OK so I want to use php-opencloud and was quite chagrined to find this in the install instructions:
Code:
You must install this library through Composer:
# Install Composer
curl -sS https://getcomposer.org/installer | php
# Require php-opencloud as a dependency
php composer.phar require rackspace/php-opencloud
Now I'm sure a lot of people are very excited by composer. I am not so excited.
Can anyone suggest a way that I might run these commands in a chroot jail or something so that I can truly understand what files are downloaded, what sites are accessed, what local files are changed, etc.?
Rants in favor of or against composer are also welcome.
Well, php is a src code language, so you could just download it ("installer") but not run it through php. Instead read the downloaded file?
I started to. It's over 4000 lines. I thought it would be more efficient to try and run it in some kind of jail and see what files it actually downloads (or alters) rather than trying to speculate theoretically about its results.
As I originally posted, the installation instructions for php-opencloud on github say one MUST use composer:
Quote:
You must install this library through Composer
To install without composer is probably not especially difficult, but the composer.json file says there are a number of dependencies. I'm not sure if I can get away with just require or whether I need require-dev. I'm also not sure what the simple path names mean in there. For instance, what does guzzle/guzzle refer to? Are these github partial paths? Can anyone help me decipher this composer.json file?
I didn't like the idea of composer either, but have come to like it well enough.
It's easy to understand the allure. Getting dependencies in place is a chore. This makes it easier. HOWEVER, it seems abundantly clear that devs are all too willing to trust other convenient packages without making any attempt to check that those other packages are in fact trustworthy. For something like access to my rackspace cloud account, that is unacceptable. PHP-opencloud has my account credentials. Security is important.
Quote:
Originally Posted by ceyx
Install it to a VM, and toast it if you don't like what you see
This is more or less what I was getting at, but I still need the right commands to monitor exactly which files are changed. How do I know, for instance, that /etc/passwd hasn't been accessed or changed?
For specific files you are worried about you can take copies & either eyeball or run diff to check.
If you want to know about every file it changes, you'll have to read the code and/or ask the suppliers - do they have a community / support forum?
Maybe it's in the FAQ?
Actually, something like tripwire (if it's still around) or an equiv, although even then I'm not sure whether it's practical to monitor EVERY file on your system.
Have you tried googling around about this tool generally to see if anyone has ever complained?
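The copy-and-diff approach suggested above, extended to a whole directory tree for the duration of one command, as an added example that is not part of any post in this thread. `fake_install` is a constructed stand-in for the Composer command so the script runs offline, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit what one command changes on disk.

# Print "sha256  path" for every regular file under directory $1.
snapshot() {
    find "$1" -xdev -type f -exec sha256sum {} +
}

# Compare two manifests and print ADDED / CHANGED / REMOVED lines.
diff_manifests() {
    awk '
        { hash = $1; path = substr($0, length($1) + 3) }  # keeps spaces in paths
        FILENAME == ARGV[1] { before[path] = hash; next }
        { seen[path] = 1 }
        !(path in before) { print "ADDED " path; next }
        before[path] != hash { print "CHANGED " path }
        END { for (p in before) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# audit_run DIR COMMAND [ARGS...]: snapshot DIR, run the command, snapshot
# again, print the differences, and pass the command's exit status through.
audit_run() (
    dir=$1; shift
    before=$(mktemp) && after=$(mktemp) || exit 1
    snapshot "$dir" > "$before"
    status=0; "$@" 1>&2 || status=$?     # command output goes to stderr
    snapshot "$dir" > "$after"
    diff_manifests "$before" "$after"
    rm -f "$before" "$after"
    exit "$status"
)

# Constructed stand-in for "php composer.phar require ..." so this runs
# offline: adds a vendor file, rewrites composer.json, deletes a file.
fake_install() {
    mkdir -p "$1/vendor/guzzle" && echo 'code' > "$1/vendor/guzzle/Client.php"
    echo '{"require":{"rackspace/php-opencloud":"*"}}' > "$1/composer.json"
    rm -f "$1/old.lock"
}

demo() (
    root=$(mktemp -d) || exit 1
    echo '{}' > "$root/composer.json"; : > "$root/old.lock"
    cd "$root" && audit_run . fake_install .
    rm -rf "$root"
)
demo
```

This reports files added, changed or removed, not files that were only read. For read access and network connections, run the command under `strace -f -e trace=file,network -o trace.log` inside the throwaway VM.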
Quote:
Originally Posted by chrism01
For specific files you are worried about you can take copies & either eyeball or run diff to check.
If you want to know about every file it changes, you'll have to read the code and/or ask the suppliers - do they have a community / support forum?
Maybe it's in the FAQ?
Strictly speaking, this is not true. I vaguely recall a command that would let one monitor all file accesses/changes in a particular subdirectory but I can't seem to find it. I was hoping to use something like that in combination with a chroot jail or something to prevent composer from modifying or accessing any sensitive files.
Quote:
Originally Posted by chrism01
Actually, something like tripwire (if it's still around) or an equiv, although even then I'm not sure whether it's practical to monitor EVERY file on your system.
I don't think I need to continually monitor the system -- just long enough to run the composer install would be enough I think.
Quote:
Originally Posted by chrism01
Have you tried googling around about this tool generally to see if anyone has ever complained?