
Bug#239364: This should get fixed.



Romain Francoise <rfrancoise@debian.org> said:
> Then you'll have to recompile suEXEC to suit your needs, Debian cannot
> support _every_ possible configuration and the default probably is the
> most reasonable one since most people will have CGIs in the docroot.

Wait... what?

Sure, Debian can't support *every* configuration, but what's wrong with 
supporting the default configuration that Debian ships with? (CGI
scripts - like php-cgi - in /usr/lib/cgi-bin)

Further, the situation where users have their files in the home
directories is pretty common. I'd go so far as to say that any other
layout is a contortion to work around this bug.

I can't come up with a single good reason for the suexec docroot to be
hard-coded to '/var/www' in Debian over a config file, or even hard coding
it to '/'. There's no obvious security advantage, in fact it forces people
to tamper with suexec themselves - which potentially introduces security 
problems. At the very least, not being able to blindly install security updates
to 'apache-common' is a problem.

This bug has been submitted something like 5 times. Having CGI scripts run
as their owner is an important bit of functionality that should just work, 
but instead the user is forced to mess around with recompiling a basic 
package to get this functionality. Why not fix this?

Am I missing something? Is this just an issue with not wanting to diverge 
from upstream? What's the story here?



