On Thursday 12 March 2015 10:45:59 Darac Marjal wrote:
> On Thu, Mar 12, 2015 at 09:07:12AM -0400, Gene Heskett wrote:
> > On Thursday 12 March 2015 08:44:40 David Guyot wrote:
> > > Hello.
> > >
> > > That's a good question you're asking here. I, too, think that an
> > > Apache update should correct this default parameter. Nevertheless,
> > > it's probably because it's just an Apache parameter, not an Apache
> > > fault as such, that this default config has not been changed; I
> > > would say this is not a priority for the Debian developers. The
> > > default Debian config is designed as a balance between safety and
> > > usability, not as a vault like OpenBSD: it will be safe in MOST
> > > situations, but not all of them. Besides, Debian being a general
> > > purpose distro, the developers are forced to make compromises on
> > > the default configuration to allow it to function relatively well
> > > in most cases. That's why it can include config choices which are
> > > not the best ones regarding security, but the best compromise
> > > between security and usability, and between the various use cases.
> > >
> > > Even if it is strongly recommended to disable SSLv3, for certain
> > > installations like the ones above, it is not necessary. Beyond
> > > that, even if the default Debian config is safe, it is relative:
> > > for example, its default OpenSSH server config allows root login
> > > and login using password, which is not recommended at all if you
> > > want a truly secured system, which is the case of most users with
> > > a publicly reachable Apache server: those ones are supposed to
> > > take care of their Apache config, the default one being designed
> > > not only for a publicly available website, but also for internal
> > > sites, such as an intranet or a test server.
> > >
> > > Hoping that I'm right on my interpretation of this Apache update
> > > lack,
> >
> > Considering that I _am_ running an apache server here, AND it faces
> > the world, this lack of a fix for POODLE, seems to be a serious lack
> > on the part of the apache people for not pushing a fix, with lots of
> > noise, or if it's available, a fairly serious screw you attitude on
> > the part of the debian folks in control of that. Strong language
> > maybe, but it needs to be said.
>
> Hang on. If you're aware of POODLE and you've not taken steps to
> mitigate it, aren't you the one at fault? I mean, yes, debian could
> put out a patch which changes the default settings but this probably
> won't affect vservers, or other configuration files stashed about the
> place.
>
> Perhaps people just need to be made more aware of robust SSL settings
> for apache: https://cipherli.st/
Going through that site's list for apache, the last 3 items aren't valid for
a 2.2 installation, so I left them out. Then restarted the server & went to
check the errors log, finding that I had insufficient perms set for several
files visible as grabbable stuff in a couple of my /opt/this and /opt/that
subdirs. I think I fixed those with a sudo chown or chmod as required.

However the log now shows this error, labelled crit. It may have been there
before. Yes, it was present when I rebooted Feb 27th.

[Thu Mar 12 13:32:11 2015] [error] (2)No such file or directory: Couldn't bind unix domain socket /var/log/httpd/${APACHE_RUN_DIR}/cgisock.23366
[Thu Mar 12 13:32:11 2015] [notice] Apache/2.2.22 (Debian) configured -- resuming normal operations
[Thu Mar 12 13:32:11 2015] [info] Server built: Dec 27 2014 21:24:43
[Thu Mar 12 13:32:11 2015] [debug] worker.c(1757): AcceptMutex: sysvsem (default: sysvsem)
[Thu Mar 12 13:32:11 2015] [crit] cgid daemon failed to initialize

I am not familiar enough with unix domain sockets to know how to fix this.
I am assuming that it is because there is not an ${APACHE_RUN_DIR} defined
according to a root env dump. But that probably was not the right $USER, so
where would this be defined and exported from?

Now, for the heck of it, I just toured my own site, at localhost:6309/gene,
and every link in it works. I am tempted to take that back out of
mods-enabled. Does anybody have a good reason why I should not expunge that
module?

Cheers,
Gene Heskett
--
"There are four boxes to be used in defense of liberty: soap, ballot, jury,
and ammo. Please use in that order." -Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

Archive: https://lists.debian.org/201503121607.36207.ghesk...@wdtv.com
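Two things in the exchange above come down to checking what the Apache 2.2 configuration files on disk actually say: Darac's point that a Debian-pushed default change would not reach vservers or other config files stashed about the place, and the literal `${APACHE_RUN_DIR}` sitting inside the socket path in Gene's log. The script below is an added example written for this page; it is not code from the thread, from cipherli.st or from Debian's apache2 package. It evaluates each `SSLProtocol` directive the way mod_ssl processes its tokens (left to right; `-X` clears X, `+X` adds X, a bare token replaces the whole set, and `all` includes SSLv3) and lists every `${NAME}` a config file references that an envvars file does not `export`. The file names and contents are constructed for illustration. That Debian's apache2ctl and init script obtain APACHE_RUN_DIR by sourcing /etc/apache2/envvars, so a server started some other way sees it undefined, is assumed from the packaging and is not stated in the thread; what the thread does show is the unexpanded name ending up in the path.

```shell
#!/bin/sh
# Added example (not from the thread): audit Apache 2.2 config text for
#  (1) SSLProtocol directives that still leave SSLv3 enabled (POODLE), and
#  (2) ${NAME} references that an envvars file does not export, which is how
#      a literal "${APACHE_RUN_DIR}" can end up inside a socket path.
set -f   # no globbing while we word-split config lines below

# sslv3_enabled ARGS... : evaluate one SSLProtocol argument list with mod_ssl's
# token rules: processed left to right, "-X" clears X, "+X" adds X, a bare
# token replaces the set, "all" means every protocol (SSLv3 included).
# Prints "yes" or "no".
sslv3_enabled() {
    state=no
    for tok in "$@"; do
        lc=$(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]')
        case "$lc" in
            -sslv3|-all)  state=no ;;
            +sslv3|+all)  state=yes ;;
            sslv3|all)    state=yes ;;   # bare token replaces the whole set
            -*|+*)        ;;             # +/- of another protocol leaves SSLv3 alone
            *)            state=no ;;    # bare other protocol replaces the set
        esac
    done
    printf '%s\n' "$state"
}

# audit_ssl_protocol FILE : print a verdict for every SSLProtocol directive in
# FILE; return 1 if any of them leaves SSLv3 enabled, 0 otherwise. A file with
# no directive inherits the server-wide setting (compiled-in default "all").
audit_ssl_protocol() {
    file=$1 found=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop trailing comment
        set -- $line                     # split into directive + arguments
        [ $# -ge 1 ] || continue
        [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = sslprotocol ] || continue
        found=1; shift
        verdict=$(sslv3_enabled "$@")
        printf '%s: SSLProtocol %s -> SSLv3 %s\n' "$file" "$*" "$verdict"
        [ "$verdict" = no ] || bad=1
    done < "$file"
    [ $found -eq 1 ] || printf '%s: no SSLProtocol; inherits server setting (default "all" includes SSLv3)\n' "$file"
    return $bad
}

# undefined_config_vars CONFIG ENVVARS : print each ${NAME} referenced in CONFIG
# for which ENVVARS has no "export NAME=" line. Gene's log shows what happens
# when such a name is not in the server's environment: the text stays in the
# path literally ("/var/log/httpd/${APACHE_RUN_DIR}/cgisock.23366").
undefined_config_vars() {
    refs=$(grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' "$1" | tr -d '${}' | sort -u)
    for name in $refs; do
        grep -q "^export $name=" "$2" || printf '%s\n' "$name"
    done
}

# --- demo on constructed sample files (hypothetical names, not a real server) ---
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/weak-ssl.conf" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2          # pre-POODLE style: SSLv3 still on
</VirtualHost>
EOF
    cat > "$tmp/hardened-ssl.conf" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3   # SSLv3 off
    SSLHonorCipherOrder on
</VirtualHost>
EOF
    printf 'ScriptSock ${APACHE_RUN_DIR}/cgisock\n' > "$tmp/cgid.conf"
    printf 'export APACHE_RUN_USER=www-data\nexport APACHE_PID_FILE=/var/run/apache2.pid\n' > "$tmp/envvars"

    for f in "$tmp/weak-ssl.conf" "$tmp/hardened-ssl.conf"; do
        audit_ssl_protocol "$f" || echo "  -> SSLv3 still enabled in $f"
    done
    echo "referenced but not exported by envvars:"
    undefined_config_vars "$tmp/cgid.conf" "$tmp/envvars"
    rm -rf "$tmp"
}
demo
```

Run `audit_ssl_protocol` over every file under the Apache config tree, not only the main one: a vhost's own `SSLProtocol` overrides the server-wide directive, which is exactly why a changed package default would not have helped the "vservers" Darac mentions. `undefined_config_vars` only tells you which names the running server must have in its environment; whether they are there depends on how the server was started, which is a separate check.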