[Pkg-nagios-devel] Bug#831787: Bug#831787: icingaweb2-common: please don't unconditionally re-add www-data to icingaweb2 on upgrades

[Christoph Anton Mitterer]

On Tue, 2016-07-19 at 15:08 +0200, Alexander Wirt wrote:
> What do you mean? It should be possible to do it only once on
> > installation? Or that it should be possible (for the "default"
> > mod_php
> > setup to access these files/passwords/etc.?
> The installation part.

Ah that's quite nice and helpful :-)

I could try[0] to craft a commit that does this if it helps you.


Perhaps including some addition to README.Debian which informs about
that www-data is added to the group, as well as why/when this is
needed?
Something like:
Permissions
***********
When the package is installed (not on upgrades) it will automatically
add the user www-data to the group icingaweb2.
This is to suit the setup-scenario in which e.g. the apache PHP SAPI
(libapache2-mod-php*) is used, which per default will run under the
webserver's context as user/group www-data.
If another SAPI is used or the webserver is running as a different
user/group, this should be removed and the respective users be added
to the group instead (for example cgi-suexec).
Notice: Every user added to this group will have obviously access to
files owned by the icingaweb2 group. These may typically contain
passwords to databases or SSH private keys used with Icinga Web 2.


I think such text would give proper explanation to those users who are
interested in it, and not causing harm to any others.


Cheers.


[0] Me admittedly not being a Debian packaging expert.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5930 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20160719/5515d796/attachment.bin>