[Pkg-nagios-devel] Bug#830941: icingaweb2: don't mangle around in the Apache configs

Christoph Anton Mitterer calestyo at scientia.net
Wed Jul 13 03:28:08 UTC 2016


Source: icingaweb2
Version: 2.3.4-1
Severity: normal
Tags: security


Hi.

The postinst of this package automatically enables some
config snippets as well as some modules.

Please don't do that: not only does it have the simple potential
to break existing setups, but also to introduce security holes.


In general it's already a bad idea if an apache module package
enables its own module (i.e. a2enmod).
It may not be configured, and depending on the layout of the
apache configuration, loading it in general may not be desired,
but e.g. rather for specific sites only.
When some 3rd party package enables another module that's IMHO
even worse.

mod_rewrite may easily introduce security issues or simply be
undesired in some sites running on a node (and icingaweb2 may
not be the only one).


Similarly, enabling /etc/apache2/conf-available/icingaweb2.conf
shouldn't be done either.
AFAICS, it's not even enforcing SSL.
It further cannot be assumed that the URL space / isn't already
used somehow (e.g. via other generic rewritings) and it should
be the user who decides whether he wants to make Icinga Web 2
to /icingaweb2.



I think a good alternative would be simply to document in
README.Debian which modules are required and that there is
an out-of-the-box config snippet (icingaweb2.conf) which people
could either use directly or integrate into their more powerful
setup.
Alternatively one could use debconf to at least ask whether
that auto-configuration should be done.

I think that would still be easy for people to get it running
while not possibly breaking more advanced setups or even
automatically "starting" Icinga Web 2 in a fashion that is not
as tightly locked down as the site would want it.


Cheers,
Chris.


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
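The following is an added example of the debconf-gated approach the report suggests; it is not the icingaweb2 package's actual maintainer script. It assumes a hypothetical debconf question named icingaweb2/apache-autoconfig (which a matching config script would have asked), and it only enables the module and snippet when the admin opted in and when conf-enabled/icingaweb2.conf is not already something the admin put there themselves. The decision logic is kept in small functions so it can be checked without Apache installed.

```shell
#!/bin/sh
# Hypothetical postinst fragment (added example, not the real icingaweb2 postinst).
# Apache is only touched when the admin answered "true" to the assumed debconf
# question icingaweb2/apache-autoconfig, and never by overwriting an existing
# conf-enabled entry that a2enconf did not create.
set -e

APACHE_DIR="${APACHE_DIR:-/etc/apache2}"
SNIPPET="icingaweb2"

# Report what conf-enabled/<name>.conf currently is:
#   absent  - nothing there, safe to enable
#   enabled - the relative symlink a2enconf creates already exists
#   foreign - a real file, or a symlink pointing elsewhere (the admin's own setup)
apache_conf_state() {
    dir="$1"; name="$2"
    target="$dir/conf-enabled/$name.conf"
    if [ ! -e "$target" ] && [ ! -L "$target" ]; then
        echo absent
    elif [ -L "$target" ] && [ "$(readlink "$target")" = "../conf-available/$name.conf" ]; then
        echo enabled
    else
        echo foreign
    fi
}

# Succeeds only on an explicit opt-in; an empty or unknown answer means "no".
wants_apache_autoconfig() {
    case "$1" in
        true|yes) return 0 ;;
        *)        return 1 ;;
    esac
}

# Decide the action without performing it. Prints one of:
#   decline - admin declined (or never answered); point them at README.Debian
#   enable  - run a2enmod rewrite / a2enconf icingaweb2
#   already - a2enconf symlink exists, nothing to do
#   foreign - admin has their own conf-enabled entry; leave it untouched
plan_apache_action() {
    answer="$1"; dir="$2"
    if ! wants_apache_autoconfig "$answer"; then
        echo decline
        return 0
    fi
    case "$(apache_conf_state "$dir" "$SNIPPET")" in
        absent)  echo enable ;;
        enabled) echo already ;;
        *)       echo foreign ;;
    esac
}

# Real postinst entry point: only reached when dpkg calls "postinst configure".
if [ "${1:-}" = "configure" ] && [ -f /usr/share/debconf/confmodule ]; then
    . /usr/share/debconf/confmodule
    RET=false
    db_get icingaweb2/apache-autoconfig || true   # assumed question name
    case "$(plan_apache_action "$RET" "$APACHE_DIR")" in
        enable)
            if command -v a2enmod >/dev/null 2>&1 && command -v a2enconf >/dev/null 2>&1; then
                a2enmod -q rewrite
                a2enconf -q "$SNIPPET"
            fi ;;
        foreign)
            echo "icingaweb2: $APACHE_DIR/conf-enabled/$SNIPPET.conf is not managed by a2enconf; left untouched" >&2 ;;
        *)
            echo "icingaweb2: Apache not auto-configured; see README.Debian" >&2 ;;
    esac
fi
```

Checking for the exact relative symlink that a2enconf writes is what distinguishes "already enabled by the package" from "the admin wired this up by hand"; the latter must survive an upgrade, which is the breakage the report is worried about.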


