Platforms and Supported Platforms

Collapse
Posted by Jerry Asher on
Echoing Vinod, given the limited flexibility of aolserver config files, I think it is a mistake to put them into /etc.

I place most aolserver things into ~/aol<version> and most openacs things into ~/openacs<version> and then I cons a new user for each aolserver/openacs installation.

Collapse
Posted by Joel Aufrecht on
If I understand, the security problem is that the user under which aolserver runs should not have write access to the binary. I'm uncomfortable with the "joeuser" setup because I don't think that accounts used for routine login should also be running services. I also don't think we should have any instance stuff in /home. What about this:
  • a dedicated, nologin user for each instance.
  • Each instance has a directory in /web/instance-name which is only readable by the user
  • All instance-specific config files, including (instance-name.tcl, ssl subdir (ssl instructions, including generating self-signed certs, are being integrated into the install doc, by the way), analog config, daemontools subdir), go in /web/instance-name/etc
?