[Secure-testing-team] Bug#831787: icingaweb2-common: please don't unconditionally re-add www-data to icingaweb2 on upgrades

Christoph Anton Mitterer calestyo at scientia.net
Tue Jul 19 12:52:25 UTC 2016


Package: icingaweb2-common
Version: git master
Severity: wishlist
Tags: security


Hi.

I've seen that with commit a7f069b24a2da4bd48f60899b252dfb32079edc6
the user www-data will be re-added to the group icingaweb2
on every package configure, which AFAIU also includes updates.

Could you please either
- not do this at all (since it's by no means sure that www-data
  actually needs or should have access to icingaweb2 content)
or
- at least do it only once on the original installation?
  This would let the setup with the mod_php SAPI continue to
  work out of the box, while not interfering with the setups of
  people who deliberately choose to remove www-data from icingaweb2.
  This especially makes sense in order to not grant anything running in
  the webserver's context access to the whole Icinga Web 2 configuration,
  which likely includes passwords to databases, or e.g. SSH keys.


Best wishes,
Chris.
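
The second option requested above, sketched as a maintainer-script fragment. This is an added example, not part of the original message and not the package's own postinst. It assumes the standard dpkg calling convention "postinst configure <old-version>", where the old version is empty on a first installation. The function names and the RUN dry-run hook are hypothetical.

```shell
#!/bin/sh
# Added sketch: grant the web server user group access only on first install.
# Assumption: dpkg passes an empty <old-version> to "postinst configure" when
# the package has never been configured before (or was purged).

WEB_USER="www-data"
WEB_GROUP="icingaweb2"

# Print "add" on a first configuration, "skip" on upgrades and other actions.
group_decision() {
    action="$1"
    old_version="$2"
    if [ "$action" = "configure" ] && [ -z "$old_version" ]; then
        echo "add"
    else
        echo "skip"
    fi
}

# Apply the decision. RUN (hypothetical) defaults to "echo", i.e. a dry run;
# a real postinst would call adduser directly.
apply_group_decision() {
    if [ "$(group_decision "$1" "$2")" = "add" ]; then
        ${RUN:-echo} adduser --quiet "$WEB_USER" "$WEB_GROUP"
    else
        # An admin who removed the user from the group keeps that choice.
        echo "leaving membership of $WEB_GROUP untouched"
    fi
}

# Constructed invocations: a fresh install, then an upgrade from a
# made-up previous version string.
apply_group_decision configure ""
apply_group_decision configure "2.3.4-1"
```

To check afterwards whether the membership is currently present, `id -nG www-data` lists the groups of the web server user.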


