[pkg-horde] Bug#726187: Provide empty conf.php and conf.bak.php (writeable for www-data)
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Fri Oct 25 07:24:28 UTC 2013

Hi Mathieu,

On Wed 23 Oct 2013 15:37:46 CEST, Mathieu Parent wrote:

> 2013/10/22 Mathieu Parent <math.parent at gmail.com>:
>> Control: tag -1 + wontfix
>>
>> 2013/10/13 Mike Gabriel <mike.gabriel at das-netzwerkteam.de>:
>>> Package: php-horde
>>> Version: 5.1.4+debian0-1
>>>
>>> To allow editing the Horde configuration administratively, two files need to
>>> be present in /etc/horde/horde.
>>>
>>> conf.php
>>> conf.bak.php
>>>
>>> Both files have to be writable by user www-data.
>>
>> I don't want this because this is a security hole IMO.
>>
>> But, I welcome a patch to:
>> - create those files owned by root
>> - improve the documentation (README.Debian)
>
> Thinking a bit more. I propose to not create those 2 empty files. And
> to write a README.Debian file mentioning the three ways to configure
> Horde:
> - 1. Installing a bundle [1] (php-horde-webmail or -groupware) and
> running the included script (webmail-install or groupware-), or

Will these scripts then provide the empty conf.*php files?

> - 2. configuring thru the web interface + download + chown root + chmod

That is really awkward (copy+pasting conf files from the web browser to
the file system).

> - 3. creating those 2 files + chown www-data + configuring thru the
> web interface
>

My favourite would be to provide conf.php and conf.bak.php in the
webmail-/groupware-install scripts. Actually, we could add a query if
the admin wants to create those files or not.

What do you think?

> Mike, don't hesitate to directly commit to git.

I have just applied for membership in pkg-horde on Alioth.

Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
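
The thread turns on whether conf.php and conf.bak.php should be writable by www-data. As an added example (not part of the original message or of the Debian packaging), this shell function reports whether those two files, or the directory holding them, can be modified by the web server account. The function name audit_horde_conf and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example: audit a Horde config directory for files the web server
# account could modify. Assumes GNU stat (as on Debian); the function name
# audit_horde_conf is hypothetical.

# Usage: audit_horde_conf DIR [WEBUSER]
# Prints "<reason> <path>" for each path WEBUSER can change; prints nothing
# when the directory and both files are out of WEBUSER's reach.
audit_horde_conf() {
    dir=$1
    web=${2:-www-data}
    # Groups of the web user; empty if the account does not exist here.
    web_groups=" $(id -Gn "$web" 2>/dev/null || true) "
    # The directory is checked too: write access to it allows replacing
    # conf.php even when the file itself is read-only.
    for f in "$dir" "$dir/conf.php" "$dir/conf.bak.php"; do
        [ -e "$f" ] || continue
        owner=$(stat -c %U "$f")
        group=$(stat -c %G "$f")
        mode=$(stat -c %a "$f")      # octal permission bits, e.g. 644
        if [ "$owner" = "$web" ]; then
            # An owner can always chmod the file back to writable.
            echo "owned-by-web-user $f"
        elif [ $(( 0$mode & 0002 )) -ne 0 ]; then
            echo "world-writable $f"
        elif [ $(( 0$mode & 0020 )) -ne 0 ] &&
             case "$web_groups" in *" $group "*) true ;; *) false ;; esac
        then
            echo "group-writable $f"
        fi
    done
}
```

On a Debian host this would be called as `audit_horde_conf /etc/horde/horde www-data`; empty output corresponds to the root-owned setup, any output to the www-data-writable one.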