ok, following the url..

Nico, you seem to me to be incorrect.

777 is on the working/tmp dir only, which is not used for any web
content. Also, as the twiki cgi scripts are callable from the command
line by any user, requiring the working/tmp dir to be writable by any
user, I can't think of any way that this is fixable?

I guess for me to act on this, I'll need more information from you.
TWiki does have a very painful set of assumptions, which don't map
easily to debian, and as a non-DD, I need much more help than what
you've provided.

Sven


------------------------------------------
-       chmod 777 /tmp/twiki 
-       chown $TWIKI_OWNER.www-data /tmp/twiki 
+       chmod 777 /var/lib/twiki/working/tmp 
+       chown $TWIKI_OWNER.www-data /var/lib/twiki/working/tmp 
 
        #add softlinks to make adding plugins easier ()
        if [ ! -e /var/lib/twiki/lib ]; then
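Review bot: `chmod 777 /var/lib/twiki/working/tmp` in this hunk makes the directory world-writable with no sticky bit, so any local account can create, rename or unlink entries in it, which is exactly what the symlink concern raised in this thread depends on. Since the following `chown` already gives the directory to $TWIKI_OWNER with group www-data, the cgi scripts running as www-data only need group write, so `chmod 2770` (setgid so new entries stay in the www-data group) is sufficient for the web path; if the scripts really must remain runnable from the command line by arbitrary users, `chmod 1777` at least limits removal and renaming of an entry to its owner. Also, `$TWIKI_OWNER.www-data` uses the non-POSIX dot separator that GNU chown only accepts for compatibility; `$TWIKI_OWNER:www-data` is the portable spelling.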

Thanks for not sponsoring this upload. Why is setting the rights
to 777 done here? This would enable every user on the system to delete web
content via a symlink attack. The old solution is of course not secure
either. Please fix this.
 
Kind regards 
Nico 




On Sun, 2007-10-21 at 19:22 +1000, Sven Dowideit wrote:
> Bizarre,
> 
> I don't have any email from Holger, at any time, nor did I search for a
> new sponsor. Ardo has been sponsoring this package for the last few
> years, with Amaya helping me out both with the debian bits, and with
> uploading when things were busy.
> 
> so, um, what are you debian people up to?
> 
> I also did not receive any information that there was an issue with this
> package, so I guess there's a communications problem somewhere?
> 
> anyone want to fill me in?
> 
> (yes, I am not a DD, and have little time or interest in becoming one,
> I'm just trying hard to make twiki easier for people)
> 
> Sven
> 
> On Sat, 2007-10-20 at 15:06 -0500, Ardo van Rangelrooij wrote:
> > Nico Golde wrote:
> > > Hi,
> > > errm why on earth did you (Sven) search for another sponsor when 
> > > Holger was looking into your package but decided not to 
> > > upload it because of the changes you made?
> > > 
> > > You searched a new sponsor with exactly the same debdiff.
> > > 
> > > I am sorry but it looks like this was intentional because 
> > > I Cced you in the mail stating why there is no way for this 
> > > package to get uploaded:
> > > http://lists.alioth.debian.org/pipermail/secure-testing-team/2007-October/001416.html
> > > 
> > > Why did you ignore this, and Ardo, why did you upload this?
> > 
> > Nico,
> > 
> > Oops! Totally overlooked this one.  Yes, that should never have been 
> > uploaded.  (For a moment I was afraid I took the wrong version from Sven's 
> > website, but this is the only version for this fix.)
> > 
> > I also wasn't aware of you being involved in this.
> > 
> > Sven,
> > 
> > This is not good.  Let's never do this again.
> > 
> > Thanks,
> > Ardo
> > 
> > 
-- 
Professional Wiki Innovation and Support
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner http://wikiring.com



