
Bug#555129: Should not set document root to /var/www - violates the FHS



severity 555129 wishlist
severity 553498 wishlist
thanks


On Sunday 08 November 2009, Julien Valroff wrote:
> This is not one of the /var directories in the File Hierarchy
> Standard and is under the control of the local administrator.

Manoj, both apache2-suexec and dspam-webfrontend are following the
policy's recommendation. How can this be a serious bug?

> Even
> http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-web-appl,
> which suggests /var/www should be used if **unavoidable**, states that
> this place can be a symlink to the location where the system
> administrator has put the real document root. If I am right, suexec
> doesn't allow symlinks for security reasons.

Suexec should work fine if /var/www itself is a symlink.

I completely agree that the current situation is not optimal. But I
don't see a better choice for the suexec document root. Of course, any
alternative must not introduce local privilege escalation
vulnerabilities (like using "/" does).

Cheers,
Stefan


