Mike O'Connor wrote:
> Package: horde3
> Version: 3.0.5-1
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> In the README.Debian, in section 6, it is recommended that the end
> user executes:
> 
>          chown root.www config/*
>          chmod 0440 config/*
> 
> because "Some of Horde's configuration files contain passwords which
> local users could use to access your database".
> 
> This is something that should be done by the maintainer scripts and not
> left up to the end user to do.

Hi Mike,

this is done for security reasons (don't let someone configure horde who
points his / her browser to www.example.com/horde; this should only
happen if YOU want this). Browse the BTS archive of horde3, I think I've
submitted something similar a few months ago.

bye, Martin

-- 

Powered by Debian GNU / Linux
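
One way to check whether a config directory already matches the ownership and mode quoted from README.Debian above, as an added example that is not part of the thread or of the horde3 package. The function name and finding labels are hypothetical, and GNU coreutils `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit config files against the README.Debian
# recommendation quoted in the report (chown root.www, chmod 0440).
# Assumes GNU coreutils stat (as on Debian).

# audit_config_perms DIR OWNER GROUP
# Prints "<finding> <path>" for each problem; returns 1 if any was found.
audit_config_perms() {
    dir=$1 owner=$2 group=$3 bad=0
    # Same file set as the README's "config/*" glob (no dotfiles).
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -L -c '%a' "$f")     # octal mode, e.g. 440
        fowner=$(stat -L -c '%U' "$f")   # owner name
        fgroup=$(stat -L -c '%G' "$f")   # group name
        case $mode in
            # Last octal digit non-zero: any local user has access, which
            # is the password exposure the README warns about.
            *[1-7]) echo "world-accessible $f"; bad=1 ;;
            440)    ;;
            # Anything else (writable, setuid bits, ...) is not 0440.
            *)      echo "mode-not-0440 $f"; bad=1 ;;
        esac
        if [ "$fowner" != "$owner" ]; then
            echo "owner-not-$owner $f"; bad=1
        fi
        if [ "$fgroup" != "$group" ]; then
            echo "group-not-$group $f"; bad=1
        fi
    done
    return "$bad"
}

# Usage with the values from the report:
#   audit_config_perms /path/to/horde3/config root www
```

The non-zero return status lets the check run from a cron job or a package test without parsing the output.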
