[Pkg-nagios-devel] Bug#830941: Bug#830941: icingaweb2: don't mangle around in the Apache configs

Markus Frosch lazyfrosch at debian.org
Mon Jul 18 08:00:05 UTC 2016


On 13.07.2016 05:28, Christoph Anton Mitterer wrote:
> The postinst of this package automatically enables some
> config snippets as well as some modules.
> 
> Please don't do that, not only has it the simple potential
> to break existing setups but also to introduce security holes.
> 
> 
> In general it's already a bad idea if an apache module package
> enables its own module (i.e. a2enmod).
> It may not be configured, and depending on the layout of the
> apache configuration loading it in general may not be desired
> but e.g. rather for specific sites only.
> When some 3rd party package enables another module that's IMHO
> even worse.
> 
> mod_rewrite may easily introduce security issues or simply be
> undesired in some sites running on a node (and icingaweb2 may
> not be the only one).
> 
> 
> Similarly, enabling /etc/apache2/conf-available/icingaweb2.conf
> shouldn't be done either.
> AFAICS, it's not even enforcing SSL.
> It further cannot be assumed that the URL space / isn't already
> used somehow (e.g. via other generic rewritings) and it should
> be the user who decides whether he wants to make Icinga Web 2
> to /icingaweb2.
> 
> 
> 
> I think a good alternative would be simply to document in
> README.Debian which modules are required and that there is
> an out-of-the box config snippet (icingaweb2.conf) which people
> could either use directly or integrate into their more powerful
> setup.
> Alternatively one could use debconf to at least ask whether
> that auto-configuration should be done.
> 
> I think that would be still easy for people to get it running
> while not possibly breaking more advanced setups or even
> automatically "starting" Icinga Web2 in a fashion that is not
> as tightly locked down as the site would want it.

I don't get your point here...

It's common practice in Debian to enable the daemon / configure the application, so it runs after installation.

Or at least gives you an easy way to let you set it up.

SSL is user choice and responsibility, there are hundreds of ways to configure it. (Redirect all, only some...)

The user has always the choice to change configuration afterwards, without the package to overwrite that.

Cheers
Markus Frosch
-- 
markus at lazyfrosch.de / lazyfrosch at debian.org
http://www.lazyfrosch.de
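
Added example, not part of the original thread or of the icingaweb2 package: a shell check an administrator could run against a Debian-layout Apache config tree to see whether the state discussed above is present (rewrite module enabled, icingaweb2.conf enabled, no TLS enforcement inside the snippet). The function names, the sample tree and the snippet contents are constructed for illustration, and the TLS test is a heuristic that looks only inside the snippet itself.

```shell
#!/bin/sh
# Added example: audit a Debian-layout Apache config tree for the state
# discussed in this thread. Prints one finding per line, nothing if clean.
audit_apache_root() {
    root=$1

    # "a2enmod rewrite" leaves mods-enabled/rewrite.load behind (server-wide).
    if [ -e "$root/mods-enabled/rewrite.load" ]; then
        echo "mod_rewrite is enabled server-wide"
    fi

    conf="$root/conf-enabled/icingaweb2.conf"
    if [ -e "$conf" ]; then
        echo "icingaweb2.conf is enabled globally (conf-enabled)"
        # Heuristic: the snippet carries neither SSLRequireSSL nor a
        # redirect/rewrite to https. TLS enforced elsewhere (for example in
        # a vhost) is not visible to this check.
        if ! grep -Eiq '^[[:space:]]*(SSLRequireSSL|Redirect[^#]*https://|RewriteRule[^#]*https://)' "$conf"; then
            echo "icingaweb2.conf does not enforce TLS by itself"
        fi
    fi
}

# Constructed sample tree (not the package's real files) so the check can
# be tried offline. Prints the path of the temporary directory it creates.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/mods-enabled" "$d/conf-enabled"
    : > "$d/mods-enabled/rewrite.load"
    printf '%s\n' 'Alias /icingaweb2 "/srv/example/public"' \
        '<Directory "/srv/example/public">' \
        '    RewriteEngine on' \
        '</Directory>' > "$d/conf-enabled/icingaweb2.conf"
    echo "$d"
}

sample=$(make_sample_root)
audit_apache_root "$sample"
rm -rf "$sample"
```

On a real host the call would be `audit_apache_root /etc/apache2`.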
