Bug#555129: Should not set document root to /var/www - violates the FHS
severity 555129 wishlist
severity 553498 wishlist
thanks
On Sunday 08 November 2009, Julien Valroff wrote:
> This is not one of the /var directories in the File Hierarchy
> Standard and is under the control of the local administrator.
Manoj, both apache2-suexec and dspam-webfrontend are following the
policy's recommendation. How can this be a serious bug?
> Even
> http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-web-appl,
> which suggests /var/www should be used if
> **unavoidable**, states that this place can be a symlink to the
> location where the system administrator has put the real document
> root. If I am right, suexec doesn't allow symlinks for security
> reasons.
Suexec should work fine if /var/www itself is a symlink.
I completely agree that the current situation is not optimal. But I
don't see a better choice for the suexec document root. Of course, any
alternative must not introduce local privilege escalation
vulnerabilities (like using "/" does).
Cheers,
Stefan