Heck yes. I now have this working on my test server with no issues. It’s beautiful. I’ll expand on this later but for now I’m going to get some muchly needed rest, knowing I have done something awesome.
Quick notes on web serving ideas
In my quest to be better at this system administration stuff I have encountered the hurdle of serving files without compromising user security. Here are some quick thoughts on things I want to explore.
Problem
We don’t want users on the one server to browse into other users’ folders, nor do we wish to allow scripts to be run that can access other users’ folders. We do however want everyone to be able to browse whatever is available through their web browser.
Currently
At the moment I have a web server which serves all files through a single nginx instance. This is running on the user “www-data” which has to be able to at least read all the files under /home to be able to serve correctly. Our php-fpm setup is per-user. This means every user has their own worker pool so that scripts that are readable per user are all that can be run. This is somewhat useless at the moment though because all users can browse around the /home directories with impunity. That is the problem we wish to address. I do believe that php-fpm will restrain its activities to folders you set, so we might be ok on that side of things, but scripts could still be created to read files out from other places.
Idea
As nginx is a pretty lightweight application we could try making an nginx instance per-user. This would then allow files to be read by nginx (running as whatever user you set instead of the global www-data) and would let us lock down each /home folder for each user.
Plan
I need to test out whether this will work and if I can automate the setup process of this type of setup. It would be a pain to have to do it manually each time a new user was added or removed. The automation is by-the-by really, but it would save time in the long run. First I’ll see if my ideas are valid and a good option.
PHP-FPM, making use of pools
So I discovered that I could use pools to designate under which user a script should be run on an NGINX+PHP-FPM setup. This was actually incredibly easy to set up and was just a matter of creating a new pool section in the PHP-FPM configuration file and updating the NGINX site definitions.
This now lets any script placed under a user’s folder be run and managed by the user; previously scripts had to be changed to the general “www-data” user and group. Depending on your server setup this can be very advantageous. In my case I have multiple users using a single server and I want them to be somewhat autonomous.
The next step in my server administration journey is the art of configuring chroot or something similar to ensure users are somewhat jailed to their own space. It is not at all advantageous to allow your users to see into other users’ folders, as recently highlighted by Matt over on WordPress.org.
Once I have the chroot stuff complete I’ll post on how I set it all up including the PHP-FPM pools.
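The per-user pool setup described in this post, and the automation mentioned in the earlier web serving notes, could be scripted along these lines. This is an added example, not the author's configuration: the socket directory, the /home/<user> layout with a per-user tmp directory, the pm values and the username alice are all assumptions.

```shell
#!/bin/sh
# Added example: render a per-user PHP-FPM pool and the matching nginx block.
set -u

SOCK_DIR="/run/php"   # assumed socket directory
HOME_ROOT="/home"     # assumed layout: /home/<user>/ with a tmp/ subdirectory

# Accept only simple account names, so a name can never escape the
# path (../) or smuggle extra directives in via an embedded newline.
valid_user() {
  case "$1" in
    ''|-*|*[!a-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print a pool section that runs PHP as the user, not as www-data.
render_pool() {
  valid_user "$1" || { echo "invalid username" >&2; return 1; }
  cat <<EOF
[$1]
user = $1
group = $1
listen = $SOCK_DIR/$1.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5
php_admin_value[open_basedir] = $HOME_ROOT/$1/
php_admin_value[upload_tmp_dir] = $HOME_ROOT/$1/tmp
php_admin_value[session.save_path] = $HOME_ROOT/$1/tmp
EOF
}

# Print the nginx location block that hands .php requests to that pool.
render_nginx_location() {
  valid_user "$1" || { echo "invalid username" >&2; return 1; }
  cat <<EOF
location ~ \.php\$ {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
    fastcgi_pass unix:$SOCK_DIR/$1.sock;
}
EOF
}

# Demo with a constructed username.
render_pool alice
render_nginx_location alice
```

The open_basedir line is what keeps a user's scripts from reading other paths. It does nothing about nginx itself reading files under /home, which is the part the per-user nginx idea is meant to address.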
Melative Open UI
I’ve been making some changes around the place to my branch of the Melative UI. It’s coming along nicely so far, the big hurdle has been enforcing structure and human readable references across the board.
After stripping down a lot of the UI (in fact all JS and CSS was pulled) I’ve been working on the navigation of the site to get that all in order. The next step will be to work on the browsable areas (basically all the titles/media). Once I have that in hand I’ll tackle the functionality of melative such as the stream and logging experiences. Finally I’ll hit up all the settings and misc pages about the place.
Once that’s done it should be good to go but will need a code review by Ryan to reduce some of the gammy PHP calls I’ve put in. There have been a few things altered in the core to allow a simplified UI and in fact when I hit stuff up after the navigation there will be a lot of code changes to conform the calls I imagine.
So anyway, thought I’d give an update.
Looks like I’m pretty much done with the design, there are some minor tweaks I will implement on coding but otherwise I’m happy with how it looks. Hopefully I can get this coded up fairly quickly. The only question being what do I use as the base? I could use the WP3.0 default theme I guess but that won’t be out for a little bit.
I usually make use of an existing theme only because it has all the functions written out and what not. I could do it from scratch though I guess. I’ll code it up in plain html first then start converting the chunks over to PHP + WP.
Apple, yup it’s out of warranty
So the warranty for my iMac is out. By a little bit. Looks like the HDD has failed and unfortunately the HDD doesn’t come with a manufacturer’s warranty when it’s put inside an Apple computer. So it is I find myself browsing for instructions on how to replace the HDD and for which drive I should get. Currently the 320GB drive that is in the iMac doesn’t get used but for the price point I can get a 500GB drive that suits my needs perfectly and it comes with a manufacturer’s warranty.
Looks like I’ll grab that drive and slide it on into the iMac. Also, who would have thunk that you use a suction cup to get into the iMac. Go figure.
http://helpmemartin.blogspot.com/2009/03/upgrade-replace-imac-hard-drive-2008.html
Design, not in my blood pt2
So after some tweaking, I think I’m reaching a better design on the new look for Capitol Effect. It’s not that I’m against using other people’s designs or anything, but I do feel awkward about using someone else’s work to encase my own. It doesn’t feel very personal. So here’s a look at what the frontpage would look somewhat like.
There isn’t a lot of space designated for the latest post I know but I’m happy with that. I would expect that if anyone was reading what I wrote that they would keep up to date with my feed. Next up I’ll fill in the footer with content then do a single post/page to see how that should look. Then I should do an attachment page followed by perhaps a 404. Then it’s just a matter of coding it into action.
Summer Coding, the goodness
Well for starters this has been a pretty dull Summer. Because of the general lack of clear sky I have found myself more inclined to be inside and chilling out while doing something productive. This has led to the progression of a few of the projects I help out with.
This isn’t due to any major coding on my part; it’s mainly because Ryan and I have had the time to bounce ideas and do testing and things. Ryan is the main developer on these projects, he’s pretty awesome at it.
I was talking with Ryan the other day about the best way to make traction on projects, more specifically Melative. Ryan wants to get more focus so that development is more progressive I guess. We only covered it briefly but the idea was floated that Melative is an Open Resource.
The concept of an Open Resource I guess is, “a service/tool that provides a function that can change due to need”. That need could be defined by anyone who wanted to have input on the project. It also implies access is fairly open to individuals but that doesn’t mean access can’t be restricted.
If Melative is treated like an Open Resource then the focus shifts to trying to make the resource effective in management of information and in serving that information. Melative already has an API that allows its functionality to be called remotely. The focus perhaps needs to remain on how generally the information is best managed and called.
This is really separate from developing the UI to look pretty. The UI can follow good development that happens on the internals. The main parts to the service are really entering/editing content and pulling that content via API functions. The way the data is displayed on the Melative website is merely an example of how the content and function of the service can be used.
In saying that I recently posted a tidbit on the idea of Open Source UI and with Melative we now have this as a possibility. Ryan and I spent the afternoon smashing our heads against the wall trying to do things we assumed would be easy in Git. We were mistaken, however Ryan did get the whole shebang working. So basically there are a few of us who can now do as we please in regards to the UI.
This is pretty cool and as of yet I’m not quite sure where I’m heading. I think my first steps will be to just get all the code uniform and working consistently across browsers. I’m not exactly the world’s best designer so I’ll stick to making the code pretty until I can think of any innovations.
Anyway I think that I should go make dinner now. It’s been rad ladies.
Design, maybe I can get this right
So I thought I would have another go at designing the core areas for Kronblr. I didn’t start with wireframes or anything so the design process is very scattered. It’s better than going straight to code of course. Here’s what I’ve done so far. You know, it’s times like these that I wish I had done some sort of Typography training.











