[Pkg-nagios-devel] Bug#831787: Bug#831787: icingaweb2-common: please don't unconditionally re-add www-data to icingaweb2 on upgrades

Alexander Wirt formorer at debian.org
Tue Jul 19 13:01:08 UTC 2016

On Tue, 19 Jul 2016, Christoph Anton Mitterer wrote:

> Package: icingaweb2-common
> Version: git master
> Severity: wishlist
> Tags: security
> Hi.
> I've seen that with commit a7f069b24a2da4bd48f60899b252dfb32079edc6
> the user www-data will be readded to the group icingaweb2
> on every package configure, which AFAIU also includes updates.
> Could you please either
> -  don't do this at all (since it's be no means sure that www-data
>    actually needs or should have access to icingaweb2 content)
As I already told you it is needed. 
> or
> - at least do it only once on the original installation?
>   This would make leave the setup with the mod_php SAPI continue to
>   work out of the box, while not interfering with the setups of
>   people which deliberately choose to remove www-data from icingaweb2.
>   This makes especially sense in order to not grant anything running in
>   the webserver's context access to the whole Icinga Web 2 configuration
>   which likely includes passwords to databases, or e.g. SSH keys.
That should be possible.


More information about the Pkg-nagios-devel mailing list