Re: Bug#485562: twiki: configure script access badly protected
Le samedi 28 juin 2008 à 08:37 +0100, Justin B Rye a écrit :
> Olivier Berger wrote:
> > *Should be "apache" in all three.*
> > By "apache user", I mean something which relates to Require user in the
> > apache.conf section of the 'configure' script... of course, this assumes
> > that it's running apache and no other web server ;)
> > In any case, that's meant to differenciate from "TWiki users", which are
> > managed "inside twiki".
> I'm still not quite convinced by the expression "apache user", but I
> can't decide what alternative I'd suggest.
> The trouble with "apache user" is that it might mean the local
> system's www-data, or maybe the owner of the computer, rather than
> a browser-user authenticated via mod_auth_basic...
I agree it's ambiguous... but a default value is provided... and the
administrator of TWiki who installs it will only need to provide this
user again if/when he/she accesses the configure script's URL. At this
time, hope is he/she will have read the README.Debian, and will
understand better what that admin-user was... so we're reasonably safe
here... and even if www-data was provided here in place of the default
value, I guess it wouldn't hurt either.
I'm preparing addons to the README.Debian to clarify a bit all this
anyway, for the NMU.
Thanks for the comments.
Olivier BERGER <firstname.lastname@example.org>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)