From srivasta at debian.org Sun Nov 1 05:33:32 2009
From: srivasta at debian.org (Manoj Srivastava)
Date: Sun, 01 Nov 2009 00:33:32 -0500
Subject: [Pkg-dspam-misc] Bug#553498: Bug#553498: dspam-webfrontend: dir-or-file-in-var-www /var/www/dspam/admin.cgi and 6 others
In-Reply-To: <58ced7205d4773ede54b0cc5f69de1fd@kirya.net> (Julien Valroff's message of "Sat, 31 Oct 2009 21:39:59 +0100")
References: <20091031191033.27970.52127.reportbug@anzu.internal.golden-gryphon.com> <58ced7205d4773ede54b0cc5f69de1fd@kirya.net>
Message-ID: <873a4yyfkj.fsf@anzu.internal.golden-gryphon.com>

On Sat, Oct 31 2009, Julien Valroff wrote:

> As dspam-webfrontend relies on apache2-suexec, which sets the document
> root to /var/www/, I fear there is nothing we can do about this for
> now.

        That is a serious bug in apache2-suexec, which is a blocking bug
 for you, yes.

> Furthermore, as per
> http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-web-appl:
> "If access to the web document root is unavoidable then use /var/www
> as the Document Root."

        That is not yet policy, and is merely a draft proposal. You may
 not assume that /var/www is the document root under the official Debian
 policy and the FHS.

> I would hence think using /var/www for dspam-webfrontend is correct,
> what do you think of it?

        I think it is a serious bug, and you may not be able to upload
 your package unless this is fixed.

        manoj
-- 
"Spare no expense to save money on this one."
Samuel Goldwyn
Manoj Srivastava 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C

From julien at kirya.net Sun Nov 1 07:27:09 2009
From: julien at kirya.net (Julien Valroff)
Date: Sun, 01 Nov 2009 08:27:09 +0100
Subject: [Pkg-dspam-misc] Bug#553498: Bug#553498: dspam-webfrontend: dir-or-file-in-var-www /var/www/dspam/admin.cgi and 6 others
In-Reply-To: <873a4yyfkj.fsf@anzu.internal.golden-gryphon.com>
References: <20091031191033.27970.52127.reportbug@anzu.internal.golden-gryphon.com> <58ced7205d4773ede54b0cc5f69de1fd@kirya.net> <873a4yyfkj.fsf@anzu.internal.golden-gryphon.com>
Message-ID: <1257060429.14101.10.camel@athyr.kirya.net>

Hi Manoj,

On Sunday 01 November 2009 at 00:33 -0500, Manoj Srivastava wrote:
> On Sat, Oct 31 2009, Julien Valroff wrote:
>
>
> > As dspam-webfrontend relies on apache2-suexec, which sets the document
> > root to /var/www/, I fear there is nothing we can do about this for
> > now.
>
>         That is a serious bug in apache2-suexec, which is a blocking bug
>  for you, yes.

Would you please report this bug?

Also see the following bug I had reported for this issue:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542950
I had wrongly thought /srv/www was a good place to host web applications
data.

>
> > Furthermore, as per
> > http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-web-appl:
> > "If access to the web document root is unavoidable then use /var/www
> > as the Document Root."
>
>         That is not yet policy, and is merely a draft proposal. You may
>  not assume that /var/www is the document root under the official Debian
>  policy and the FHS.

A draft? I don't understand.
It is part of the Debian Policy 3.8.3, section 11.5, point 4

If not, then it is a bug in debian-policy...

> > I would hence think using /var/www for dspam-webfrontend is correct,
> > what do you think of it?
>
>         I think it is a serious bug, and you may not be able to upload
>  your package unless this is fixed.

I understand.
I wish I could address this issue myself.

Cheers,
Julien

From srivasta at debian.org Sun Nov 1 07:55:00 2009
From: srivasta at debian.org (Manoj Srivastava)
Date: Sun, 01 Nov 2009 01:55:00 -0600
Subject: [Pkg-dspam-misc] Bug#553498: Bug#553498: dspam-webfrontend: dir-or-file-in-var-www /var/www/dspam/admin.cgi and 6 others
In-Reply-To: <1257060429.14101.10.camel@athyr.kirya.net> (Julien Valroff's message of "Sun, 01 Nov 2009 08:27:09 +0100")
References: <20091031191033.27970.52127.reportbug@anzu.internal.golden-gryphon.com> <58ced7205d4773ede54b0cc5f69de1fd@kirya.net> <873a4yyfkj.fsf@anzu.internal.golden-gryphon.com> <1257060429.14101.10.camel@athyr.kirya.net>
Message-ID: <87fx8ywugb.fsf@anzu.internal.golden-gryphon.com>

On Sun, Nov 01 2009, Julien Valroff wrote:

> Hi Manoj,
>
> On Sunday 01 November 2009 at 00:33 -0500, Manoj Srivastava wrote:
>> On Sat, Oct 31 2009, Julien Valroff wrote:
>>
>>
>> > As dspam-webfrontend relies on apache2-suexec, which sets the document
>> > root to /var/www/, I fear there is nothing we can do about this for
>> > now.
>>
>>         That is a serious bug in apache2-suexec, which is a blocking bug
>>  for you, yes.
>
> Would you please report this bug?
>
> Also see the following bug I had reported for this issue:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542950
> I had wrongly thought /srv/www was a good place to host web applications
> data.

        Well, since I do not actually work with web applications
 currently, I am perhaps not the best person to file this bug.

>
>>
>> > Furthermore, as per
>> > http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-web-appl:
>> > "If access to the web document root is unavoidable then use /var/www
>> > as the Document Root."
>>
>>         That is not yet policy, and is merely a draft proposal. You may
>>  not assume that /var/www is the document root under the official Debian
>>  policy and the FHS.
>
> A draft? I don't understand.
> It is part of the Debian Policy 3.8.3, section 11.5, point 4

        Yes, you are correct. It is late at night here ...

> If not, then it is a bug in debian-policy...

        I think that is the case. Policy should not recommend violating
 the FHS like this.

>
>> > I would hence think using /var/www for dspam-webfrontend is correct,
>> > what do you think of it?
>>
>>         I think it is a serious bug, and you may not be able to upload
>>  your package unless this is fixed.
>
> I understand. I wish I could address this issue myself.

        Well, I think the way forward would be to move the directory out
 of /var/www?

        manoj
-- 
#else /* !STDSTDIO */       /* The big, slow, and stupid way */
Larry Wall in #str.c from the perl source code
Manoj Srivastava 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C

From julien at kirya.net Sun Nov 1 08:15:58 2009
From: julien at kirya.net (Julien Valroff)
Date: Sun, 01 Nov 2009 09:15:58 +0100
Subject: [Pkg-dspam-misc] Bug#553498: Bug#553498: dspam-webfrontend: dir-or-file-in-var-www /var/www/dspam/admin.cgi and 6 others
In-Reply-To: <87fx8ywugb.fsf@anzu.internal.golden-gryphon.com>
References: <20091031191033.27970.52127.reportbug@anzu.internal.golden-gryphon.com> <58ced7205d4773ede54b0cc5f69de1fd@kirya.net> <873a4yyfkj.fsf@anzu.internal.golden-gryphon.com> <1257060429.14101.10.camel@athyr.kirya.net> <87fx8ywugb.fsf@anzu.internal.golden-gryphon.com>
Message-ID: <1257063358.14101.20.camel@athyr.kirya.net>

On Sunday 01 November 2009 at 01:55 -0600, Manoj Srivastava wrote:
> On Sun, Nov 01 2009, Julien Valroff wrote:
>
> > Hi Manoj,
> >
> > On Sunday 01 November 2009 at 00:33 -0500, Manoj Srivastava wrote:
> >> On Sat, Oct 31 2009, Julien Valroff wrote:
> >>
> >>
> >> > As dspam-webfrontend relies on apache2-suexec, which sets the document
> >> > root to /var/www/, I fear there is nothing we can do about this for
> >> > now.
> >>
> >>         That is a serious bug in apache2-suexec, which is a blocking bug
> >>  for you, yes.
> >
> > Would you please report this bug?
> >
> > Also see the following bug I had reported for this issue:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542950
> > I had wrongly thought /srv/www was a good place to host web applications
> > data.
>
>         Well, since I do not actually work with web applications
>  currently, I am perhaps not the best person to file this bug.
>
> >
> >>
> >> > Furthermore, as per
> >> > http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-web-appl:
> >> > "If access to the web document root is unavoidable then use /var/www
> >> > as the Document Root."
> >>
> >>         That is not yet policy, and is merely a draft proposal. You may
> >>  not assume that /var/www is the document root under the official Debian
> >>  policy and the FHS.
> >
> > A draft? I don't understand.
> > It is part of the Debian Policy 3.8.3, section 11.5, point 4
>
>         Yes, you are correct. It is late at night here ...
>
> > If not, then it is a bug in debian-policy...
>
>         I think that is the case. Policy should not recommend violating
>  the FHS like this.

Then, what has priority? FHS or Debian Policy?

> >
> >> > I would hence think using /var/www for dspam-webfrontend is correct,
> >> > what do you think of it?
> >>
> >>         I think it is a serious bug, and you may not be able to upload
> >>  your package unless this is fixed.
> >
> > I understand. I wish I could address this issue myself.
>
>         Well, I think the way forward would be to move the directory out
>  of /var/www?

Not that easy: dspam-webfrontend does rely on apache2-suexec, which sets
the document root to /var/www
Apache suexec obviously doesn't follow symlinks.

apache2-suexec-custom allows setting ONE different document root. If it
is set to eg. /usr/share/dspam-webfrontend/ then the sysadmin cannot use
any other web application relying on suexec (and, as a side effect, it
would require that she edit the suexec configuration file before being
able to use dspam-webfrontend).
I think the main issue is that FHS doesn't set any document root for web
applications data. That's why the Debian Policy agrees they are
installed in the historic /var/www directory "if unavoidable" (I would
tend to think this wording applies to dspam-webfrontend for now).

Cheers,
Julien

From srivasta at debian.org Sun Nov 1 08:50:38 2009
From: srivasta at debian.org (Manoj Srivastava)
Date: Sun, 01 Nov 2009 02:50:38 -0600
Subject: [Pkg-dspam-misc] Bug#553498: Bug#553498: dspam-webfrontend: dir-or-file-in-var-www /var/www/dspam/admin.cgi and 6 others
In-Reply-To: <1257063358.14101.20.camel@athyr.kirya.net> (Julien Valroff's message of "Sun, 01 Nov 2009 09:15:58 +0100")
References: <20091031191033.27970.52127.reportbug@anzu.internal.golden-gryphon.com> <58ced7205d4773ede54b0cc5f69de1fd@kirya.net> <873a4yyfkj.fsf@anzu.internal.golden-gryphon.com> <1257060429.14101.10.camel@athyr.kirya.net> <87fx8ywugb.fsf@anzu.internal.golden-gryphon.com> <1257063358.14101.20.camel@athyr.kirya.net>
Message-ID: <87zl76k4rl.fsf@anzu.internal.golden-gryphon.com>

On Sun, Nov 01 2009, Julien Valroff wrote:

>> >>         I think it is a serious bug, and you may not be able to upload
>> >>  your package unless this is fixed.
>> >
>> > I understand. I wish I could address this issue myself.
>>
>>         Well, I think the way forward would be to move the directory out
>>  of /var/www?
>
> Not that easy: dspam-webfrontend does rely on apache2-suexec, which sets
> the document root to /var/www
> Apache suexec obviously doesn't follow symlinks.

        So file a bug on apache2-suexec, since that seems to be the
 proximate cause of grief here.

> I think the main issue is that FHS doesn't set any document root for web
> applications data. That's why the Debian Policy agrees they are
> installed in the historic /var/www directory "if unavoidable" (I would
> tend to think this wording applies to dspam-webfrontend for now).

        I disagree.
I think programs in Debian should not make such assumptions about document
 root; and policy should remove that sentence. We are most of the way to
 not having a hard coded document root, and I think that is where we
 should be going.

        manoj
-- 
You know it's Monday when you wake up and it's Tuesday. Garfield
Manoj Srivastava 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C

From owner at bugs.debian.org Sun Nov 8 17:06:06 2009
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Sun, 08 Nov 2009 17:06:06 +0000
Subject: [Pkg-dspam-misc] Processed: block 553498 with 555129
In-Reply-To: <1257699792-2222-bts-julien@kirya.net>
References: <1257699792-2222-bts-julien@kirya.net>
Message-ID:

Processing commands for control at bugs.debian.org:

> block 553498 with 555129
Bug #553498 [dspam-webfrontend] dspam-webfrontend: dir-or-file-in-var-www /var/www/dspam/admin.cgi and 6 others
Was not blocked by any bugs.
Added blocking bug(s) of 553498: 555129
> End of message, stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

From owner at bugs.debian.org Sun Nov 8 17:42:06 2009
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Sun, 08 Nov 2009 17:42:06 +0000
Subject: [Pkg-dspam-misc] Processed: Re: Bug#555129: Should not set document root to /var/www - violates the FHS
In-Reply-To: <200911081836.25362.sf@sfritsch.de>
References: <200911081836.25362.sf@sfritsch.de>
Message-ID:

Processing commands for control at bugs.debian.org:

> severity 555129 wishlist
Bug #555129 [apache2-suexec] Should not set document root to /var/www - violates the FHS
Severity set to 'wishlist' from 'serious'
> severity 553498 wishlist
Bug #553498 [dspam-webfrontend] dspam-webfrontend: dir-or-file-in-var-www /var/www/dspam/admin.cgi and 6 others
Severity set to 'wishlist' from 'serious'
> thanks
Stopping processing here.

Please contact me if you need assistance.
Debian bug tracking system administrator
(administrator, Debian Bugs database)

From sf at sfritsch.de Sun Nov 8 17:36:25 2009
From: sf at sfritsch.de (Stefan Fritsch)
Date: Sun, 8 Nov 2009 18:36:25 +0100
Subject: [Pkg-dspam-misc] Bug#553498: Bug#555129: Should not set document root to /var/www - violates the FHS
In-Reply-To: <20091108165407.25563.20692.reportbug@athyr.kirya.net>
References: <20091108165407.25563.20692.reportbug@athyr.kirya.net>
Message-ID: <200911081836.25362.sf@sfritsch.de>

severity 555129 wishlist
severity 553498 wishlist
thanks

On Sunday 08 November 2009, Julien Valroff wrote:
> This is not one of the /var directories in the File Hierarchy
> Standard and is under the control of the local administrator.

Manoj, both apache2-suexec and dspam-webfrontend are following the
policy's recommendation. How can this be a serious bug?

> Even
> http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-web-appl,
> which suggests /var/www should be used if
> **unavoidable**, states that this place can be a symlink to the
> location where the system administrator has put the real document
> root. If I am right, suexec doesn't allow symlinks for security
> reasons.

Suexec should work fine if /var/www itself is a symlink.

I completely agree that the current situation is not optimal. But I
don't see a better choice for the suexec document root. Of course, any
alternative must not introduce local privilege escalation
vulnerabilities (like using "/" does).
Cheers,
Stefan

From srivasta at debian.org Mon Nov 9 05:43:56 2009
From: srivasta at debian.org (Manoj Srivastava)
Date: Sun, 08 Nov 2009 23:43:56 -0600
Subject: [Pkg-dspam-misc] Bug#553498: Bug#555129: Should not set document root to /var/www - violates the FHS
In-Reply-To: <200911081836.25362.sf@sfritsch.de> (Stefan Fritsch's message of "Sun, 8 Nov 2009 18:36:25 +0100")
References: <20091108165407.25563.20692.reportbug@athyr.kirya.net> <200911081836.25362.sf@sfritsch.de>
Message-ID: <877hu0fe1v.fsf@anzu.internal.golden-gryphon.com>

On Sun, Nov 08 2009, Stefan Fritsch wrote:

> severity 555129 wishlist
> severity 553498 wishlist
> thanks
>
> On Sunday 08 November 2009, Julien Valroff wrote:
>> This is not one of the /var directories in the File Hierarchy
>> Standard and is under the control of the local administrator.
>
> Manoj, both apache2-suexec and dspam-webfrontend are following the
> policy's recommendation. How can this be a serious bug?

        Because it violates the FHS -- and it would be at odds with
 the forthcoming web applications policy. Are you sure access to
 the document root is unavoidable?

        manoj
-- 
Biz is better.
Manoj Srivastava 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C

From sf at sfritsch.de Tue Nov 10 12:13:45 2009
From: sf at sfritsch.de (Stefan Fritsch)
Date: Tue, 10 Nov 2009 13:13:45 +0100
Subject: [Pkg-dspam-misc] Bug#553498: Bug#555129: Should not set document root to /var/www - violates the FHS
In-Reply-To: <877hu0fe1v.fsf@anzu.internal.golden-gryphon.com>
References: <20091108165407.25563.20692.reportbug@athyr.kirya.net> <200911081836.25362.sf@sfritsch.de> <877hu0fe1v.fsf@anzu.internal.golden-gryphon.com>
Message-ID: <200911101313.45542.sf@sfritsch.de>

On Monday 09 November 2009, Manoj Srivastava wrote:
>         Because it violates the FHS -- and it would be at odds with
>  the forthcoming web applications policy. Are you sure access to
>  the document root is unavoidable?
>

Well, it has the document root compiled in, allows only one document
root, and doesn't follow symlinks to outside of the document root. That
makes it pretty hard. Maybe it is possible to find a solution, but it is
not obvious. And it would have to be checked for security issues.

From owner at bugs.debian.org Sat Nov 28 19:03:19 2009
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 28 Nov 2009 19:03:19 +0000
Subject: [Pkg-dspam-misc] Processed: tagging 517279
In-Reply-To: <20091128190101.CCEA4EACE5@intrepid.roeckx.be>
References: <20091128190101.CCEA4EACE5@intrepid.roeckx.be>
Message-ID:

Processing commands for control at bugs.debian.org:

> tags 517279 + sid squeeze
Bug #517279 {Done: Clint Adams } [dspam] newer bdb version
Added tag(s) squeeze and sid.
> End of message, stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

From owner at bugs.debian.org Sat Nov 28 19:03:22 2009
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 28 Nov 2009 19:03:22 +0000
Subject: [Pkg-dspam-misc] Processed: tagging 522645
In-Reply-To: <20091128190139.D4060EACE5@intrepid.roeckx.be>
References: <20091128190139.D4060EACE5@intrepid.roeckx.be>
Message-ID:

Processing commands for control at bugs.debian.org:

> tags 522645 + sid squeeze
Bug #522645 {Done: Andreas Barth } [dspam] dspam: FTBS in a clean chroot due to not found libsqlite libs
Bug #544152 {Done: Andreas Barth } [dspam] dspam FTBFS now
Added tag(s) squeeze and sid.
Added tag(s) squeeze and sid.
> End of message, stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
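The thread above turns on one mechanism: suexec compares the physical working directory of the CGI's directory against the physical working directory of its compiled-in document root, so /var/www may itself be a symlink (as Stefan says) while a symlink inside /var/www pointing to /usr/share/dspam-webfrontend is rejected (as Julien found), and a document root of "/" makes the check vacuous. The following model of that containment check is an added example, not code from suexec, apache2 or dspam-webfrontend; the directory layout it builds under a temporary directory is constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def within_docroot(docroot: str, target_dir: str) -> bool:
    """Model of suexec's containment rule: chdir() into the document root and
    into the CGI's directory, then compare the getcwd() results.  getcwd()
    always yields a symlink-free physical path, which realpath() reproduces."""
    root = os.path.realpath(docroot)
    cwd = os.path.realpath(target_dir)
    if not os.path.isdir(cwd):
        return False
    # The physical CGI directory must be the physical docroot or lie below it.
    # With a docroot of "/" the prefix is just "/", so every path passes.
    return cwd == root or cwd.startswith(root.rstrip(os.sep) + os.sep)


def demo() -> dict:
    """Build a constructed miniature filesystem (hypothetical layout, not any
    package's real one) in a temp dir and evaluate the cases from the thread."""
    base = Path(tempfile.mkdtemp(prefix="suexec-model-"))
    real_root = base / "srv" / "www"           # admin's real document root
    (real_root / "site").mkdir(parents=True)
    pkg_dir = base / "usr" / "share" / "dspam-webfrontend"
    pkg_dir.mkdir(parents=True)
    var = base / "var"
    var.mkdir()
    # /var/www itself is a symlink to /srv/www (the policy's "may be a symlink")
    (var / "www").symlink_to(real_root, target_is_directory=True)
    # /var/www/dspam is a symlink that escapes the docroot into /usr/share
    (real_root / "dspam").symlink_to(pkg_dir, target_is_directory=True)
    docroot = str(var / "www")                 # what would be compiled in
    return {
        # ordinary directory below the docroot: allowed
        "plain_dir_inside": within_docroot(docroot, str(var / "www" / "site")),
        # reached through the real path: still allowed, both sides resolve alike
        "docroot_itself_symlink": within_docroot(docroot, str(real_root / "site")),
        # symlink leading outside the docroot: rejected
        "symlink_out_of_docroot": within_docroot(docroot, str(var / "www" / "dspam")),
        # docroot set to the top of the tree (models "/"): no containment at all
        "slash_docroot_allows_anything": within_docroot(str(base), str(pkg_dir)),
    }
```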