Package: apache-common
Version: 1.3.31-1
Priority: important
Tags: security

I cannot really understand why this is needed:

$ ls -la /var/lib/apache/mod-bandwidth/
total 16
drwxrwxrwx 4 www-data www-data 4096 2003-10-20 21:53 .
drwxr-xr-x 3 root     root     4096 2003-10-20 21:53 ..
drwxrwxrwx 2 www-data www-data 4096 2003-10-14 14:38 link
drwxrwxrwx 2 www-data www-data 4096 2003-10-14 14:38 master

README.mod_bandwidth just says: No documentation available!

So, is there any reason why mod-bandwidth files should be writable by
all users?

I'm tagging this security because directories writable by all users open
up a can of worms (partition DoS attacks, symlink and hard link attacks)
and administrators do not expect Debian packages to create those without
a good enough reason.

Also, directories writable by all users (such as /tmp/ or /var/tmp)
should be created with the sticky bit.

Regards

Javier
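
Added example, not part of the original report or of the Debian package: a shell check that lists directories which are writable by all users but lack the sticky bit, the condition the report describes. The function names and the sample tree (built in a temporary directory to mirror the listing above) are constructed for illustration.

```shell
#!/bin/sh
# Audit for directories that are world-writable (o+w) without the sticky bit.

# Print every directory under $1 with o+w set and the sticky bit clear.
find_unsafe_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# Count them; a packaging check can fail when this is non-zero.
count_unsafe_dirs() {
    find_unsafe_dirs "$1" | wc -l | tr -d ' '
}

# Build a constructed tree mirroring the layout in the report, plus one
# /tmp-style directory (mode 1777) and one ordinary directory for contrast.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/mod-bandwidth/link" "$root/mod-bandwidth/master" \
             "$root/tmp-like" "$root/normal"
    chmod 0777 "$root/mod-bandwidth" "$root/mod-bandwidth/link" \
               "$root/mod-bandwidth/master"
    chmod 1777 "$root/tmp-like"
    chmod 0755 "$root/normal"
    printf '%s\n' "$root"
}

# Demonstration on the constructed tree: the three mode-0777 directories
# are reported, the mode-1777 and mode-0755 directories are not.
sample=$(make_sample_tree)
echo "World-writable directories without sticky bit under $sample:"
find_unsafe_dirs "$sample"
echo "count: $(count_unsafe_dirs "$sample")"
rm -rf "$sample"
```

On an installed system, find_unsafe_dirs /var/lib/apache would report the mod-bandwidth directories shown in the listing for as long as they keep mode 0777.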