[Pkg-nagios-devel] Bug#831787: Bug#831787: icingaweb2-common: please don't unconditionally re-add www-data to icingaweb2 on upgrades
formorer at debian.org
Tue Jul 19 13:01:08 UTC 2016
On Tue, 19 Jul 2016, Christoph Anton Mitterer wrote:
> Package: icingaweb2-common
> Version: git master
> Severity: wishlist
> Tags: security
> I've seen that with commit a7f069b24a2da4bd48f60899b252dfb32079edc6
> the user www-data will be readded to the group icingaweb2
> on every package configure, which AFAIU also includes updates.
> Could you please either
> - don't do this at all (since it's be no means sure that www-data
> actually needs or should have access to icingaweb2 content)
As I already told you it is needed.
> - at least do it only once on the original installation?
> This would make leave the setup with the mod_php SAPI continue to
> work out of the box, while not interfering with the setups of
> people which deliberately choose to remove www-data from icingaweb2.
> This makes especially sense in order to not grant anything running in
> the webserver's context access to the whole Icinga Web 2 configuration
> which likely includes passwords to databases, or e.g. SSH keys.
That should be possible.
More information about the Pkg-nagios-devel