Christoph Anton Mitterer wrote on Wednesday, 15 February 2012:
> Package: icinga-cgi
> Version: 1.6.1-2
> Severity: wishlist
>
>
> Hi.
>
> Icinga seems to have several user/groupnames hardcoded.
> --with-icinga-user=nagios
> --with-icinga-group=nagios
> --with-command-user=nagios
> --with-command-group=nagios
> --with-web-user=www-data
> --with-web-group=www-data
>
> (and yes I know about dpkg-statoverride :-P)
>
>
> Some things I've noticed:
> a) Why are the icinga user/group and command user/group the same?
> Don't we miss privilege separation by this?

?

>
> I haven't checked yet whether this sets just some config defaults or not...
> have you an idea? I mean can it easily be changed?
> (Actually I must admit, that I don't know (yet) what the command user is used
> for).

?
Sorry, I don't understand what you want.

> b) web user / www-data
> While this is good for works-out-of-the-box(TM) it's bad for security
> (no privilege separation, which can be easily done by mod_suexec, or fastcgi).
> As far as I can see (tell me if I'm wrong) this is _ONLY_ used in:
> debian/rules: chgrp www-data ${b}/icinga-common/var/cache/icinga
> debian/rules: chown root:www-data ${b}/icinga-common/var/lib/icinga/rw
>
> So couldn't we make this configurable via debconf?! I.e. defaulting to
> www-data
> but giving the user the choice to use something different?

Nope. Running apache as anything else than www-data is not really supported.
This package is designed to work out of the box and not to do debconf abusing.

Alex