
How to properly handle ACL for cgiwrap?



Hi,

I am maintaining cgiwrap (software allowing ordinary users to run their own
CGI scripts). I wonder about the proper way to handle configuration
files.

cgiwrap uses two configuration files: cgiwrap.(allow|deny). I consider
them as conffiles.

Quoting from the documentation (http://cgiwrap.sf.net):

"Access Control Logic

    * Neither file exists - Configuration Error
    * User in both files - Access Denied
    * Allow exists and user not in file - Access Denied
    * Deny exists and user in file - Access Denied
    * Otherwise - Access Allowed

Basically, in order for a user to be allowed to execute scripts through
cgiwrap: If the allow file exists, the user has to be in it. If the deny
file exists, the user can't be in it."

I would like cgiwrap to work with ACL and, by default, any user to be
able to use it. I plan to use a debconf template for that. But anyway, my
current question is not about debconf.

For now, I wonder how I can deal with these two files with regard to
#220437.

Quoting the bug-submitter:

"I wanted all users to be allowed access by default, so I removed the
cgiwrap.allow file. Ages later (when I'd completely forgotten about it)
a problem occurred because that cgiwrap.allow file had been replaced
during a routine upgrade [...] and by default all users were denied
access."

A config a la xfree[1] seems pretty heavy in this situation.

Do you think I should hack on cgiwrap? Do other packages using the
same 'user policy' exist?

I don't know what to do exactly. I have been trying to figure out the
proper way to deal with it for a long time now (the bug was sent last
November).

Some developers told me to put these files in
/usr/share/doc/cigwrap/example/ but it is not acceptable to me because
by default the package will not work unless the admin installs the files
by hand. On the other hand, the current configuration is quite broken
too.


Thanks in advance,
[1]: §  How  do  the  XFree86   packages   manage   their   non-conffile
     configuration files like /etc/X11/X, /etc/X11/Xwrapper.config,  and
     /etc/X11/XF86Config-4?
     http://necrotic.deadbeast.net/xsf/XFree86/trunk/debian/local/FAQ
--
                                Pierre Machard
<pmachard@debian.org>                                 http://debian.org
GPG: 1024D/23706F87 : B906 A53F 84E0 49B6 6CF7 82C2 B3A0 2D66 2370 6F87
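
The access-control rules quoted in the message, replayed against the upgrade scenario from #220437. This is an added example, not cgiwrap's own code and not part of the original post; it assumes one user name per line in each file, that the allow file reinstalled by the upgrade is empty, and a constructed user "alice".

```python
import os
import tempfile

def read_users(path):
    """Return the set of user names in path, or None if the file does not exist."""
    try:
        with open(path) as fh:
            return {line.strip() for line in fh if line.strip()}
    except FileNotFoundError:
        return None

def decide(user, allow_path, deny_path):
    """Apply the five documented rules in order; return (allowed, reason)."""
    allow, deny = read_users(allow_path), read_users(deny_path)
    if allow is None and deny is None:
        return False, "configuration error"
    in_allow = allow is not None and user in allow
    in_deny = deny is not None and user in deny
    if in_allow and in_deny:
        return False, "user in both files"
    if allow is not None and not in_allow:
        return False, "allow exists and user not in file"
    if in_deny:
        return False, "deny exists and user in file"
    return True, "access allowed"

def upgrade_scenario(user="alice"):
    """Replay the bug report: admin removes the allow file, an upgrade puts it back."""
    with tempfile.TemporaryDirectory() as d:
        allow = os.path.join(d, "cgiwrap.allow")
        deny = os.path.join(d, "cgiwrap.deny")
        results = {"no files": decide(user, allow, deny)}
        open(deny, "w").close()    # admin's setup: empty deny file, no allow file
        results["admin setup"] = decide(user, allow, deny)
        open(allow, "w").close()   # upgrade reinstalls the allow file (assumed empty)
        results["after upgrade"] = decide(user, allow, deny)
        for path in (allow, deny):  # same user listed in both files
            with open(path, "w") as fh:
                fh.write(user + "\n")
        results["in both"] = decide(user, allow, deny)
    return results

if __name__ == "__main__":
    for step, (ok, why) in upgrade_scenario().items():
        print(f"{step:14} allowed={ok} ({why})")
```

The mere presence of an allow file switches the policy from default-allow to default-deny, which is why a package upgrade that recreates a deleted cgiwrap.allow changes who can run scripts.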
