[pkg-lighttpd] Bug#600050: Bug#600050: /etc/lighttpd/conf-available/15-fastcgi-php.conf: fastcgi-php file missing a required directive

Arno Töll debian at toell.net
Thu Apr 7 14:33:04 UTC 2011


On 07.04.2011 15:47, Olaf van der Spek wrote:
> How does my approach require someone to read the manual?

It doesn't. The fact is, the problem exists because people don't read
manuals :)

> How is a loaded but unconfigured module a security threat?

Well you don't know. Isn't that the reason why vulnerabilities do exist?
Note, I don't say it /is/ a threat, I say it /could/ be a threat. Think
of unwanted code execution by passing some obscure requests just because
the module hooks into the usual processing when enabled.

This may or may not be feasible within the particular Lighttpd
implementation; that's not my point, see below.

> I'm not assuming it's used by everyone, but I am assuming it's used by
> a majority.

I say we should not enable a module that is not required to provide core
functionality. It is fine to load them if they are fundamentally
required. It is the responsibility of you, being a package maintainer, to
make sure the out-of-the-box configuration is inherently safe (and sane),
i.e. it does not put up with unwanted (and unneeded) risks.

Alternatives would include extracting the FastCGI module (and
configuration) from the core package and enabling it by a postinst hook
when installed. In that case one could assume the user actually wants
FastCGI to be enabled, maybe even with a debconf hook asking which
script language interpreter the user wants configuration enabled for (PHP,
Python, Perl, ...), although currently only a PHP-ready configuration is
shipped and others might be a bit more complicated.

-- 
with kind regards,
Arno Töll
GnuPG Key-ID: 0x8408D4C4
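One defender-side check for the "loaded but unconfigured module" condition the thread argues about, as an added example that is not part of this thread or of the lighttpd package: it scans a constructed Debian-style conf-enabled tree and reports modules that appear in server.modules without any directive of their own (the module-to-directive-prefix mapping and the sample files are assumptions).

```python
import re

# Constructed sample of a conf-enabled tree (not taken from the bug report):
# mod_fastcgi is loaded, but no fastcgi.* directive configures it.
SAMPLE_CONFIGS = {
    "conf-enabled/10-fastcgi.conf": 'server.modules += ( "mod_fastcgi" )\n',
    "conf-enabled/10-cgi.conf":
        'server.modules += ( "mod_cgi" )\n\ncgi.assign = ( ".pl" => "/usr/bin/perl" )\n',
    "conf-enabled/15-fastcgi-php.conf":
        '## sample 15-fastcgi-php.conf with the fastcgi.server block left out\n',
}

# Assumed mapping: the directive prefix each module's configuration uses.
MODULE_DIRECTIVE = {"mod_fastcgi": "fastcgi.", "mod_cgi": "cgi.", "mod_proxy": "proxy."}

# Matches both `server.modules = ( ... )` and `server.modules += ( ... )`,
# including lists that span several lines.
MODULE_RE = re.compile(r'server\.modules\s*\+?=\s*\(([^)]*)\)')


def strip_comments(text):
    """Drop `#` comments; good enough for config files without '#' in strings."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def loaded_modules(configs):
    """Every mod_* name pulled into server.modules across all files."""
    mods = set()
    for text in configs.values():
        for group in MODULE_RE.findall(strip_comments(text)):
            mods.update(re.findall(r'"([^"]+)"', group))
    return mods


def configured_modules(configs):
    """Modules for which at least one of their own directives is set."""
    conf = set()
    text = strip_comments("\n".join(configs.values()))
    for mod, prefix in MODULE_DIRECTIVE.items():
        if re.search(r'(?m)^\s*' + re.escape(prefix) + r'\w+\s*=', text):
            conf.add(mod)
    return conf


def unconfigured_modules(configs):
    """Loaded but never configured: the hook-in-without-a-purpose case."""
    return sorted(loaded_modules(configs) - configured_modules(configs))
```

Run it over a real tree by reading each conf-enabled/*.conf file into the dict; a non-empty result is a module that hooks into request processing without a configured job.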