
Re: Bug#485562: twiki: configure script access badly protected



Hi.

Thanks for the suggestions for the templates, and your comments.

I propose a new version of the templates, in attachment, due to several
changes that I think were problematic. My explanations below on why.

I hope it's syntactically correct, as I didn't test it in a new package.

On Friday 27 June 2008 at 06:52 +0200, Christian Perrier wrote:
> (Justin's mail was sent to dle only. It is quoted at the end of this answer)
> 
> Quoting Justin B Rye (jbr@edlug.org.uk):
> > Christian Perrier wrote:
> > > OK, as there are templates changes, this is a good occasion to review
> > > the entire templates set for this package, as it doesn't follow the
> > > usual recommended writing style very well.
> > 
> > I'm a bit rusty on that style myself, but there are several places
> > where I'm not clear about the content.
> 
> 
> I included all of Justin's suggestions and then came up with the
> attached content.
> 
> About "access" to the configure script and "run" the configure script
> I did choose "run".
> 

OK for me (but I'm no maintainer ;).

> I think that the twiki/apacheUserCreationNote becomes useless now.
> It is needed by the following bit of code:
> 
> # add info due to 3-4 bug reports
> db_input high twiki/apacheUserCreationNote || true
>
> 
> This is clear and blatant debconf abuse, I'm afraid. Interrupting
> installs to give information that should be in README.Debian

On this one point I agree, if policy recommends not doing so. Still,
note that it is only "high" and not "critical" in the db_input, in
config... So may not interrupt in all cases ?

But :
>  and is
> anyway obsoleted by the bit of code that gives admin rights to
> ${configuser} makes this part irrelevant.
> 

No. 

You're mistaken by having had a look at the packaging only without
knowledge of TWiki, I think. Both configuser and doing something else
manually may be required.

TWiki needs several administrative privileges for :

* configuration of the program's installation options, done through the
cgi-bin/twiki/configure script, which needed to be protected in the
apache configuration, hence the "configuser" handled by debconf (as a
fix of bug #485562).

* general management of users and groups, ACL to specific wiki pages,
and stuff, all relating to the wiki's internal users and groups, not
managed by apache.

Unless further configuration, the apache basicauth users and the wiki's
internal users (registration form, etc.) are different (even if using
somehow the same .htpasswd file).

The "apacheUserCreationNote" relates to the wiki's internal users which
need to be added to the wiki's group Main.TWikiAdminGroup, and not
apache's, actually, so the template name is confusing.

But asking the user to take care of this extra configuration step (after
install) is not in any way obsoleted by the configuser being added in
#485562's fix.

> I propose removing that debconf note (shortly said: mandatory debconf
> notes suck).
> 

Hmmm... The fact that after initial install it may be safest to review
TWiki's internal privileges, and configure an admin user (member of
Main.TWikiAdminGroup), is something that users should be
warned of IMHO.
I can clearly see security implications, if users don't configure admin
users and groups, and see their wiki hijacked, and such (although not as
critical as if access to configure script is not protected)...

So I think that removing such a note may put the package's security at
stake... Maybe doing so in a NMU which already tries to address a
security issue and translations updates is not something wise (but I am
not maintainer, again ;)

So I suggest you should probably keep it in template, as is.


> 
> 
> Justin's mail:
> 

My comments below, in addition to previous remarks :

>  
> > Template: twiki/apacheUserCreationNote
> > Type: note
> > _Description: Admin User Registration configuration required
> >  After you have created yourself a user, edit the Main.TWikiAdminGroup
> >  to restrict Admin privileges to that user.
> 
> What has "Registration" got to do with it?  And what's this about
> editing something (where?) to restrict the privileges? 

Users of TWiki are expected to know that TWiki's ACLs are managed by
editing the wiki's topics/pages... no external configuration for that.

>  That sounds
> as if _everyone_ has Admin privileges until then... 

Exactly : the first user to edit Main.TWikiAdminGroup and lock it for
others becomes administrator. He/she must have registered a wiki user in
a form and have logged-in with this user before doing so.

> oh, wait, is
> that bug #485562?  So is that going to be fixed or not?
> 

No. That's something different. 

configure script is one step above all that, as it defines the
registration mechanism used, plugins installed, where files are stored,
commands launched, i.e. all the unix + perl machinery : think sysadmin
vs data admin.

There may be things to "fix"  wrt the "open to all" nature of the wiki
right after install, but nothing of critical nature, considering the
nature of TWiki's security model, and which would be very hard to manage
through Debian package's scripts IMHO.

> > Template: twiki/configuser
> > Type: string
> > Default: configuser
> > _Description: User allowed to configure TWiki:
> >  Please enter the username allowed to access the configure script.
> >  .
> >  This user will be the only one allowed to access the configure script at
> >  ${site}/cgi-bin/configure.
> 
> Is this the same as the "Admin User" named above?  (And shouldn't
> the default name be something more like "twikiadmin"?  But I'm
> wandering off-topic...) 

No... and the name is probably better as configuser, then, to avoid
confusion with TWikiAdmin(Group).


No other comments on the proposed rewrites, which look fine with me.

My proposed templates new version in attachment.

Best regards,
-- 
Olivier BERGER <olivier.berger@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
Template: twiki/defaultUrlHost
Type: string
Default: http://localhost/
_Description: URL of the server TWiki runs under:
 Please enter the web server URL (such as "http://www.example.org/").
 Complete TWiki URLs will be constructed from this value plus the
 string "twiki/".

Template: twiki/wikiwebmaster
Type: string
Default: webmaster@localhost
_Description: Email address of the webmaster for this TWiki:
 Please enter the email address that will receive new user registration
 mail. This address will also be displayed in the "oops" page when errors
 occur.

Template: twiki/samplefiles
Type: boolean
Default: true
_Description: Perform install of default wiki Topic Set?
 TWiki includes a complete "starter kit" which includes user
 registration pages, documentation, and tutorials.
 .
 Accept this option unless you want to use an existing TWiki data set
 (for instance, one left over from a previous installation).
 .
 If data/Main/WebHome.txt is present, the starter kit will not be
 unpacked. The starter kit files can be found in
 /usr/share/twiki/twiki-data.tar.gz (and twiki-pub.tar.gz) if you
 want to install it manually or compare the topics with the new
 version.

Template: twiki/apacheUserCreationNote
Type: note
_Description: Admin User Registration configuration required
 After you have created yourself a user, edit the Main.TWikiAdminGroup
 to restrict Admin privileges to that user.

Template: twiki/configuser
Type: string
Default: configuser
#flag:comment:2
# Translators, do not translate "'configure'" script's name
_Description: Apache user allowed access to 'configure' script
 Please enter the username of the admin user who will be allowed to
 run the configure script at ${site}/cgi-bin/configure.

Template: twiki/configpassword
Type: password
#flag:comment:2
# Translators, do not translate "site" and "configuser" in the variables
_Description: Password for ${configuser}:
 Please enter the password of the apache user who will be allowed to
 run the configure script at ${site}/cgi-bin/configure.

Template: twiki/configpassword_again
Type: password
_Description: Password confirmation:
 Please re-enter the same password, for verification.

Template: twiki/password_mismatch
Type: error
_Description: Password mismatch
 The passwords you entered didn't match. You will have to enter them again.
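
An added example (not part of the original message or of the twiki package): a small Python parser for the debconf templates format attached above, which lists the `note`-type templates debated in this thread and the `${...}` variables each description expects to have substituted. The function names are hypothetical and the embedded sample is constructed from two of the stanzas above.

```python
import re

# Constructed sample: two stanzas copied from the templates attached above.
SAMPLE = '''\
Template: twiki/apacheUserCreationNote
Type: note
_Description: Admin User Registration configuration required
 After you have created yourself a user, edit the Main.TWikiAdminGroup
 to restrict Admin privileges to that user.

Template: twiki/configpassword
Type: password
#flag:comment:2
# Translators, do not translate "site" and "configuser" in the variables
_Description: Password for ${configuser}:
 Please enter the password of the apache user who will be allowed to
 run the configure script at ${site}/cgi-bin/configure.
'''

def parse_templates(text):
    """Split a debconf templates file into one dict per stanza."""
    stanzas, current, field = [], {}, None
    for line in text.splitlines():
        if line.startswith('#'):            # translator / po-debconf comments
            continue
        if not line.strip():                # a blank line ends the stanza
            if current:
                stanzas.append(current)
            current, field = {}, None
        elif line[0] in ' \t' and field:    # continuation of the last field
            body = line[1:]
            current[field] += '\n' + ('' if body.strip() == '.' else body)
        else:
            name, _, value = line.partition(':')
            field = name.lstrip('_').strip()    # "_" only marks translatable
            current[field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def review(stanzas):
    """Return (names of note-type templates, {name: sorted ${vars} used})."""
    notes = [s['Template'] for s in stanzas if s.get('Type') == 'note']
    subst = {}
    for s in stanzas:
        found = set(re.findall(r'\$\{(\w+)\}', s.get('Description', '')))
        if found:
            subst[s['Template']] = sorted(found)
    return notes, subst
```

Running `review(parse_templates(SAMPLE))` reports `twiki/apacheUserCreationNote` as the only note and shows that `twiki/configpassword` depends on both `configuser` and `site` being substituted before the question is displayed.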
