[Pkg-awstats-devel] Bug#257832: Bug#257832: Suggestion for moving awstats to apache2 as default config.

Jonas Smedegaard dr at jones.dk
Sat May 24 16:25:20 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, May 24, 2008 at 01:25:26PM +0200, Andreas Henriksson wrote:

>Awstats cronjob runs as www-data -> no read permission. :(

>I've committed the patch anyway, since pointing at non-existent logfiles 
>isn't any better than pointing at those you don't have permission to 
>read.

Hmm - actually it might be better to not change, then:

Both setups won't work as is.  But changing the configuration file on 
systems that work already will cause package update scripts to ask if 
you want to update configurations to the new default - which is of no 
benefit, only confusion.


>Running the cronjob as root

... is unacceptable IMO!

>Using debconf to ask the user and configure logfiles to be 
>world-readable could be an option,

Needs other changes too, like editing logrotate snippet which is owned 
by the apache package so illegal to touch by our package.  We can only 
instruct local admin to consider changing it.


>Adding an awstats user which is member of group adm seems best, but 
>I'll have to read up on exactly what being an adm member gives you 
>access to

Most logfiles.  Might make sense for a setup that only parses weblogs 
producing static files for the webserver to serve.  But I do not trust 
AWStats enough to allow web access to adm group by default!


>and I guess this would break the (default disabled?) config 
>option of being able to trigger an "update now" from the web.

If it isn't already disabled by default it really should be IMO:  Leave 
possible security problems to adventurous local admins!


>I guess we should ask the apache2 team what they think is the best way.

At debconf in Finland a few years ago we discussed some web apps policy.  
I don't know what happened since.  Try searching at http://wiki.debian.org/


>OTOH, it might be better to just ship now. We're not worse off than
>before, and it would be nice to have that RC bug closed.

As I wrote above, we are actually slightly worse off than before: As is 
the change is only cosmetic, and the "cosmetic" question it raises when 
updating package on systems with locally edited config files is worse 
IMO.

I suggest rolling back the config change before releasing, postponing 
that change until it has some real use.


  - Jonas

- -- 
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136  Website: http://dr.jones.dk/

  - The end is near: http://www.shibumi.org/eoti.htm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIOEFwn7DbMsAkQLgRAkECAJsGElCaHpWhfV5H8pHBluwhsbn99wCgoAZ9
FE5gIKIJdzm+tH0TOIfv2GA=
=8RXB
-----END PGP SIGNATURE-----
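
Added example, not part of the original message or of the awstats packaging: a sketch that lists which files under a log directory become readable only once group adm is added to an identity such as www-data, the trade-off discussed in the thread. It assumes classic Unix mode bits only (no ACLs or capabilities), the function names are hypothetical, and it should be run as root so the walk itself can see every entry.

```python
import grp
import os
import pwd
import stat
import sys


def allowed(st, uid, gids, want):
    """Classic mode-bit check: owner, then group, then other (no ACLs)."""
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & want == want


def readable_files(root, uid, gids):
    """Regular files under root that the given identity could open for reading."""
    found = set()
    stack = [root]
    while stack:
        d = stack.pop()
        # Only x is required to reach a file: log file names are predictable,
        # so a directory that cannot be listed still exposes its contents.
        if not allowed(os.stat(d), uid, gids, 1):
            continue
        for name in os.listdir(d):
            path = os.path.join(d, name)
            st = os.lstat(path)  # symlinks are neither followed nor reported
            if stat.S_ISDIR(st.st_mode):
                stack.append(path)
            elif stat.S_ISREG(st.st_mode) and allowed(st, uid, gids, 4):
                found.add(path)
    return found


def added_exposure(root, uid, base_gids, extra_gid):
    """Files readable only because extra_gid was added to the identity."""
    before = readable_files(root, uid, set(base_gids))
    after = readable_files(root, uid, set(base_gids) | {extra_gid})
    return sorted(after - before)


if __name__ == "__main__":
    # Assumption: the user and group names discussed in the thread exist locally.
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/log"
    user = pwd.getpwnam("www-data")
    adm = grp.getgrnam("adm").gr_gid
    for path in added_exposure(root, user.pw_uid, {user.pw_gid}, adm):
        print(path)
```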




