Hi Luigi,

You've convinced me when you say it like that :-)

Let's close this bug and have a good weekend.

Kyle :-)

On Wednesday 28 November 2007 00:39:11 Luigi Gangitano wrote:
> Hi Kyle,
> let's make some analysis and maybe we'll agree on agreeing. :-)
>
> - Drupal has its own view of virtual hosting (sites). Each site has
> to be configured with files in different directives. If no site is
> configured the default configuration applies to all sites. So you
> don't really have all sites vulnerable with the default Debian
> install. You just have one site that is available on different virtual
> hosts (www.foo.com/drupal5 is just the same as www.bar.com/drupal5).
> There is no vulnerability multiplication.
>
> - Virtual hosting itself is not a secure way to separate 'data
> domains'. Since all virtual hosts run in the same webserver process
> with the same rights, exploiting a hole in one virtual host usually
> leads to access to all other virtual hosts. Obviously this is true only
> for serious holes. Trivial holes like SQL injection only apply to the
> single webapp database. See previous point for this: if drupal5 is
> vulnerable to SQL injection the default Debian install will only make
> the single site vulnerable. On the other hand, if the vulnerability
> leads to file system access or, worse, to arbitrary code execution,
> other virtual hosts will not be protected in any way.
>
> So again this is, as usual, a compromise between security and
> ease-of-use. I choose not to provide any third-party module for drupal
> in the Debian package, avoiding security issues in those modules. At
> the same time I choose to make it easy for inexperienced people to set
> up a drupal site, as experienced admins would always know how to trim
> access down to their own needs. The same choice applies to many other
> packages in Debian (think phpmyadmin, phppgadmin, acidbase and any
> package using wwwconfig-common).
>
> Hope I could make it more clear to you.
> :-)
>
> Regards,
>
> L
>
> --
> Luigi Gangitano -- <[EMAIL PROTECTED]> -- <[EMAIL PROTECTED]>
> GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
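As an added illustration of the trade-off discussed in the thread (this is example configuration written for this page, not the Debian drupal5 package's actual shipped Apache snippet, which the thread does not reproduce): an `Alias` placed at server scope is inherited by every virtual host, so the one Drupal tree answers under every name the server serves; an admin who wants to "trim access down" moves the same `Alias` into the single `<VirtualHost>` that should expose it. The paths, hostnames and Apache 2.4 `Require` syntax are assumptions.

```apache
# Added example, not the Debian drupal5 package's own configuration.
# Paths and hostnames are assumed. Use section (a) OR section (b),
# not both: the <Directory> blocks would otherwise merge and the
# last one loaded would win.

# ---- (a) package-style default: one site, reachable on every name ----
# A server-scope Alias is inherited by all virtual hosts, so
# http://www.foo.com/drupal5 and http://www.bar.com/drupal5 both
# serve the same tree (one site on many names, not many sites).
Alias /drupal5 /usr/share/drupal5
<Directory /usr/share/drupal5>
    Options +FollowSymLinks
    AllowOverride All
    Require all granted      # Apache 2.4; 2.2 would use Order/Allow
</Directory>

# ---- (b) trimmed by the admin: exposed on one name only ----
# Deny the tree at server scope, then grant it only inside the vhost
# that is meant to serve Drupal. Other names on the same server get
# a 404 (or 403) for /drupal5 instead of the application.
<Directory /usr/share/drupal5>
    Require all denied
</Directory>

<VirtualHost *:80>
    ServerName www.foo.com
    Alias /drupal5 /usr/share/drupal5
    <Directory /usr/share/drupal5>
        Options +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.bar.com
    DocumentRoot /var/www/bar
    # No Alias here: /drupal5 is not served under this name.
</VirtualHost>
```

Section (b) changes reachability only. All the virtual hosts in either layout still run in the same Apache worker processes under the same uid, so Luigi's second point is unaffected: a file-system or code-execution hole reached through www.foo.com can still touch www.bar.com's files, and the `<VirtualHost>` boundary is not a privilege boundary.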

