
I just discovered the PIDA Python IDE. It's really, really nice...
What I love best about this IDE: it embeds VIM. The first IDE ever with a reasonable editor inside! ;-)
You can use other "editors", too, of course. ;-)
Actually, I didn't use many of the IDE features except the file list, which I could have obtained with a dozen VIM macros as well. And I'll probably continue to use plain VIM mostly. But it's nice to see this development.
I'm currently looking for a new shared flat (WG) in Munich... annoying; the city is simply too big and there are too few rooms at a good price. One of the biggest shortcomings of Munich as a university city (soon only topped by the tuition fees).
OK, my requirements aren't easy either; I'm really only interested in mixed non-smoking flat shares in the centre, Maxvorstadt, Haidhausen, and Schwabing up to the Olympiapark. But the main reason for me is, after all, to minimise the commute, because I'm simply tired of spending 10 hours a week sitting in the S-Bahn or waiting for it.
So far I've liked all the flat shares I've looked at, but out of the flood of applicants they each picked someone else... so, keep searching. *grumble*
(And I don't want to invest too much time in searching either, otherwise it's no longer worth it... The various websites, by the way, weren't much help, since they partly don't provide the interesting information at all: smoking, for example, is only asked as "allowed" or "not allowed", but it's not stated whether the flatmates are non-smokers, and they certainly don't let you filter on it...)
My "test" boxes (well, they are in fact production systems) are now all up and running SELinux with a "strict" policy in enforcing mode, after some weeks in "permissive" mode to detect the last missing policy rules (well, maybe I'm still missing something in cron.monthly?)
What took most of the time was in fact writing policy for some services and custom applications that didn't have one before. And I was basically just checking the logs every day to see if new audit errors had appeared. Oh, and in between we completely emptied the server racks and their wiring and redid the room...
Just to mention a few things that were "missing": my OpenVPN runs a custom script to update DNS on login and logout, which obviously was missing from the SELinux policy. I'm also using heartbeat to fail over between the two firewalls and two mail servers; that policy took me probably one hour (without much previous experience) to write. Then I have another custom LDAP-to-aliases conversion for a Lotus directory (which hopefully will be replaced by a sane application soon... whoever invented "implicit email addresses" should be shot. Just put all email addresses into the directory, so any app can look them up without trying to guess what your generation rules are... firstname.lastname@domain.tld sounds easy, but what about non-ASCII characters?)
Anyway, the systems are doing pretty well. Maybe I'm going to enable SELinux on the web server next. ((cra-)PHP and TYPO3 will probably make that more difficult, though...)
Oh, and I need to sort out which of my policy changes are local changes, and which I should feed "upstream".
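The "check the logs every day for new audit errors" routine above is easy to automate. The script below is an added example, not the author's own tooling: it boils AVC lines down to distinct (permission, source context, target context, class) tuples, so a daily run against a baseline shows only denials you have not seen before. The sample lines are constructed; the execmem denial for "host" is the one quoted elsewhere on this page, the openvpn-dns.sh script name and the named_zone_t target are made up.

```shell
#!/bin/sh
# Constructed sample audit lines. The execmem denial for "host" is copied from
# this page; the other lines (hypothetical openvpn-dns.sh, the named_zone_t
# target, the pids) are made up for the example.
SAMPLE_AVC='audit(1131700001.123:10): avc: denied { execmem } for pid=28566 comm="host" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process
audit(1131700002.456:11): avc: denied { execmem } for pid=28570 comm="dig" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process
audit(1131700003.789:12): avc: denied { write } for pid=1201 comm="openvpn-dns.sh" name="db.example" dev=sda3 ino=4711 scontext=system_u:system_r:openvpn_t tcontext=system_u:object_r:named_zone_t tclass=file
audit(1131700004.001:13): avc: granted { setenforce } for pid=900 comm="setenforce" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security'

# avc_summary: read audit lines on stdin, print one line per distinct
# (permission, source context, target context, class) denial with its count.
# "avc: granted" lines are ignored; they are not policy gaps.
avc_summary() {
    awk '
        /avc: +denied/ {
            perm = sc = tc = cls = ""
            if (match($0, /denied [{] [^}]* [}]/))
                perm = substr($0, RSTART + 9, RLENGTH - 11)
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "scontext") sc = kv[2]
                else if (kv[1] == "tcontext") tc = kv[2]
                else if (kv[1] == "tclass") cls = kv[2]
            }
            count[perm " " sc " " tc " " cls]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2
}

# avc_new_denials BASELINE: like avc_summary, but print only the tuples
# (without counts) that are not listed in BASELINE, a file with one tuple per
# line as produced by "avc_summary | cut -d' ' -f2-".
avc_new_denials() {
    avc_summary | cut -d' ' -f2- | while read -r key; do
        grep -qxF -- "$key" "$1" || echo "$key"
    done
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

Run it as `avc_summary < /var/log/audit/audit.log` (or over the kernel log on a box without auditd), keep the tuple list from a day you are happy with as the baseline, and feed later logs through `avc_new_denials baseline.txt`; an empty result means no new policy gap turned up.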
All the mobile-phone opponents should also campaign for a smoking ban in bars, pubs and restaurants. I find smokers much more unpleasant than someone using a mobile phone. Because while he holds the phone to his own head, you passively get a good dose of smoke (indoors; outdoors I don't care...).
Of course one should try to get by with lower field strengths and avoid "biologically relevant" frequencies; but the bigger danger definitely comes from smoking, doesn't it?
And at least the health damage from smoke is clearly proven.
Even in California and some other US states - and after all, tobacco comes from America - smoking in bars etc. is prohibited. Very pleasant. Especially because you don't have to "dispose of" your clothes afterwards when you've been out in the evening. I'd wish for that in Munich. So many young people here smoke so much that you really can't go out any more.
For some time now we've had DVB-T. Inevitably. Since then we've called a Radix DTR-9000 TWIN our own. Unfortunately.
The whole thing was an odyssey: we're already a bit further away from the transmitter, and our TV stands (because we use it so little) in the basement. The famous "indoor antenna" was therefore never an option. Our local electrician measured the field strength once, but even after a month still hadn't managed to make us an offer...
So we then bought the receiver and an active antenna at an electronics store and, with a bit of manual work, mounted it in a favourable position on the rain gutter.
Even with the active antenna, decoding errors keep occurring. So much for "DVB-T is sooo great because it's digital". With our ancient analogue antenna there were no perceptible errors on ARD... (And being able to receive Sat.1 now isn't sooo great either.)
What annoys me most, though, is the stupid Radix receiver. I can't recommend another one right now, but our DTR-9000 Twin is pretty poor. Here are a few points of criticism:
My IBM ThinkPad A31p's main system battery is dead. It won't charge any more; instead the battery light starts flashing. The battery is over three years old, but should still have about half of its original capacity. This sucks.
My secondary battery, more useful than having two CD drives I never use, is also down to two thirds, giving me a battery run time of less than 90 minutes.
Other stuff has started breaking, too, starting with a damaged USB port, Bluetooth that never worked, etc. - and the laptop is out of warranty by now.
I really need to get myself a new laptop (and especially a lighter one), but I know I'll miss the great 135 dpi display my A31p had... :-( Also the built-in Prism 2.5 11 Mbit wireless is excellent, with good range.
My favourites include the ThinkPad X series, but there are other options which are less expensive... or at least somewhat non-standard, like the Samsung X1, which has impressive specs, too. Or of course an Apple.
Debian really needs something like the "Laptop Mission" Ubuntu had... some free laptops for developers if they help make the distribution work out of the box on their model. I'd apply right away. ;-)
Wikipedia wasn't really "new". Wikis had been around before. There were a dozen encyclopedia attempts around (although maybe not using a wiki, and usually more focused on a specific field of knowledge), and there were huge collaboration applications.
I think that Wikipedia just offered the right options to users at the very right moment, when this "revolution" - people not using the web so much as a way to 'download' content, but to actually publish their very own stuff, taking over content production - was just kicking off, without being too fragmented yet.
Today you'll find dozens of "encyclopedias" for specific areas, which somewhat try to copy the success of Wikipedia, which maybe was so successful precisely because it didn't put up many restrictions on what it was to be used for...
As for the "not new" part - take a look at DMOZ.org, for example, which is used by Google as the data source for Directory.google.com. This has been around for years (since 1995?), with 5 million verified links in there, 70k editors just to verify and organize the links (many just taking care of a small part, like the links for their home town), and everybody can submit new links. I started being an editor when it had around 2 million links, and "timed out" due to inactivity when it reached 3 million.
I have the impression (partially, of course, due to the success of search robots like Google, which have also "ruined" the directory business for e.g. Yahoo) that growth has slowed down horribly in the last few years. Although the level at which you could contribute wasn't that different from what e.g. Wikipedia offers.
On the one hand it's a shame that great projects like DMOZ get so little attention, but on the other hand Wikipedia, for example, is fantastic, and I'm happy that many people have realized that they can be an active part of the web, not just content consumers. That there is more to the web than sharing music and accessing pr0n^Wcommercial websites.
I've found a couple of issues with my SELinux backports. One is actually a bug present in sysvinit and cron (at least):
The debian/rules makefile uses dpkg-architecture to detect a Linux system (as opposed to GNU Hurd, FreeBSD or Solaris), since SELinux only works on Linux. This code queries the DEB_HOST_ARCH_OS variable via dpkg-architecture, but this variable isn't available on sarge (yet)...
When building with either my dpkg backport, or with code similar to the following:
dpkg-architecture -qDEB_HOST_ARCH_OS || dpkg-architecture -qDEB_HOST_GNU_SYSTEM
the packages will actually have SELinux support enabled.
I've already filed a bug against sysvinit, but should I also file bugs against logrotate and cron, which apparently use the same code to detect SELinux?
(openssh and coreutils have better fallback code in place than what I suggested above.)
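The fallback one-liner above has a catch worth spelling out, so here is an added example (my own shell code, not taken from any of the packages mentioned): `dpkg-architecture -qDEB_HOST_ARCH_OS` prints "linux", "kfreebsd" or "hurd", but the older `DEB_HOST_GNU_SYSTEM` prints a GNU system type such as "linux-gnu". A rules file that compares the fallback value against "linux" therefore quietly builds without SELinux on exactly the sarge dpkg the fallback exists for. `normalize_os` maps both spellings onto the ARCH_OS names before the comparison; the final `case` is just a demonstration of the call.

```shell
#!/bin/sh
# normalize_os OS: map either a DEB_HOST_ARCH_OS value ("linux") or a
# DEB_HOST_GNU_SYSTEM value ("linux-gnu") onto the ARCH_OS spelling.
# Fails on an empty string so callers can tell "unknown" from "non-Linux".
normalize_os() {
    case "$1" in
        linux|linux-gnu*)       echo linux ;;
        kfreebsd|kfreebsd-gnu*) echo kfreebsd ;;
        hurd|gnu)               echo hurd ;;
        "")                     return 1 ;;
        *)                      echo "$1" ;;
    esac
}

# deb_host_os: normalized host OS; tries DEB_HOST_ARCH_OS first (new dpkg),
# then DEB_HOST_GNU_SYSTEM (sarge dpkg). Fails when dpkg-architecture is
# unavailable or answers nothing.
deb_host_os() {
    os=$(dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null) || os=""
    [ -n "$os" ] || os=$(dpkg-architecture -qDEB_HOST_GNU_SYSTEM 2>/dev/null) || return 1
    normalize_os "$os"
}

# selinux_supported OS: succeeds when OS (in either spelling) is Linux, the
# only platform on which the SELinux build flags make sense.
selinux_supported() {
    [ "$(normalize_os "$1")" = linux ]
}

# Demonstration; on a box without dpkg-architecture this takes the "" branch.
case $(deb_host_os) in
    linux) echo "Linux host: enabling SELinux support" ;;
    "")    echo "dpkg-architecture not usable here" ;;
    *)     echo "non-Linux host: SELinux support disabled" ;;
esac
```

In a debian/rules file the same idea reads `DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null || dpkg-architecture -qDEB_HOST_GNU_SYSTEM | sed 's/-gnu$$//')`, which is the kind of normalisation the better fallback code in openssh and coreutils does.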
Here's an easy recipe to filter those annoying SSH scanners at your firewall:
iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW \
    -m recent --set --name SSH
# optional: log sources that hit the limit before dropping them
#iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW \
#    -m recent --update --seconds 60 --hitcount 5 --rttl \
#    --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP
This configuration allows up to 5 new SSH connections from one source address within a 60-second window. This will usually make SSH scanners go away after their 5th retry, and seriously slow them down otherwise.
If you have users who legitimately need to make more SSH connections, have them use a VPN, a "safe" source IP range, whatever.
To protect your firewall host, use INPUT instead of FORWARD.
Note that you can also implement port knocking with the recent match.
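If you enable the commented-out LOG rule, the kernel log tells you who is hitting the limit. The script below is an added example (not part of the recipe above) that turns those lines into a per-source count, so you can see which addresses keep coming back and would be candidates for a longer block or a report to their abuse contact. The log lines are constructed, with documentation-range addresses and the `SSH_brute_force ` prefix from the rule above.

```shell
#!/bin/sh
# Constructed kern.log excerpt in the format the LOG target writes when the
# optional rule above is enabled (fields trimmed to what the report uses).
SAMPLE_LOG='Nov 12 10:01:02 fw kernel: SSH_brute_force IN=ethLRZ OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=22
Nov 12 10:01:03 fw kernel: SSH_brute_force IN=ethLRZ OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=22
Nov 12 10:01:09 fw kernel: SSH_brute_force IN=ethLRZ OUT=eth1 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22
Nov 12 10:02:15 fw kernel: SSH_brute_force IN=ethLRZ OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=22
Nov 12 10:02:16 fw kernel: Other message SRC=10.0.0.1 DST=10.0.0.2'

# ssh_bruteforce_report: read log lines on stdin, count logged hits per source
# address, print "count src" with the busiest source first. Only lines
# carrying the SSH_brute_force prefix are considered.
ssh_bruteforce_report() {
    awk '
        /SSH_brute_force/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { split($i, kv, "="); hits[kv[2]]++ }
        }
        END { for (src in hits) printf "%d %s\n", hits[src], src }
    ' | sort -rn
}

# top_offender: the single source with the most logged hits (empty if none).
top_offender() {
    ssh_bruteforce_report | head -n 1 | awk '{ print $2 }'
}

# repeat_offenders MIN: sources logged at least MIN times, one per line.
repeat_offenders() {
    ssh_bruteforce_report | awk -v min="$1" '$1 >= min { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | ssh_bruteforce_report
```

On a real firewall, run `ssh_bruteforce_report < /var/log/kern.log` (or grep the prefix out of syslog first). Because the LOG rule only fires once a source has exceeded the hit count, every line in the report is already a dropped attempt, not a legitimate login.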
When I want to upload new packages to my sarge SELinux repository on alioth, it usually takes me around 10 tries. Something is seriously wrong with LDAP on that box - it just goes totally crazy. This is almost unbearable... Maybe I should move the repository to people.debian.org instead?
I've recently been investigating a poorly maintained box (granted, it was just a workstation used for surfing the web) which was behaving oddly. In fact you could no longer log in via SSH. I quickly noticed that there was a non-working sshd on it, in /usr/local/bin. So I thought - why would a badly maintained box have a non-standard SSH on it?
This made me very suspicious, so I immediately ran chkrootkit. It didn't find anything, except it told me that someone had tampered with the wtmp file. The "tampering dates" aligned with the creation times of the sshd. A quick "find" run came up with the tool used to do so, too.
A quick check of the log files - which were fine, probably because they were not standard syslog - showed that an SSH scanner had managed to log in to an unprivileged account with a weak password, then used a kernel exploit from January to gain root privileges. Apparently he was unsatisfied with the sshd on the box, so he tried to put a different version on it, which, well, didn't work, and so he could no longer log on to the box himself.
A rootkit was apparently not installed yet (verified after a clean boot); he was just about to set up his own sshd... maybe he had noticed that the box was just a stupid surfing box and then didn't care enough to cover his tracks (or just shot himself in the foot by breaking the sshd).
So if you are running boxes on the internet:
(PHP guys: yes, I know that there are some good PHP scripts. But there are tons of badly written ones, too... and PHP is a major intrusion vector, and the privilege escalation I've seen here would have worked just fine with a PHP installation not using safe mode and safe_mode_exec_dir.)
A firewall I maintain at our university has been tracking SSH connections using the recent match for quite some time, and a nice side effect is that it reduces all their "spam" in your logs, too (in case you bother to read them. Do at least read the logcheck results!)
Social network services (Wikipedia) such as Friendster, LinkedIn and OpenBC are one of the top "web 2.0" hypes. I'm very sceptical about them, because I don't see the real benefits for me. (I'm referring to the pure "keep in contact with your schoolmates" thing, not sites that do much more, such as serious blogging - e.g. LiveJournal - or planets such as planet.debian.)
The typical use case I've heard is much like "Imagine you have made a cool product, and want to sell it to some company. Now you can search for people at that company you know (or a friend of yours knows) and call them; this will help you get a foot in the door", as well as "you can use it for finding a job".
I think that's bullshit, to a large extent because I'd neither be willing to update my information in these services all the time, nor would I be willing to help just everybody there - most likely I'd just delete and ignore the email, and be really annoyed by a call (I'm annoyed by calls anyway)...
It's not that I despise social networking per se. But I despise quantity instead of quality. I care a lot for my friends, and I'm in several groups grown around some technical issues; when someone is looking for a job I pay attention to suitable offers around me; if someone needs something else I do try to help. But I'll only do that for people I'd really call friends.
If you just want a quantitative number: last I checked, my ranking was #36 in the global PGP keyring, meaning I have the 36th shortest average distance worldwide for verifying a cryptographic key. So what?
Of course I also tried one of the social networking services mentioned above, and joined a group for a university I was at. Even before the administrator of that group added me, I got an "invitation" from one "linkaholic". I rejected it, and even considered reporting it as "spam" to the operator. I did indeed know that person, but all we had was a flame war on a mailing list, and I found him highly unsympathetic. So why should I add him to my network? Where are the benefits for me (except that I'll maybe get an annoying call sometime in the future, when I could have forgotten about him)?
No, in my opinion this social networking hype is built entirely on hype, basically saying "look how well-connected I am, everybody knows me, and I know everybody", even when these relationships only exist on the computer, without anything worth being called a "relationship" behind them.
The flame war I mentioned earlier was, by the way, on the topic of résumé/CV books. Which are even worse than this social networking thing, IMHO.
I have high respect for his writings; all I've read were worth it.
He just wrote about Web 2.0, and I find this a very interesting read. I agree with him here, especially with the line "Web 2.0 means using the web the way it's meant to be used."
Ajax is not fundamentally new. It's just JavaScript. It's still slow, sometimes has usability problems, and often just doesn't work right... And Ajax certainly isn't worth being called "Web 2.0"...
What has been reappearing this year are "third-party hacks" on the net. That was also the biggest thing about Google Maps: the API - others could use it (for free) to make other cool stuff with it. This is part of what Graham calls "Democracy" and of what he calls "Don't maltreat users" (especially not "lead users" and developers, if you want them to adopt your stuff!)
But basically I still don't think we're at anything fundamentally new here. The API stuff, for example, makes me think of open source vs. freeware... getting stuff for free is nice, but being able to modify it to exactly fit your needs is priceless. ;-)
OK, time to dive into the kernel and find out what "execmem" exactly means:
/*
 * We are making executable an anonymous mapping or a
 * private file mapping that will also be writable.
 * This has an additional check.
 */
Basically, this appears to be an mmap with both PROT_EXEC and PROT_WRITE.
Now let's see if I can find where this is used in pthreads, and if I can just remove either PROT_EXEC or PROT_WRITE there...
Okay, most likely this is the offending line:
nptl/allocatestack.c:
static int allocate_stack (...
    mem = mmap (NULL, size, PROT_READ | PROT_WRITE | PROT_EXEC,
                MAP_PRIVATE | MAP_ANONYMOUS | ARCH_MAP_FLAGS, -1, 0);
So pthread stacks are executable memory by default... but disabling that sounds risky to me... :-(
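A writable-and-executable anonymous mapping, the thing the kernel comment above describes and the execmem denial for "host" further down this page reports, is visible from user space in /proc/PID/maps as a region with both "w" and "x" in its permission field. The script below is an added example of checking for that, not something from the kernel or glibc sources: it lists such regions from a maps file, and can walk every readable process on the box, which is a quick way to see which programs would need execmem before you flip a domain into enforcing mode. The sample maps excerpt is constructed; the RWX anonymous region and the RWX [stack] line are what the allocate_stack() mapping looks like from outside.

```shell
#!/bin/sh
# Constructed /proc/PID/maps excerpt (paths and addresses made up). Only the
# "rwxp" anonymous region and the "rwxp" stack are writable+executable.
SAMPLE_MAPS='08048000-0805b000 r-xp 00000000 03:01 12345 /usr/bin/host
0805b000-0805d000 rw-p 00012000 03:01 12345 /usr/bin/host
0805d000-0807e000 rw-p 00000000 00:00 0 [heap]
b7d00000-b7d21000 rwxp 00000000 00:00 0
b7e00000-b7f3a000 r-xp 00000000 03:01 67890 /lib/tls/libc.so.6
bffeb000-c0000000 rwxp 00000000 00:00 0 [stack]'

# wx_mappings: read a maps file on stdin and print every region that is both
# writable and executable, as "range perms name", where name is the backing
# file, a kernel tag such as [stack], or "anon" for an anonymous mapping
# (the case the execmem permission covers).
wx_mappings() {
    awk 'substr($2, 2, 2) == "wx" {
        name = ($6 == "") ? "anon" : $6
        printf "%s %s %s\n", $1, $2, name
    }'
}

# wx_count: number of writable+executable regions in the maps text on stdin.
wx_count() {
    wx_mappings | wc -l | tr -d ' '
}

# scan_running_processes: report writable+executable regions of every process
# whose maps file is readable (as root: all of them), prefixed with the pid.
scan_running_processes() {
    for m in /proc/[0-9]*/maps; do
        [ -r "$m" ] || continue
        pid=${m#/proc/}
        pid=${pid%/maps}
        wx_mappings < "$m" 2>/dev/null | sed "s/^/pid=$pid /"
    done
}

printf '%s\n' "$SAMPLE_MAPS" | wx_mappings
```

Run `scan_running_processes` on a box in permissive mode and compare against the execmem denials in the audit log: a process that shows an anonymous rwx region is one that will hit that check, whether the region comes from the pthread stack allocation above, from a JIT, or from something less welcome.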
Thanks to whoever fixed (read: enhanced) the radeon driver or Scorched 3D.
With visible water the game is even more fun. ;-)
I've been trying to track down an annoying bug with SELinux these days.
The situation is as follows: when I'm running in enforcing mode, bind's "host" command, "named" itself and "dig" won't work. They fail with an odd error message:
mem.c:653: INSIST(ctx->stats[size].gets > 0U) failed.
or with the latest bind backported to stable:
host: isc_taskmgr_create: no available threads
The SELinux audit error reported is: denied { execmem } for pid=28566 comm="host" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process
As far as I know, "execmem" means the process can do runtime code generation (i.e. make its own memory executable) - that is a privilege you don't want to hand out lightly. But everybody should be able to use the "host" command... so the situation sucks.
Right now I guess that this is caused by pthreads, not bind itself.
Anyone have some hints for me? Does this mean I have to build a customized libc to run stable with SELinux (or make huge modifications to the policy, to add a domain for "host" and exec permissions to every other domain that needs to be able to run "host"...)?
Dear Lazyweb,
Nothing is perfect, but on Linux you can at least improve it and tune it.
I just ran into memory problems on my development box - I had tons of applications open, and since this is a laptop I prefer to have swap disabled.
I then started to build bind9 for a sarge backport, which meant that a long sequence of C compiler processes was launched, each allocating some memory, working with it, terminating, next.
Being really at the limit of available memory, the system became unresponsive - and that behaviour is really bad... I thought that sooner or later it would really run out of memory, and decided to watch some TV in the meantime. One hour later, when I returned, it was still torturing my HD and still unresponsive.
Apparently the compile process had been just below the memory limit the whole time, causing the kernel to evict pages from memory and load them back from disk later, which slowed everything down horribly.
So now I'm searching for a way to prevent such situations. The traditional ulimit approach won't help - no single process was responsible for using all the memory; each one had its reasonable share.
So, dear lazyweb, is there a way to tell the kernel to reserve a share of memory (let's say 64 MB) for buffers and caches only? I can live with out-of-memory errors a bit early (and then just enable swap), but a massive slowdown as described above (where the kernel is apparently reading some data from the HD, then forgetting it again and replacing it with the next) must not happen that easily...
Right now I fear that you could bring down any Linux system easily with a "slow" fork bomb where each forked process allocates 100 MB and starts writing random data to its memory, forking a new child every 50 MB or so. Neither the OOM killer, ulimit nor traditional fork bomb detectors will be able to counter that, since already a couple of processes will cause the system to become completely IO-bound. Oh, and I have no idea how Windows would react to that either. So don't assume any OS is better just because I say Linux isn't doing perfectly well here.
If you have any tips for me, send me an email.
I've been preparing SELinux backports for Debian sarge today for a public release. I've been running them on a couple of servers for quite some time already, but I decided to fully document what I did, as well as upload them to a publicly accessible location:
Debian sarge SELinux backports
Note that you still need a policy (e.g. the selinux-policy-default package from unstable, a CVS checkout from the NSA repository on SourceForge, or the new reference policy being heavily worked on) as well as an SELinux-capable kernel (e.g. the latest 2.6.14 packages from unstable).
Note that alioth is a rather "public" box, so if you don't trust it (or me), grab the sources from a location you trust, grab the Debian .diff and mine, and do an interdiff. The interdiff should be really easy to verify, at least.
Also check out the Backporting HOWTO I wrote documenting my efforts.
I hope I'll be able to bring you detailed installation instructions sometime soon. Until then I can point you to some SELinux setup notes in the Debian wiki. My cron and init packages have the "bad" stuff disabled when SELinux is enabled.
According to current reports, Sony's controversial "rootkit" copy protection not only contains substantial hacker functionality and phones home, but also contains a not insignificant amount of "stolen" program code.
Jon Lech Johansen, best known for "cracking" the CSS encryption used on DVDs, is quoted as one of the affected authors whose source code was illegally used in creating the software. (And no, it's not the rootkit functions; it concerns a library for decoding protected music from Apple's music store.)
So not only does Sony spy on and "hack" its own customers, they have also shamelessly helped themselves to other people's intellectual property!
May we at least assume now that Sony permits the use of software for removing the protection from DRM-protected music, given that they themselves are trying to install it on all their customers' computers?
A few days ago I made it to place #10 on Google for a very generic term. With my "ancient" personal homepage. This made my page visits skyrocket from around 800 to 1300 unique visitors a day (well, I only have a two-day sample with the high value). Impressive. At the same time, the number of emails and comments in my guestbook has doubled, too.
My Google PageRank is still just 5 for that page; my front page has 6. But the PageRank seems to be quite off often anyway...
Just today I received an offer of approx. $45 a month for a link banner on my page...
At the same time, I haven't really updated the page for more than 2 years. I've been thinking about a redesign for four years, and I still haven't come up with a design I'm really happy with... :-(

Numenorean
To which race of Middle Earth do you belong?
brought to you by Quizilla
... also known as "nothing and everything" or "average" - this is by far the most common result in this quiz (which, btw, doesn't include orcish).
If you are a student of mathematics or computer science in München, visit Die-Informatiker.net or Die-Mathematiker.net, two pretty nice forums for our university. The latter is new; the former has been successful for several years now and is officially "recognized". So you might even get answers from your TAs there.
For a few years now there has been a forum under the name "Die Informatiker" in Munich for computer science studies at LMU München.
It very quickly developed into a central "resource" for computer science, taking over many classic tasks of the student council (Fachschaft) - without acquiring the reputation of being too "political" that clings to the student councils. (And for some the student councils are totally left-wing, while the AntiFa department in turn insults them as fascists, much to the chagrin of the "real leftists", who of course also exist...)
Most recently there is now also Die Mathematiker - sister site, offspring, whatever. ;-)
The resourceful computer scientists have extended the forum software with all kinds of nice functions - including typesetting formulas with LaTeX.
Some Japanese companies have requested that the Linux kernel get a "stable" (whatever that means) kernel interface for binary drivers.
The obvious reason is that they want to be able to add (illegal!) closed-source drivers to the Linux kernel.
This is a bad idea for a couple of reasons that have been discussed in a couple of places. Instead, I want to show you a couple of examples to illustrate that.
First of all, let me name the binary, closed-source drivers of ATI and Nvidia. They totally suck. They are unreliable, cause system crashes, don't work with power management and so on. Is this the type of driver you want? Commercial driver development is not capable of keeping up with the development speed and models of open source. Other examples that show the problems with all the closed-source stuff include many wireless access points, such as the isl3893 platform or Broadcom's AR7. They dutifully released the kernel code they used and maybe some drivers, but even the kernel code they touched is broken to a large extent (that's why Intersil/Conexant doesn't support HTTPS on their isl3893 access points: they broke their libc in a way that they can't get SSL to work on it any more).
Now let me give you a good example: USB. There the interface to the hardware was openly and clearly specified, also for many, many uses. The result is that today basically any memory stick and digital camera adheres to this standard, and there is only one driver for it. That's why they "just work".
So instead of requesting a binary driver API in the kernel, these Japanese manufacturers should instead start an industry initiative just like USB, to standardize on a common stable hardware interface so we don't need a different driver for every piece of hardware. Our real problem is that no hardware is like any other, and nothing is properly documented. And hardware manufacturers earn their money with hardware and haven't got much expertise in software...
It took me hours to get FastCGI and suexec working properly. I'm so annoyed by the horrible docs that are the only ones available for it.
First I tried using fcgid (which at least is DFSG-free) but wasn't able to run MoinMoin properly at all. So I gave up on that quickly.
So I ended up trying the "non-free" libapache2-mod-fastcgi. Oh, what a mess. Getting non-suexec FastCGI working was easy. Then I tried to make it a bit more secure...
The "documentation" claims that all you need to do is enable the suexec wrapper. So I configured a "FastCgiServer", set -user and -group appropriately, somehow found out that I need to chown the executable and the directory containing the executable accordingly, and that the user and group IDs need to be higher than 100 - OK. (Although group www-data would have been okay, I guess.) Reloaded Apache. And the FastCGI process is started and running with the right user ID.
By now I was using a mini test FastCGI program which prints getuid() - and so I could see that despite my process running as a different user, it still returned 33 (= www-data). Damn!
The reason, as I found out later after manually changing URIs to find the right docs etc., was that I need to enable mod_suexec, then add the SuexecUserGroup option to my vhost.
For incoming requests, FastCGI checks for a running FCGI server with the same path and the same user and group IDs as the ones you defined in the FastCGI config. Otherwise it starts a new dynamic server. And there is no "FastCgiUserGroup" option or anything obvious to configure the user and group name for the CGI path - but you need to do that for mod_suexec.
Apache config is a PITA anyway, with its pseudo-XML syntax etc. - we really need to get rid of it sometime...
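The ownership and user-ID conditions above are the ones suexec silently refuses on, and they are easy to get wrong on the first try. The script below is an added example of checking them before reloading Apache; it is my own code, not part of mod_fastcgi, mod_suexec or any of their docs. It assumes the requirements as stated in this post: executable and containing directory owned by the target user and group, neither world-writable, the program not setuid/setgid, and a numeric user ID at or above a minimum (100 here, per the post; the last parameter lets you override it). The path and account in the demonstration call are hypothetical.

```shell
#!/bin/sh
# suexec_precheck PROG USER GROUP [MIN_ID]
# Verify the preconditions for running PROG via suexec as USER:GROUP.
# Prints one line per failed check; returns 0 only when everything passes.
# Uses only POSIX ls/id so it works on any box with /bin/sh.
suexec_precheck() {
    prog=$1; user=$2; group=$3; min=${4:-100}; rc=0
    dir=$(dirname "$prog")

    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user"; return 1; }
    [ "$uid" -ge "$min" ] || { echo "uid $uid of $user is below the suexec minimum $min"; rc=1; }

    # Both the program and its directory must be owned by the target
    # user/group and must not be writable by others.
    for f in "$prog" "$dir"; do
        [ -e "$f" ] || { echo "missing: $f"; rc=1; continue; }
        set -- $(ls -ld "$f")          # $1 perms, $3 owner, $4 group
        [ "$3" = "$user" ]  || { echo "$f is owned by $3, expected $user"; rc=1; }
        [ "$4" = "$group" ] || { echo "$f has group $4, expected $group"; rc=1; }
        case $1 in ????????w*) echo "$f is world-writable"; rc=1 ;; esac
    done

    # The program itself must be executable and not setuid/setgid.
    [ -x "$prog" ] || { echo "$prog is not executable"; rc=1; }
    if [ -e "$prog" ]; then
        set -- $(ls -ld "$prog")
        case $1 in ???[sS]*|??????[sS]*) echo "$prog is setuid/setgid"; rc=1 ;; esac
    fi
    return $rc
}

# Demonstration with a hypothetical path and account; on a box without that
# user it reports "no such user" and nothing else.
if suexec_precheck /var/www/moin/moin.fcgi moin www-data; then
    echo "ready for: FastCgiServer /var/www/moin/moin.fcgi -user moin -group www-data"
fi
```

Run it with the same path, user and group you put into FastCgiServer and SuexecUserGroup; a clean result rules out the file-level causes, leaving only the config mismatch described above (a dynamic server started under a different identity) if getuid() still comes back as www-data.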
So here is a short howto for using suexec and mod_fastcgi on Apache 2: