
Re: common, FHS-compliant, default document root for the various web servers



On Thu, Nov 05, 2009 at 03:05:07PM +0100, Giacomo A. Catenazzi wrote:
> Personally I would like to have a completely different approach:
> 
> - web server ask where to put the root (probably proposing default
>   a /srv/www location).  But not further assumption about the
>   location.
>   Admins, per FHS, could choose other paths.

This is done in a few webapps right now. But we (as in maintainers)
still need to provide a sane (FHS and policy compliant) default for
non-interactive installations and even for users who have no clue about
what they're doing and simply press enter.

>   This could be done by a new update-http-root application.
>   (and ev. could handle multiple vhost).
>   And possibly allowing no public location (thus forcing local only
>   connections): we tend to forget about this, but IMHO more and more
>   desktop computers are installed with webserver because of local
>   convenience. Thus we really need to securely support this common
>   cases.

Well, if we go for a solution that implements vhosts (in case of apache
and other web servers that even know about vhosts) we could include some
command to bind the vhost to localhost. I'd be okay with it. If,
however, we decide to have one debian specific DocRoot which all webapps
would use, then we don't have vhosts for all packages but one generic
one. We can still have this per default bound to localhost but if one
webapp is public, all are.

> - No webapp are installed "live" by default:
> 
>   We have too much crap web application, and some/most of our users
>   don't realize that they are installing a public accessible crap.
>   [the desktop users]

Isn't that what the topic was about? *confused*

>   Thus IMHO we need a "update-webappl" utility, which would
>   list, ask and ev. install the just installed webapplication.
> 
>   This is not so far as the installation of apache modules, which
>   ask for which apache (apache/apache2/apache2-ssl/...) to enable
>   modules. We just list the possible web root.
> 
>   Naturally admins can skip this point (e.g. not allowing debian
>   to handle webappl, but doing manually).
> 
>   Probably a webserver-specific support script will handle the
>   generation of symlink (default) or via configuration (webserver
>   specific) of the /usr/lib/cgi or /usr/share/* dir.

What exactly should these scripts do then?

> In short:
> 
> - no hardcoded default root location (only a default value for a
>   real user question)

As said above, we need a DocRoot that is FHS and policy compliant. If I
understand you correctly you want a DocRoot for each and every webapp
instead of one global DocRoot?

> - not installing by default (without asking) web apps.

You mean a debconf template that says: "I know you typed 'aptitude
install webapp' but we're smarter than you are and thus not doing it
unless you really want to and type 'yes' now." ? Remember Debian is not
only about a secure system but also about a working system. Don't make
life harder than necessary. I'd agree to binding to localhost, though.

Hauke
