
Re: Possible MBF wrt common, FHS-compliant, default document root for the various web servers



On Mon, Nov 09, 2009 at 03:55:58PM -0800, Russ Allbery wrote:
> sean finney <seanius@debian.org> writes:
> 
> > something that hasn't really been brought up (i mentioned it on the
> > non-webapps thread in -devel already) is that this makes packages
> > potentially opened in an unconfigured state.  unless you can ensure that
> > the system is only running on localhost, it has some significant
> > security implications.  personally i'd rather that /usr/lib/cgi-bin goes
> > the way of the dodo, and that packages are required to ship/generate
> > webserver config files if they want to function out of the box.
> 
> Wholeheartedly agreed, particularly if we can put a management system in
> place similar to the (really nice) Apache module management system that
> lets admins selectively enable specific applications, which installing
> everything into a default CGI-active directory doesn't permit as easily.

Not that I'm opposed to what you're saying, but... every application in
the archive is configured during the installation process, possibly
asking debconf questions, providing defaults, etc. After the installation
it should run in a mode that suits most use cases and is secure. We (or
at least I) always expected that.

Now with web applications, if I read your suggestions correctly, you want
to just throw the files into the system, leave it unconfigured without
meaningful defaults, even leading to an insecure state, and then blame
the web server for not securing the application?

Or am I misunderstanding you?
Hauke
