Re: about DSA-2452-1 apache2 -- insecure default configuration

To: debian-user@lists.debian.org
Subject: Re: about DSA-2452-1 apache2 -- insecure default configuration
From: Vincent Lefevre <vincent@vinc17.net>
Date: Mon, 23 Apr 2012 12:51:58 +0200
Message-id: <[🔎] 20120423105158.GB3827@xvii.vinc17.org>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] jmrsan$o0u$9@dough.gmane.org>
References: <[🔎] 20120416122517.GA31718@xvii.vinc17.org> <[🔎] jmk2s4$h73$10@dough.gmane.org> <[🔎] 20120418162434.GP3827@xvii.vinc17.org> <[🔎] jmp9q7$kai$8@dough.gmane.org> <[🔎] 20120419235029.GA5679@xvii.vinc17.org> <[🔎] jmrsan$o0u$9@dough.gmane.org>

On 2012-04-20 14:37:11 +0000, Camaleón wrote:
> On Fri, 20 Apr 2012 01:50:29 +0200, Vincent Lefevre wrote:
> > On 2012-04-19 15:08:55 +0000, Camaleón wrote:
> >> >> I can be wrong but the bug seems aimed to correct the package which
> >> >> contains the file that enables the alias by default, hence the
> >> >> apache2 package.
> >> > 
> >> > But the user isn't necessarily the administrator. If the admin
> >> > installs mod_php, making the bug appear if the user has added a
> >> > symlink to /usr/share/doc, that's very bad.
> >> 
> >> Sure, but in such case the user (who is in charge of the "alias" for
> >> their domains) will have to manually make the required corrections and
> >> the same goes for the vhosts.
> > 
> > Except that if the user doesn't do this, the same security problem will
> > occur.
> 
> The user is the admin of his/her site and so the ultimate resposible for 
> his/her site security.

What do you mean by site security? AFAIK, the problem is a *host*
security problem.

> >> There are times when a global solution can't be applied and this seems
> >> to be one of that situations.
> > 
> > There is a better solution: to fix mod_php and mod_rivet.
> 
> What's the fix you propose? I mean, what's what you think is wrong in 
> these two packages? Fixing the sample scripts? Are these scripts poorly 
> written and exposing flaws?

Your last questions make no sense. The sample scripts are *not* in
these two packages, but under /usr/share/doc! So, there is nothing
to fix in the sample scripts themselves. The fix should be in the
two packages, which shouldn't execute scripts stored in a random
directory, i.e. the scripts in /usr/share/doc should just be seen
as text files. This should be a bit like CGI's: they are executed
only if the ExecCGI option has been set on the directory.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply to:

Follow-Ups:
- Re: about DSA-2452-1 apache2 -- insecure default configuration
  - From: Camaleón <noelamac@gmail.com>

References:
- about DSA-2452-1 apache2 -- insecure default configuration
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: about DSA-2452-1 apache2 -- insecure default configuration
  - From: Camaleón <noelamac@gmail.com>
- Re: about DSA-2452-1 apache2 -- insecure default configuration
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: about DSA-2452-1 apache2 -- insecure default configuration
  - From: Camaleón <noelamac@gmail.com>
- Re: about DSA-2452-1 apache2 -- insecure default configuration
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: about DSA-2452-1 apache2 -- insecure default configuration
  - From: Camaleón <noelamac@gmail.com>

Prev by Date: getent passwd doesn't show ldap user
Next by Date: Re: getent passwd doesn't show ldap user
Previous by thread: Re: about DSA-2452-1 apache2 -- insecure default configuration
Next by thread: Re: about DSA-2452-1 apache2 -- insecure default configuration
Index(es):
- Date
- Thread