[Pkg-dspam-misc] Bug#553498: Bug#553498: dspam-webfrontend: dir-or-file-in-var-www /var/www/dspam/admin.cgi and 6 others
Julien Valroff
julien at kirya.net
Sun Nov 1 08:15:58 UTC 2009
Le dimanche 01 novembre 2009 à 01:55 -0600, Manoj Srivastava a écrit :
> On Sun, Nov 01 2009, Julien Valroff wrote:
>
> > Hi Manoj,
> >
> > Le dimanche 01 novembre 2009 à 00:33 -0500, Manoj Srivastava a écrit :
> >> On Sat, Oct 31 2009, Julien Valroff wrote:
> >>
> >>
> >> > As dspam-webfrontend relies on apache2-suexec, which sets the document
> >> > root to /var/www/, I fear there is nothing we can do about this for
> >> > now.
> >>
> >> That is a serious bug in apache2-suexec, which is a blocking bug
> >> for you, yes.
> >
> > Would you please report this bug?
> >
> > Also see the following bug I had reported for this issue:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542950
> > I hady thought /srv/www was a good place to host web applications
> > data.
>
> Well, since I do not actually work with web applications
> currently, I am perhaps not the best person to file this bug.
>
> >
> >>
> >> > Furthermore, as per
> >> > http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-web-appl:
> >> > "If access to the web document root is unavoidable then use /var/www
> >> > as the Document Root."
> >>
> >> That is not yet policy, and is merely a draft proposal. You may
> >> not assume that /var/www is the document root under the official Debian
> >> policy and the FHS.
> >
> > A draft? I don't understand.
> > It is part of the Debian Policy 3.8.3, section 11.5, point 4
>
> Yes, you are correct. It is late at night here ...
>
> > If not, then it is a bug in debian-policy...
>
> I think that is the case. Policy should not recommend violating
> the FHS like this.
Then, what has priority? FHS or Debian Policy?
> >
> >> > I would hence think using /var/www for dspam-webfrontend is correct,
> >> > what do you think of it?
> >>
> >> I think it is a serious bug, and you may not be able to upload
> >> your package unless this is fixed.
> >
> > I understand. I wish I could address this issue myself.
>
> Well, I think the way forward would be to move the directory out
> of /var/www?
Not that easy: dspam-webfrontend does rely on apache2-suexec, which sets
the document root to /var/www
Apache suexec obviously doesn't follow symlinks.
apache2-suexec-custom allows to set ONE different document root. If it
is set to eg. /usr/share/dspam-webfrontend/ then the sysadmin cannot use
any other web application relying on suexec (and, as a side effect, it
would require she edits the suexec configuration file before being able
to use dspam-webfrontend).
I think the main issue is that FHS doesn't set any document root for web
applications data. That's why the Debian Policy agrees they are
installed in the historic /var/www directory "if unavoidable" (I would
tend to think this wording applies to dspam-webfrontend for now).
Cheers,
Julien
More information about the Pkg-dspam-misc
mailing list