[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Possible MBF wrt common, FHS-compliant, default document root for the various web servers



Jan Hauke Rahm <jhr@debian.org> writes:
> On Mon, Nov 09, 2009 at 03:55:58PM -0800, Russ Allbery wrote:
>> sean finney <seanius@debian.org> writes:

>>> something that hasn't really been brought up (i mentioned it on the
>>> non-webapps thread in -devel already) is that this makes packages
>>> potentially opened in an unconfigured state.  unless you can ensure
>>> that the system is only running on localhost, it has some significant
>>> security implications.  personally i'd rather that /usr/lib/cgi-bin
>>> goes the way of the dodo, and that packages are required to
>>> ship/generate webserver config files if they want to function out of
>>> the box.

>> Wholeheartedly agreed, particularly if we can put a management system
>> in place similar to the (really nice) Apache module management system
>> that lets admins selectively enable specific applications, which
>> installing everything into a default CGI-active directory doesn't
>> permit as easily.

> Not that I'm opposing to what you're saying but... every application in
> the archive is configured during the installation process, possibly
> asking debconf questions, providing defaults etc. After the installation
> it should run in a mode that suites most use cases and is secure. We (or
> at least I) always expected that.

> Now with web applications, if I read you suggestions correctly, you want
> to just throw the files in the system, leave it unconfigured without
> meaningfull defaults, even leading to an unsecure state, and then blame
> the web server for not securing the application?

> Or am I misunderstanding you?

No, as Sean says, I would enable the /vendor path and all applications by
default.  What I want is a management system wherein one can selectively
enable or disable applications and where one can change (as a system-wide
default) the default installation behavior of new applications to leave
them unconfigured.

That way, on my servers I can say to not configure applications by default
and have control over what I enable and how, but those who want installed
applications to just work can use the defaults and have them be enabled
automatically.  I think that would mean everyone would get what they want.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>


Reply to: