「ウェブアプリケーションパッケージガイドライン」の版間の差分

提供: ArchWiki
ナビゲーションに移動 検索に移動
1行目: 1行目:
{{Translateme|記事の追加と飜訳が必要です。}}
+
{{Translateme|飜訳が必要です。}}
 
[[Category:パッケージ開発]]
 
[[Category:パッケージ開発]]
 
[[en:Web application package guidelines]]
 
[[en:Web application package guidelines]]
  +
[[pt:Web application package guidelines]]
 
{{Package Guidelines}}
 
{{Package Guidelines}}
 
 
このページではウェブアプリケーションをパッケージ化する方法を説明します。
 
このページではウェブアプリケーションをパッケージ化する方法を説明します。
  +
== Separate user ==
  +
  +
For security reasons, every web application should be run as a separate (unprivileged) user (i.e. {{ic|''$pkgname''}}).
  +
  +
{{Note| Traditionally, many web applications were run as the {{ic|http}} user/group, which can be considered unsafe, as in such a scenario applications can read each other's files.}}
  +
  +
Refer to the {{man|8|systemd-sysusers}}, {{man|5|sysusers.d}}, {{man|8|systemd-tmpfiles}} and {{man|5|tmpfiles.d}} man pages for details on how to create users and deal with ownership of files and folders for that user in a package.
   
 
==ディレクトリ構造==
 
==ディレクトリ構造==
レイアウトの例:
 
   
  +
The layout follows the [[FHS]].
* {{Ic|/etc/webapps/''$pkgname''}}
 
  +
* {{Ic|/usr/share/webapps/''$pkgname''}}
 
  +
* {{ic|/usr/share/''$pkgname''}}: The application's ''data directory'' holds the files of the web application. Files are owned by {{ic|root}} and are therefore readonly to the application user and group {{ic|''$pkgname''}}.
  +
* {{ic|/etc/''$pkgname''}}: The ''configuration directory'' of the application holds configuration files for the application (symlinked to the ''data directory''). Files located here have to go to the [[PKGBUILD#backup|backup]] array and are owned by the user and group {{ic|''$pkgname''}}.
  +
  +
:{{Warning| Files potentially containing authentication information '''must be protected''' (i.e. not readable by any other user or group on the system, except {{ic|root}} and {{ic|''$pkgname''}})!}}
  +
  +
* {{ic|/run/''$pkgname''}}: The ''runtime directory'' of the application (owned by the user and group {{ic|''$pkgname''}}). It can be used for sockets (e.g. in setups facilitating [[UWSGI#Socket_activation|socket activation]]).
  +
:{{Note| According to the package guidelines on [[Arch_package_guidelines#Directories|directories]], {{ic|/run}} must not be contained in a package. Use [[tmpfiles]] to add the directory with matching permissions.}}
  +
  +
* {{ic|/var/cache/''$pkgname''}}: The ''cache directory'' of the application (owned by the user and group {{ic|''$pkgname''}}). It (or subfolders in it) is symlinked to the ''data directory'' for applications requiring writable cache directories.
  +
* {{ic|/var/lib/''$pkgname''}}: The ''persistent storage'' of the application (owned by the user and group {{ic|''$pkgname''}}). It (or subfolders in it) is symlinked to the ''data directory'' for applications requiring persistent storage directories.

2021年9月30日 (木) 15:33時点における版

この記事あるいはセクションは翻訳の途中です。

このページではウェブアプリケーションをパッケージ化する方法を説明します。

Separate user

For security reasons, every web application should be run as a separate (unprivileged) user (i.e. $pkgname).

ノート: Traditionally, many web applications were run as the http user/group, which can be considered unsafe, as in such a scenario applications can read each other's files.

Refer to the systemd-sysusers(8), sysusers.d(5), systemd-tmpfiles(8) and tmpfiles.d(5) man pages for details on how to create users and deal with ownership of files and folders for that user in a package.

ディレクトリ構造

The layout follows the FHS.

  • /usr/share/$pkgname: The application's data directory holds the files of the web application. Files are owned by root and are therefore readonly to the application user and group $pkgname.
  • /etc/$pkgname: The configuration directory of the application holds configuration files for the application (symlinked to the data directory). Files located here have to go to the backup array and are owned by the user and group $pkgname.
警告: Files potentially containing authentication information must be protected (i.e. not readable by any other user or group on the system, except root and $pkgname)!
  • /run/$pkgname: The runtime directory of the application (owned by the user and group $pkgname). It can be used for sockets (e.g. in setups facilitating socket activation).
ノート: According to the package guidelines on directories, /run must not be contained in a package. Use tmpfiles to add the directory with matching permissions.
  • /var/cache/$pkgname: The cache directory of the application (owned by the user and group $pkgname). It (or subfolders in it) is symlinked to the data directory for applications requiring writable cache directories.
  • /var/lib/$pkgname: The persistent storage of the application (owned by the user and group $pkgname). It (or subfolders in it) is symlinked to the data directory for applications requiring persistent storage directories.