Re: Bug 314808, /srv and webapps.

To: Kai Hendry <hendry@iki.fi>
Cc: debian-webapps@lists.debian.org
Subject: Re: Bug 314808, /srv and webapps.
From: sean finney <seanius@debian.org>
Date: Wed, 29 Jun 2005 00:32:03 -0400
Message-id: <[🔎] 20050629043203.GA16339@seanius.net>
In-reply-to: <[🔎] 20050629022535.GA7841@iki.fi>
References: <[🔎] 20050622131227.GW15147@mx0.halon.org.uk> <[🔎] 20050622235325.GB25739@iki.fi> <[🔎] 20050625233641.GA5160@seanius.net> <[🔎] 20050626081042.GB665@iki.fi> <[🔎] 20050626154319.GA14522@seanius.net> <[🔎] 20050628041949.GC4581@iki.fi> <[🔎] 20050628050725.GA1833@seanius.net> <[🔎] 20050628053805.GE4581@iki.fi> <[🔎] 20050628105810.GA1913@mx0.halon.org.uk> <[🔎] 20050629022535.GA7841@iki.fi>

hi kai,

On Wed, Jun 29, 2005 at 12:25:37PM +1000, Kai Hendry wrote:
> On Tue, Jun 28, 2005 at 11:58:10AM +0100, Neil McGovern wrote:
> > > PHP includes usually sit in the www accessible directory. This might be
> > > confusing.
> > They shouldn't, it's a security risk to have these things publically
> > accessable. Things which don't HAVE to be in the doc root, shoudn't be.
> > See http://lists.debian.org/debian-security/2005/04/msg00103.html
> 
> See http://lists.debian.org/debian-security/2005/04/msg00104.html
> And http://lists.debian.org/debian-security/2005/04/msg00111.html
> 
> I don't think it is such a big issue either. 

actually, you're misreading the first mail.  in the first mail, someone
was asking if moving includes out was cause for a DSA, which it
certainly isn't.  at the end of the mail, there's an example of exactly
why moving include files out of the document root is a good thing (a
security bug related to cross-site scripting using such include files).

this issue isn't a black and white issue, though, because what constitutes
a file and a library can be kind of vague at times.   it may be that we
back down from calling this a policy requirement but merely a 'best
practice'.

> It will require some magic/work to make Wordpress upstream code to look
> in the right place if I have to move includes/ to another directory.

it's not too hard for most php applications.  if a central config file
exists, you can patch in something like:

ini_set('include_path', 
        '/usr/share/wordpress/include:' .  ini_get('include_path'));

if not, you can do something similar in the apache.conf, using
php_value or php_auto_prepend to get such a thing in there.

> Data stores should be ideally maintained in the mysql-server. Else setup
> by the Web application IMO. Not by Debian scripts.

i think you misunderstood what i meant by the purpose of this directory.
rdbms data goes in the rdbms, outside of the scope of what we're
discussing.  however, there may exist other static data installed with
the package, such as xml definitions etc which would want to go into
somewhere under /usr/share/foo but not in the web root.  but i think
at this point you understand the general idea of freeing up
/usr/share/foo for other things by placing the webroot in a
subdirectory.

	sean

--

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- Bug 314808, /srv and webapps.
  - From: Neil McGovern <neilm@debian.org>
- Re: Bug 314808, /srv and webapps.
  - From: Kai Hendry <hendry@iki.fi>
- Re: Bug 314808, /srv and webapps.
  - From: sean finney <seanius@debian.org>
- Re: Bug 314808, /srv and webapps.
  - From: Kai Hendry <hendry@iki.fi>
- Re: Bug 314808, /srv and webapps.
  - From: sean finney <seanius@debian.org>
- Re: Bug 314808, /srv and webapps.
  - From: Kai Hendry <hendry@iki.fi>
- Re: Bug 314808, /srv and webapps.
  - From: sean finney <seanius@debian.org>
- Re: Bug 314808, /srv and webapps.
  - From: Kai Hendry <hendry@iki.fi>
- Re: Bug 314808, /srv and webapps.
  - From: Neil McGovern <neilm@debian.org>
- Re: Bug 314808, /srv and webapps.
  - From: Kai Hendry <hendry@iki.fi>

Prev by Date: Re: suggestion for section 4.3
Next by Date: Re: /usr/lib/cgi-bin/
Previous by thread: Re: Bug 314808, /srv and webapps.
Next by thread: Re: Bug 314808, /srv and webapps.
Index(es):
- Date
- Thread