Package: dwww
Version: 1.9.25
Severity: wishlist

This bug report may be too long.  If so, just page down to the 2nd to
last paragraph for a summary.

A few years ago, wanting a better interface to Debian's docs, I installed
a bunch of frontends like 'dwww', 'dhelp', 'gtkman', etc. to try 'em
out.  Like many naive users, I wasn't as interested in how these
programs worked as in whether they made looking things up easier.  At
which 'dwww' succeeds with flying colors.  I had no prior need for (or
interest in administering) a web server and presumed that if 'dwww'
needed it behind the scenes, then so be it.

It seems that 'dwww' puts its main page online so anybody who looks at
my IP address can read all the many docs 'dwww' offers.  A friend who
lives a few towns away pointed this out a while back; it's never caused
any problem, or none I've noticed -- and on a dialup sudden bandwidth
changes are obvious.

Off the top of my head I can think of two reasons why 'dwww' users
might not want their docs public.

    1) Loss of bandwidth if they're accessed.

    2) Access to '/usr/share/doc' shows what programs a system has
    installed.  The changelogs in '/usr/share/doc' show what version a given
    installed package is.  So a miscreant might look for insecure program
    versions, which could then be exploited.

But giving 'dwww' the benefit of the doubt, suppose we consider public
docs a feature, not a bug**.  So how does one turn this feature off?  The
docs in 'dwww' that I've read don't seem to say, nor do they caution
users about it.

(**it's ideal for file servers.)

If 'dwww' is dependent on the web server to turn this off, then it would
be nice to have a few pointers in the docs about how to instruct a web
server to stop making 'dwww' docs world readable.

If it turns out that web servers can't reliably do this; and that yet
another external program, perhaps a firewall, is needed, then the 'dwww'
docs might suggest using one, and maybe some security increasing package
might be added to the 'dwww' package's "Suggests:" field.

I'm not sure if this is a 'wishlist' bug, (though I wish
the docs said more about it), or something more severe.

I worry some net-expert might argue: "Well users should NEVER run a web
server if they don't know what they're doing."  But a program like
'dwww' is best appreciated by those novices, they're the ones who need
it most.  Such a disapproving expert should at least concede that the
current 'dwww' docs and package description do not attempt to warn
novices away from an otherwise useful interface.  The package
description seems quite welcoming:

    Description: Read all on-line documentation with a WWW browser
     All installed on-line documentation will be served via a local HTTP
     server. When possible, dwww converts the documentation to HTML.
     You need to install both a CGI-capable HTTP server and a WWW
     browser to read the documentation.

No mention of security issues there.  A "local" server hardly sounds as
though it might be internationally accessible.

Summing up, I wish for docs that would explain or suggest how to close
the blinds of 'dwww' so the whole online world can't peek in.  If this
is unfeasible, then 'dwww' should warn novice users of its necessary
dangers.

Hope this helps...

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)

Versions of packages dwww depends on:
ii  apache [httpd-cgi]            1.3.33-8   versatile, high-performance HTTP s
ii  debconf [debconf-2.0]         1.4.58     Debian configuration management sy
ii  debianutils                   2.14.3     Miscellaneous utilities specific t
ii  doc-base                      0.7.18-0.1 utilities to manage online documen
ii  file                          4.12-1     Determines file type using "magic"
ii  libc6                         2.3.5-6    GNU C Library: Shared libraries an
ii  man-db                        2.4.3-2    The on-line manual pager
ii  menu                          2.1.25     generates programs menu for all me
ii  perl                          5.8.7-5    Larry Wall's Practical Extraction 
ii  realpath                      1.9.25     Return the canonicalized absolute 

Versions of packages dwww recommends:
ii  apt                           0.6.41     Advanced front-end for dpkg
ii  dlocate                       0.5-0.1    fast alternative to dpkg -L and dp
ii  info2www                      1.2.2.9-23 Read info files with a WWW browser

-- debconf information:
* dwww/cgiuser: www-data
* dwww/cgidir: /usr/lib/cgi-bin
* dwww/docrootdir: /var/www
* dwww/serverport: 80
* dwww/servername: Arf
  dwww/index_docs: true
  dwww/nosuchdir:
  dwww/nosuchuser:
  dwww/badport:
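One way to answer the reporter's question (how to keep the web server from making the dwww pages world-readable) is shown below. This is an added example, not part of the bug report or of the dwww package: an Apache 1.3-style fragment, matching the apache 1.3.33 and the /usr/lib/cgi-bin and /var/www paths listed in the debconf information above, that restricts the dwww CGI and its static pages to the local machine. The URL paths /cgi-bin/dwww and /dwww/ are assumed to be where dwww is served from; adjust them if the local install differs.

```apache
# Added example (not dwww's own configuration): restrict dwww to
# loopback so only browsers on this host can reach the documentation.
# Assumes Apache 1.3-style access control (Order/Deny/Allow) and that
# dwww's CGI is at /cgi-bin/dwww and its static files under /dwww/.

# The dwww CGI script (debconf: dwww/cgidir = /usr/lib/cgi-bin)
<Location /cgi-bin/dwww>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>

# Static HTML/CSS served from the document root (dwww/docrootdir = /var/www)
<Location /dwww/>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>

# Stronger alternative when the machine needs no public web server at all:
# bind the server to the loopback interface only, so nothing is reachable
# from the network regardless of per-path rules. Replaces the usual
# "Listen 80"; pair it with "BindAddress 127.0.0.1" on older 1.3 setups.
# Listen 127.0.0.1:80
```

After changing the configuration, restart the server and confirm from another host that http://<server>/cgi-bin/dwww now returns 403 while http://localhost/cgi-bin/dwww still works locally.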

