Project Web – call for testers

We’re looking for projects interested in becoming early adopters for our newly-enhanced Project Web service.  For years we’ve provided a general web hosting platform, called Project Web, to allow projects to host web pages, provide demos of their applications and deploy third-party web apps for use by their team.  We’ve just finished a major reimplementation of this service, eliminating many of the limitations of our old service and moving to current versions of the components in the web stack (PHP 5.3, Python 2.6, etc.).

What is wrong with Project Web today?

Seasoned users of our Project Web service know the main limitation is in the security model.  We’ve made use of mass VHOSTing support for the sake of performance and flexibility, but that has meant all files had to be readable by the web server user.  There were some alternate security models available in the form of Apache modules that made setuid/setgid calls before serving anything, but these had a lot of overhead, or were not compatible with mass VHOSTing.

What is changing with Project Web?

We’ve solved this vhosting and security model problem in a lightweight, well-performing way, and have released the result under an Open Source license.  Our solution is to make use of a FUSE filesystem which handles permission grants based on a database lookup and a set of rules (ignoring the permissions on the underlying filesystem), and a companion Apache module which passes information to the FUSE filesystem advising which project a specific Apache pid is serving.  This allows a great deal of flexibility and covers traditional problem spots for secure vhosting: CGI scripts and mod_php.  While still undergoing testing, we’ve made this code available at: http://sourceforge.net/projects/sourceforge/files/project-perms/

This approach to file permissions opens the door to a lot of enhancements to the Project Web service.  We intend to permit outbound email access (via an authenticated SMTP server, tied to a per-project password).  Access logs will be available for the first time, with the last octet obfuscated for the sake of privacy.  And project data, including MySQL passwords stored on disk, can be visible solely to the project team and the project’s web scripts.
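The access rule described above can be modelled in a few lines. This is an added illustration, not the project-perms code: the mount point, the web server uid, the team table and every function name are assumptions made for the example.

```python
# Added model of the access decision; not the project-perms implementation.
# WEB_ROOT, APACHE_UID, TEAM and all function names are assumed for illustration.
from pathlib import PurePosixPath

WEB_ROOT = PurePosixPath("/srv/project-web")   # assumed mount point of the FUSE tree
APACHE_UID = 48                                 # assumed uid of the web server user

# Constructed stand-in for the database lookup: project -> uids on its team.
TEAM = {"alpha": {1001, 1002}, "beta": {2001}}

# Populated from the Apache module side: worker pid -> project it is serving now.
serving = {}

def advise(pid, project):
    """Record which project a worker pid is serving; None clears the entry."""
    if project is None:
        serving.pop(pid, None)
    else:
        serving[pid] = project

def owning_project(path):
    """Return the project whose tree contains path, or None if outside WEB_ROOT."""
    p = PurePosixPath(path)
    if ".." in p.parts:          # refuse traversal rather than trying to resolve it
        return None
    try:
        rel = p.relative_to(WEB_ROOT)
    except ValueError:           # relative path or a path outside the tree
        return None
    return rel.parts[0] if rel.parts else None

def may_access(pid, uid, path):
    """Decide from caller identity and rules only; on-disk mode bits are never read."""
    project = owning_project(path)
    if project is None or project not in TEAM:
        return False
    if uid == APACHE_UID:
        # A web server process is limited to the project its pid was advised for.
        return serving.get(pid) == project
    return uid in TEAM[project]
```

The point of the model is the default: a web server pid with no advised project, or one advised for a different project, is refused even though every file would be readable by the web server user under the old scheme.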

How can you get this right away?

A few of our projects have been using our test servers over the past couple of months and we’re ready for broader deployment.  We’re now looking for more projects to aid in testing the revamped service before we completely replace the old project web infrastructure.  If you’re a project administrator interested in participating in this test cycle, please send us a note at sfnet_ops@geek.net and we’ll add you to our list.  If the testing goes well, we hope to roll out this service to everyone in a matter of weeks.

Comments welcome.

Sincerely,

Jacob Moorman, Wayne Davison, David Burley, Nathan Hruby, Chris Everest, and Chris Tsai,
the Geeknet Service Operations team.
sfnet_ops@geek.net