Your message dated Mon, 13 Aug 2018 23:10:27 -0400
with message-id <20180814031027.GD11378@i5>
and subject line 573320-done
has caused the Debian Bug report #573320,
regarding lighttpd: Don't run Lighttpd as www-data
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
573320: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573320
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lighttpd
Version: 1.4.26-1
Severity: wishlist
Hi,
Would it be possible to start FastCGI processes via spawn-fcgi and to run
Lighttpd as another user than www-data (maybe user lighttpd)?
I think this improves security as FastCGI processes can no longer touch
Lighttpd (and its log files).
Greetings,
Olaf
-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable'), (1, 'unstable'), (1, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages lighttpd depends on:
ii libattr1 1:2.4.43-2 Extended attribute shared library
ii libbz2-1.0 1.0.5-1 high-quality block-sorting file co
ii libc6 2.10.2-2 GNU C Library: Shared libraries
ii libfam0 2.7.0-13.3+lenny1 Client library to control the FAM
ii libldap-2.4-2 2.4.11-1+lenny1 OpenLDAP libraries
ii libpcre3 7.8-2+b1 Perl 5 Compatible Regular Expressi
ii libssl0.9.8 0.9.8k-7 SSL shared libraries
ii libterm-readline-perl- 1.0302-1 Perl implementation of Readline li
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii mime-support 3.44-1 MIME files 'mime.types' & 'mailcap
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages lighttpd recommends:
ii spawn-fcgi 1.6.2-3 A fastcgi process spawner
Versions of packages lighttpd suggests:
ii apache2-utils 2.2.9-10+lenny6 utility programs for webservers
ii openssl 0.9.8g-15+lenny6 Secure Socket Layer (SSL) binary a
pn rrdtool <none> (no description available)
-- no debconf information
--- End Message ---
--- Begin Message ---
Package: lighttpd
Tags: wontfix
Backend FastCGI servers could be started up by separate supervisors
and run as different users, all independently of lighttpd. lighttpd
can be configured to use those backends, even if lighttpd does not
start those backends.
The default user under which lighttpd starts is very unlikely to
change given the potential impact to existing users. There are simple
configuration changes that you can make to your lighttpd config if you
want to run different processes as different users, whether lighttpd,
or backends, or both.
The original reasons for filing this ticket include:
"I think this improves security as FastCGI processes can no longer touch
Lighttpd (and its log files)."
Related ticket:
lighttpd: /var/log/ligghtpd/*.log (sic) is readable by www-data
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=406338
--- End Message ---
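
An added example, not part of the bug report or of the lighttpd package: the two setups discussed in this thread as lighttpd config fragments, plus a check that flags backends lighttpd spawns itself, which therefore run under lighttpd's own uid. The `app` account, the socket paths and the php-cgi backend are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example; the "app" user, socket paths and php-cgi are assumptions.

# Before: lighttpd spawns the backend itself ("bin-path"), so the FastCGI
# process runs with lighttpd's uid (www-data on Debian) and can touch
# whatever that account can, including lighttpd's log files.
conf_shared() {
cat <<'EOF'
server.username = "www-data"
fastcgi.server = ( ".php" => ((
    "bin-path" => "/usr/bin/php-cgi",
    "socket"   => "/run/lighttpd/php.sock"
)))
EOF
}

# After: lighttpd only connects to an existing socket. The backend is
# started independently under its own account, for example (as root):
#   spawn-fcgi -u app -g app -s /run/app/php.sock -U www-data -M 0600 \
#              -- /usr/bin/php-cgi
# -u/-g set the backend's identity; -U/-M let only www-data connect.
conf_split() {
cat <<'EOF'
server.username = "www-data"
fastcgi.server = ( ".php" => ((
    "socket" => "/run/app/php.sock"
)))
EOF
}

# Read a lighttpd config on stdin and print each non-comment line that
# makes lighttpd spawn a backend. Exit status is 1 if any was found.
find_spawned_backends() {
    awk '
        /^[ \t]*#/ { next }
        /"bin-path"[ \t]*=>/ { print NR ": " $0; found = 1 }
        END { exit found ? 1 : 0 }
    '
}
```

To audit a real installation, feed it the merged configuration, for example `lighttpd -p -f /etc/lighttpd/lighttpd.conf | find_spawned_backends`.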