Subject: apache2-suexec: Should not set document root to /var/www - violates the FHS

Package: apache2-suexec
Version: 2.2.14-2
Justification: Policy 9.1.1
Severity: serious

Hi,

apache2-suexec is built with the following configure option:

--with-suexec-docroot=/var/www

This is not one of the /var directories in the File Hierarchy Standard and is under the control of the local administrator. Packages should not assume that it is the document root for a web server; it is very common for users to change the default document root and packages should not assume that users will keep any particular setting.

Even http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-web-appl, which suggests /var/www should be used if **unavoidable**, states that this place can be a symlink to the location where the system administrator has put the real document root. If I am right, suexec doesn't allow symlinks for security reasons.

Please also see the discussion at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553498 which explains why I open this bug.

Cheers,
Julien

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
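
An added example, not part of the original report and not Debian's or Apache's code: a shell check an administrator could use to see which configured document roots fall outside the docroot compiled into suexec. The function names are hypothetical, the `suexec -V` output is a constructed sample, and the comparison is purely lexical, so paths are assumed to be given with symlinks already resolved.

```shell
#!/bin/sh
# Added example: compare configured DocumentRoot values against the
# docroot compiled into suexec (--with-suexec-docroot).

# Constructed sample of `suexec -V` output (not captured from a real host).
SAMPLE_SUEXEC_V=' -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"'

# Read `suexec -V` output on stdin and print the compiled-in docroot.
# On a live system: suexec -V 2>&1 | suexec_docroot
# (suexec only answers -V for root or the httpd user; binary path varies).
suexec_docroot() {
    sed -n 's/^[[:space:]]*-D AP_DOC_ROOT="\(.*\)"[[:space:]]*$/\1/p' | head -n 1
}

# Return 0 if path $2 equals docroot $1 or lies beneath it.
# Whole path components are compared, so /var/www2 is NOT under /var/www.
under_docroot() {
    _root=${1%/}
    _path=${2%/}
    case "$_path/" in
        "$_root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every candidate DocumentRoot ($2...) that is outside docroot $1.
# CGI programs under these directories fall outside the compiled-in docroot.
outside_docroots() {
    _compiled=$1
    shift
    for _d in "$@"; do
        under_docroot "$_compiled" "$_d" || printf '%s\n' "$_d"
    done
}

# Demo on the constructed sample: only /srv/web is reported.
outside_docroots "$(printf '%s\n' "$SAMPLE_SUEXEC_V" | suexec_docroot)" \
    /var/www/site /srv/web
```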