Package: icecast2
Version: 2.3.2-2
Severity: minor
Currently, the package sets overly restrictive permissions on
some of its files upon configuration. Namely, the postinst
script contains:
$ nl -ba /var/lib/dpkg/info/icecast2.postinst
...
41
42 chown -R icecast2: /var/log/icecast2 /etc/icecast2
43 chmod -R ug=rw,o=,ug+X /etc/icecast2
44
...
$
I deem o= unreasonable, as I see nothing wrong in, e. g., a user
inspecting the XSL-templates provided. Apparently, the only
file which requires such a protection is
/etc/icecast2/icecast.xml, since it contains a number of
passwords.
Furthermore, this setup effectively prevents a user from
starting his own server, for the purposes of a test, or
otherwise, as while the configuration file could easily be
written using the documentation and the provided examples, the
necessary XSL-templates won't be available. (As a work-around,
the user attempting to start a server could $ dpkg -x the
package for the necessary files.)
(Not to mention that it's unclear whether the XSL templates
should be put into /etc at all. Would it make sense to put,
e. g., entire Web sites into /etc? Especially when considering
the sites based on some software, like Wiki engines, etc.)
--
FSF associate member #7257
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]