Re: Bug 314808, /srv and webapps.
On Tue, Jun 28, 2005 at 11:58:10AM +0100, Neil McGovern wrote:
> > PHP includes usually sit in the www accessible directory. This might be
> > confusing.
> They shouldn't, it's a security risk to have these things publicly
> accessible. Things which don't HAVE to be in the doc root, shouldn't be.
> See http://lists.debian.org/debian-security/2005/04/msg00103.html
See http://lists.debian.org/debian-security/2005/04/msg00104.html
And http://lists.debian.org/debian-security/2005/04/msg00111.html
I don't think it is such a big issue either.
It will require some magic/work to make Wordpress upstream code look
in the right place if I have to move includes/ to another directory.
> > > /usr/share/foo/scripts <- other helper scripts that don't belong in /usr/bin
> > Do you have an example? I keep "dodgy" scripts in
> > /usr/share/doc/foo/example
> /usr/share/foo/scripts shouldn't be used for 'dodgy' scripts. You're
> right to place them in /usr/share/doc/foo/example
> However, something that performs maintenance (for example) could live in
> /usr/share/foo/scripts
Ok, that's sensible. Though upstream should do that already. Getting
people to look in scripts/ will quickly catch on mind.
> > > /usr/share/foo/data <- other non web data, like xml or text files
> > A data store off /usr/share/foo/ ? Sounds strange.
> Yup, but that's because we're used to using /usr/share/foo/.
> We're trying to split up /usr/share/foo/ into subdirectories to make
> everything more sane.
Understood. It's that I am a little worried about getting at least the
package package to conform esp. regarding includes.
I do not object necessarily either to /www. I just wish permissions or
something could be used instead.
> > And should the Debian package maintain it directly?
> I'm not really sure what you mean here.
Data stores should be ideally maintained in the mysql-server. Else set up
by the Web application IMO. Not by Debian scripts.
> For info, the (normally) latest release of the WebApps policy can be
> found at http://people.debian.org/~neilm/webapps-policy/
This doesn't seem up to date with that cvs 4.3 stuff in a recent mailing list
post:
http://lists.debian.org/debian-webapps/2005/06/msg00065.html