Re: Possible MBF wrt common, FHS-compliant, default document root for the various web servers
Jan Hauke Rahm <jhr@debian.org> writes:
> On Mon, Nov 09, 2009 at 03:55:58PM -0800, Russ Allbery wrote:
>> sean finney <seanius@debian.org> writes:
>>> something that hasn't really been brought up (i mentioned it on the
>>> non-webapps thread in -devel already) is that this makes packages
>>> potentially opened in an unconfigured state. unless you can ensure
>>> that the system is only running on localhost, it has some significant
>>> security implications. personally i'd rather that /usr/lib/cgi-bin
>>> goes the way of the dodo, and that packages are required to
>>> ship/generate webserver config files if they want to function out of
>>> the box.
>> Wholeheartedly agreed, particularly if we can put a management system
>> in place similar to the (really nice) Apache module management system
>> that lets admins selectively enable specific applications, which
>> installing everything into a default CGI-active directory doesn't
>> permit as easily.
> Not that I'm opposing to what you're saying but... every application in
> the archive is configured during the installation process, possibly
> asking debconf questions, providing defaults etc. After the installation
> it should run in a mode that suites most use cases and is secure. We (or
> at least I) always expected that.
> Now with web applications, if I read you suggestions correctly, you want
> to just throw the files in the system, leave it unconfigured without
> meaningfull defaults, even leading to an unsecure state, and then blame
> the web server for not securing the application?
> Or am I misunderstanding you?
No, as Sean says, I would enable the /vendor path and all applications by
default. What I want is a management system wherein one can selectively
enable or disable applications and where one can change (as a system-wide
default) the default installation behavior of new applications to leave
them unconfigured.
That way, on my servers I can say to not configure applications by default
and have control over what I enable and how, but those who want installed
applications to just work can use the defaults and have them be enabled
automatically. I think that would mean everyone would get what they want.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply to:
- References:
- Re: common, FHS-compliant, default document root for the various web servers
- From: Stefano Zacchiroli <zack@debian.org>
- Re: common, FHS-compliant, default document root for the various web servers
- From: Jan Hauke Rahm <jhr@debian.org>
- Re: common, FHS-compliant, default document root for the various web servers
- From: Stefano Zacchiroli <zack@debian.org>
- Possible MBF wrt common, FHS-compliant, default document root for the various web servers
- From: Jan Hauke Rahm <jhr@debian.org>
- Re: Possible MBF wrt common, FHS-compliant, default document root for the various web servers
- From: Charles Plessy <plessy@debian.org>
- Re: Possible MBF wrt common, FHS-compliant, default document root for the various web servers
- From: Stefano Zacchiroli <zack@debian.org>
- Re: Possible MBF wrt common, FHS-compliant, default document root for the various web servers
- From: Charles Plessy <plessy@debian.org>
- Re: Possible MBF wrt common, FHS-compliant, default document root for the various web servers
- From: Stefano Zacchiroli <zack@debian.org>
- Re: Possible MBF wrt common, FHS-compliant, default document root for the various web servers
- From: sean finney <seanius@debian.org>
- Re: Possible MBF wrt common, FHS-compliant, default document root for the various web servers
- From: Russ Allbery <rra@debian.org>
- Re: Possible MBF wrt common, FHS-compliant, default document root for the various web servers
- From: Jan Hauke Rahm <jhr@debian.org>