https://bugzilla.redhat.com/show_bug.cgi?id=1203018

--- Comment #20 from Marcin Haba <marcin.haba@xxxxxxxxx> ---

@Dominik, @Jonathan, Matthias:
Thank you for all your advice and recommendations in this Baculum request. It is precious knowledge for me, especially as a beginner in RPM packaging.

@Dominik
Thanks for your corrections to the English texts in the Baculum package description. Thanks also for indicating to me the proper ordering of sections.

About Baculum working with Apache. It is a good idea to have separate subpackages for Apache and Lighttpd. I will work on it and I will try to find a common way in Baculum to fully support both web servers. Generally Baculum works fine with Apache, but in this usage it is not possible to serve some Baculum functionalities (which I mentioned in "Comment 6"). If finding a solution for full Apache support turns out to be impossible, then I will modify the Baculum code to hide the functionalities not supported in the Apache environment and inform about this fact in a message on the Baculum interface.

About SELinux compilation by the Spec file. Thanks for showing me a proper sample, I will use it and I will add selinux-policy-devel to the requirements.

You mentioned unfettered access for web server users to bconsole with root privileges. Baculum does not provide a sudoers.d definition for bconsole. Users have to choose in the Baculum install wizard whether they want to use sudo or not. If sudo access is checked, then the user needs to provide a prepared sudoers.d file themselves. If sudo access is not checked, then the user also needs to make bconsole accessible themselves. Both solutions have their disadvantages. Sudo for lighttpd to execute bconsole may sound OK, especially since the lighttpd user has /sbin/nologin as its default shell. However, it is root access to bconsole, so it may not be safe. Access without sudo may also sound OK, but the customer needs to provide a way for the web server user to read the bconsole.conf file in order to execute bconsole.

Steps for the user to do after installing Baculum are:
1) Choose in the install wizard how Baculum should connect to bconsole
2) If connecting using sudo, then there is a need to provide sudoers.d
3) If connecting using direct access (no sudo), then there is a need to make the bconsole.conf file readable by the web server user (for exec('/usr/sbin/bconsole -c /etc/bacula/....etc.) and change the web server user shell.

All three points above are for the user to choose.

There are at least a few additional barriers to force in order to get access to Baculum and then bconsole.
1) Access to Baculum is realized by web server HTTP Basic auth (no internal Baculum login pages)
2) In Baculum there is one admin role and there can be a lot of normal users. They all have their own HTTP Basic credentials.
3) Normal users are assigned dedicated restricted console access defined as Bacula Console ACL. It is restricted access from the Bacula side (not the Baculum side), for example user1 can only check Bacula status, user2 can only run one specific backup job. All these actions are done by the Bacula administrator.
4) Baculum has a defined possibility to execute only pre-defined commands in bconsole (no pipes, injections, etc.).

@Jonathan:
Thanks for the info about updating the Release tag. I will keep it in mind for the next Spec and SRPM.

About symlinks, I will check what I can do with them. Maybe you are right about creating them in %install. I will check it and I will add comments to the Spec file.

Using a Makefile is a really good idea. I will prepare this Makefile. Thank you for this idea :)

@Dominik, @Jonathan and Matthias:
Thank you again for your help. With each of your comments Baculum becomes better :)

I will be back here with a new Spec and SRPM when I have all the changes ready.
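
The fourth barrier in the message above (only pre-defined bconsole commands, no pipes or injections), together with the sudo versus direct-access choice, sketched as an added example; it is not Baculum's code and not part of the original message. The allowlist entries, the function names and the placeholder config path are assumptions.

```python
import re
import subprocess

BCONSOLE = "/usr/sbin/bconsole"    # binary path as quoted in the message
CONFIG = "/path/to/bconsole.conf"  # placeholder: the message elides the real path

# Hypothetical allowlist: command name -> pattern its whole argument string must match.
ALLOWED = {
    "status": re.compile(r"director|client=[A-Za-z0-9_.-]+"),
    "list": re.compile(r"jobs|clients"),
    "run": re.compile(r"job=[A-Za-z0-9_.-]+ yes"),
}


def build_invocation(command_line, use_sudo):
    """Return (argv, stdin_text) for one allowlisted command, else raise ValueError."""
    name, _, args = command_line.strip().partition(" ")
    pattern = ALLOWED.get(name)
    # fullmatch leaves no room for pipes, ';' or embedded newlines.
    if pattern is None or pattern.fullmatch(args) is None:
        raise ValueError("console command not allowed: %r" % command_line)
    argv = [BCONSOLE, "-c", CONFIG]
    if use_sudo:
        # -n makes sudo fail instead of prompting when no sudoers.d rule matches.
        argv = ["sudo", "-n"] + argv
    # The command goes to bconsole on stdin; nothing user-supplied reaches argv.
    return argv, "%s %s\nquit\n" % (name, args)


def run_console(command_line, use_sudo=False):
    """Run one validated command; an argv list means no shell parses the input."""
    argv, stdin_text = build_invocation(command_line, use_sudo)
    done = subprocess.run(argv, input=stdin_text, capture_output=True,
                          text=True, timeout=30, check=False)
    return done.returncode, done.stdout


if __name__ == "__main__":
    # Constructed sample inputs: two accepted commands and three rejected ones.
    for line in ["status director", "run job=NightlyBackup yes",
                 "status director | cat", "status director; quit",
                 "list jobs\nrun job=x yes"]:
        try:
            print("ALLOW", build_invocation(line, use_sudo=True))
        except ValueError as err:
            print("DENY ", err)
```

Validation in the web application complements, and does not replace, the Bacula Console ACL restrictions described in point 3.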