severity 555129 wishlist
severity 553498 wishlist
thanks

On Sunday 08 November 2009, Julien Valroff wrote:
> This is not one of the /var directories in the File Hierarchy
> Standard and is under the control of the local administrator.

Manoj, both apache2-suexec and dspam-webfrontend are following the policy's recommendation. How can this be a serious bug?

> Even
> http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-web-appl,
> which suggests /var/www should be used if **unavoidable**, states
> that this place can be a symlink to the location where the system
> administrator has put the real document root. If I am right, suexec
> doesn't allow symlinks for security reasons.

Suexec should work fine if /var/www itself is a symlink.

I completely agree that the current situation is not optimal. But I don't see a better choice for the suexec document root. Of course, any alternative must not introduce local privilege escalation vulnerabilities (like using "/" does).

Cheers,
Stefan