On 2012-04-20 14:37:11 +0000, Camaleón wrote:
> On Fri, 20 Apr 2012 01:50:29 +0200, Vincent Lefevre wrote:
> > On 2012-04-19 15:08:55 +0000, Camaleón wrote:
> >> >> I can be wrong but the bug seems aimed to correct the package which
> >> >> contains the file that enables the alias by default, hence the
> >> >> apache2 package.
> >> >
> >> > But the user isn't necessarily the administrator. If the admin
> >> > installs mod_php, making the bug appear if the user has added a
> >> > symlink to /usr/share/doc, that's very bad.
> >>
> >> Sure, but in such case the user (who is in charge of the "alias" for
> >> their domains) will have to manually make the required corrections and
> >> the same goes for the vhosts.
> >
> > Except that if the user doesn't do this, the same security problem will
> > occur.
>
> The user is the admin of his/her site and so the ultimately responsible for
> his/her site security.
What do you mean by site security? AFAIK, the problem is a *host*
security problem.

> >> There are times when a global solution can't be applied and this seems
> >> to be one of those situations.
> >
> > There is a better solution: to fix mod_php and mod_rivet.
>
> What's the fix you propose? I mean, what's what you think is wrong in
> these two packages? Fixing the sample scripts? Are these scripts poorly
> written and exposing flaws?

Your last questions make no sense. The sample scripts are *not* in these
two packages, but under /usr/share/doc! So, there is nothing to fix in
the sample scripts themselves. The fix should be in the two packages,
which shouldn't execute scripts stored in a random directory, i.e. the
scripts in /usr/share/doc should just be seen as text files. This should
be a bit like CGIs: they are executed only if the ExecCGI option has been
set on the directory.

-- 
Vincent Lefèvre <[email protected]> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Archive: http://lists.debian.org/[email protected]
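As an added illustration (not part of the thread, and not Debian's own configuration): the /doc/ alias under discussion, followed by a Directory block that switches off server-side execution so the shipped sample files are served as plain text, in the spirit of the ExecCGI comparison above. Apache 2.2 access-control syntax and the mod_php5 module name are assumptions.

```apache
# Constructed example: the /doc/ alias that exposes package documentation.
# On its own it only serves files, but once mod_php is loaded any *.php
# sample shipped under /usr/share/doc is executed instead of displayed.
Alias /doc/ "/usr/share/doc/"

<Directory "/usr/share/doc/">
    # No ExecCGI and no Includes: nothing in this tree should run
    # server-side, just as CGI scripts only run where ExecCGI is set.
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None

    # Apache 2.2 style: only local clients may browse the documentation.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128

    # Hardening for mod_php: turn the PHP engine off for this tree, so
    # sample scripts come back as text/plain rather than being run.
    # (mod_php5.c is the module name assumed here.)
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
</Directory>

# Caveat: <Directory> matches the path as mapped from the document root,
# not the symlink target, so a user symlink from a vhost docroot into
# /usr/share/doc is NOT covered by this block. That is the case raised in
# the thread, and it is why the argument is that the fix belongs in the
# script-executing modules rather than in the alias alone.
```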

