If I understand, the security problem is that the user under which aolserver runs should not have write access to the binary. I'm uncomfortable with the "joeuser" setup because I don't think that accounts used for routine login should also be running services. I also don't think we should have any instance stuff in /home. What about this:
- a dedicated, nologin user for each instance.
- Each instance has a directory in /web/instance-name which is only readable by the user
- All instance-specific config files, including instance-name.tcl, the ssl subdir (ssl instructions, including generating self-signed certs, are being integrated into the install doc, by the way), the analog config and the daemontools subdir, go in /web/instance-name/etc
?
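As an added illustration (not part of the original thread or of AOLserver itself), here is a small POSIX shell script that lays out one instance the way the proposal describes and audits the permission assumptions it depends on: the instance tree is owner-only, and the server binary carries no group/other write bit, so a service account that owns nothing but /web/instance-name cannot modify it. The /web prefix is taken from the post; the `nsd` binary name, the nologin shell path and the `useradd` flags are assumptions, and user creation is kept in a separate root-only function so the layout can be rehearsed under a scratch root as an ordinary user.

```shell
#!/bin/sh
# Added example: per-instance layout from the proposal, plus a permission audit.

# make_instance ROOT NAME: create ROOT/web/NAME with the etc subtree from the
# proposal (ssl, daemontools, analog) and make the whole tree owner-only.
make_instance() {
    inst="$1/web/$2"
    mkdir -p "$inst/etc/ssl" "$inst/etc/daemontools" "$inst/etc/analog"
    # 0700: only the instance user (the future owner) can read its config.
    chmod 0700 "$inst" "$inst/etc" "$inst/etc/ssl" \
               "$inst/etc/daemontools" "$inst/etc/analog"
    # instance-name.tcl placeholder, readable/writable by the owner only.
    : > "$inst/etc/$2.tcl"
    chmod 0600 "$inst/etc/$2.tcl"
}

# create_instance_user NAME INSTDIR: dedicated, nologin service account that
# owns the instance tree and nothing else. Must run as root; the nologin
# shell path and useradd flags are assumptions about the target system.
create_instance_user() {
    useradd -r -s /usr/sbin/nologin -d "$2" "$1" && chown -R "$1" "$2"
}

# mode_of PATH: the ten-character permission string, e.g. drwx------
mode_of() { ls -ld "$1" | cut -c1-10; }

# check_instance ROOT NAME BINARY: succeed only if the layout matches the
# proposal and the server binary is not writable by group or others.
check_instance() {
    inst="$1/web/$2"
    [ "$(mode_of "$inst")" = "drwx------" ] || return 1
    [ "$(mode_of "$inst/etc")" = "drwx------" ] || return 1
    [ "$(mode_of "$inst/etc/$2.tcl")" = "-rw-------" ] || return 1
    # positions 6 and 9 of the mode string are the group/other write bits;
    # either one set means the instance account could replace the binary.
    case "$(mode_of "$3")" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}
```

Run as root, the sequence would be `make_instance / myinst`, `create_instance_user myinst /web/myinst`, then `check_instance / myinst /usr/local/aolserver/bin/nsd`.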