[pkg-horde] Bug#726187: Bug#726187: Provide empty conf.php and conf.bak.php (writeable for www-data)

Mathieu Parent math.parent at gmail.com
Wed Oct 23 13:37:46 UTC 2013


2013/10/22 Mathieu Parent <math.parent at gmail.com>:
> Control: tag -1 + wontfix
>
> 2013/10/13 Mike Gabriel <mike.gabriel at das-netzwerkteam.de>:
>> Package: php-horde
>> Version: 5.1.4+debian0-1
>>
>> To allow editing the Horde configuration administratively, two files need to
>> be present in /etc/horde/horde.
>>
>>   conf.php
>>   conf.bak.php
>>
>> Both files have to be writable by user www-data.
>
> I don't want this because this is a security hole IMO.
>
> But, I welcome a patch to:
> - create those files owned by root
> - improve the documentation (README.Debian)

Thinking a bit more. I propose to not create those 2 empty files. And
to write a README.Debian file mentioning the three ways to configure
Horde:
- 1. Installing a bundle [1] (php-horde-webmail or -groupware) and
running the included script (webmail-install or groupware-), or
- 2. configuring through the web interface + download + chown root + chmod
- 3. creating those 2 files + chown www-data + configuring through the web interface

Mike, don't hesitate to directly commit to git.

[1]: http://packages.debian.org/sid/horde-bundle

Cheers,
-- 
Mathieu
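
The permission concern discussed in this thread can be checked on an installed system. The script below is an added example, not part of the original message or of the Debian packaging; it assumes GNU stat, the /etc/horde/horde path and www-data user named above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether the web server user could modify the Horde
# configuration files named in this thread. Assumes GNU stat (coreutils).

# check_path PATH WEB_USER
# Returns 0 if the web user cannot write PATH, 1 if it can, 2 if PATH is missing.
# Conservative: any group or other write bit counts as writable.
check_path() {
    path=$1
    web_user=$2
    if [ ! -e "$path" ]; then
        echo "MISSING   $path"
        return 2
    fi
    owner=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$owner" = "$web_user" ]; then
        echo "WRITABLE  $path (owned by $web_user, mode $mode)"
        return 1
    fi
    case $mode in
        *[2367]?|*[2367])   # write bit set in the group or other octal digit
            echo "WRITABLE  $path (group/other write bit, mode $mode)"
            return 1 ;;
    esac
    echo "OK        $path (owner $owner, mode $mode)"
}

# audit_horde_conf [DIR] [WEB_USER]
# Checks the directory itself (a writable directory lets files be replaced)
# and both config files. Missing files are not a finding. Returns 1 on any
# WRITABLE result, else 0.
audit_horde_conf() {
    dir=${1:-/etc/horde/horde}
    web_user=${2:-www-data}
    rc=0
    for p in "$dir" "$dir/conf.php" "$dir/conf.bak.php"; do
        check_path "$p" "$web_user" || case $? in 1) rc=1 ;; esac
    done
    return "$rc"
}

# Run only when arguments are given, e.g.: sh audit.sh /etc/horde/horde www-data
if [ "$#" -gt 0 ]; then
    audit_horde_conf "$@"
fi
```

After option 2 (chown root + chmod) every line should read OK; after option 3 the two files are expected to show as WRITABLE.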


