[pkg-horde] Bug#726187: Bug#726187: Bug#726187: Provice empty conf.php and conf.bak.php (writeable for ww-data)

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Fri Oct 25 07:24:28 UTC 2013

Hi Matthieu,

On  Mi 23 Okt 2013 15:37:46 CEST, Mathieu Parent wrote:

> 2013/10/22 Mathieu Parent <math.parent at gmail.com>:
>> Control: tag -1 + wontfix
>> 2013/10/13 Mike Gabriel <mike.gabriel at das-netzwerkteam.de>:
>>> Package: php-horde
>>> Version: 5.1.4+debian0-1
>>> To allow editing the Horde configuration administratively, two  
>>> files need to
>>> be present in /etc/horde/horde.
>>>   conf.php
>>>   conf.bak.php
>>> Both files have to be writable by user www-data.
>> I don't want this because this is a security hole IMO.
>> But, I welcome a patch to:
>> - create those files owned by root
>> - improve the documentation (README.Debian)
> Thinking a bit more. I propose to not create those 2 empty files. And
> to write a README.Debian file mentioning the three ways to configure
> Horde:
> - 1. Installaing a bundle [1] (php-horde-webmail or -groupware) and
> running the included script (webmail-install or groupware-), or

Will these scripts then provide the empty conf.*php files?

> - 2. configuring thru the web interface +  download + chown root + chmod

That is really awkward (copy+pasting conf files from the webbrowser to  
the file system).

> - 3. creating those 2 files + chown ww-data + configuring thru the  
> web interface

My favourite would be, to provide conf.php and conf.bak.php in the  
webmail-/groupware-install scripts. Actually, we could add a query if  
the admin wants to create those files or not.

What do you think?

> Mike, don't hesitate to directly commit to git.

I have just applied for membership in pkg-horde on Alioth.



mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-keys
Size: 7251 bytes
Desc: ?ffentlicher PGP-Schl?ssel
URL: <http://lists.alioth.debian.org/pipermail/pkg-horde-hackers/attachments/20131025/f8bfacde/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digitale PGP-Signatur
URL: <http://lists.alioth.debian.org/pipermail/pkg-horde-hackers/attachments/20131025/f8bfacde/attachment.sig>

More information about the pkg-horde-hackers mailing list