Package: dwww
Version: 1.9.25
Severity: wishlist
This bug report may be too long. If so, just page down to the 2nd-to-last paragraph for a summary.

A few years ago, wanting a better interface to Debian's docs, I installed a bunch of frontends like 'dwww', 'dhelp', 'gtkman', etc. to try 'em out. Like many naive users, I wasn't as interested in how these programs worked as in whether they made looking things up easier, at which 'dwww' succeeds with flying colors. I had no prior need for (or interest in administering) a web server and presumed that if 'dwww' needed it behind the scenes, then so be it.

It seems that 'dwww' puts its main page online so anybody who looks at my IP address can read all the many docs 'dwww' offers. A friend who lives a few towns away pointed this out a while back; it's never caused any problem, or none I've noticed -- and on a dialup, sudden bandwidth changes are obvious.

Off the top of my head I can think of two reasons why 'dwww' users might not want their docs public.

1) Loss of bandwidth if they're accessed.

2) Access to '/usr/share/doc' shows what programs a system has installed. The changelogs in '/usr/share/doc' show what version a given installed package is. So a miscreant might look for insecure program versions, which could then be exploited.

But giving 'dwww' the benefit of the doubt, suppose we consider public docs a feature, not a bug**. So how does one turn this feature off? The docs in 'dwww' that I've read don't seem to say, nor do they caution users about it. (**It's ideal for file servers.)

If 'dwww' is dependent on the web server to turn this off, then it would be nice to have a few pointers in the docs about how to instruct a web server to stop making 'dwww' docs world-readable. If it turns out that web servers can't reliably do this, and that yet another external program, perhaps a firewall, is needed, then the 'dwww' docs might suggest using one, and maybe some security-increasing package might be added to the 'dwww' package's "Suggests:" field.
I'm not sure if this is a 'wishlist' bug (though I wish the docs said more about it) or something more severe. I worry some net-expert might argue: "Well, users should NEVER run a web server if they don't know what they're doing." But a program like 'dwww' is best appreciated by those novices; they're the ones who need it most. Such a disapproving expert should at least concede that the current 'dwww' docs and package description do not attempt to warn novices away from an otherwise useful interface. The package description seems quite welcoming:

Description: Read all on-line documentation with a WWW browser
 All installed on-line documentation will be served via a local HTTP
 server. When possible, dwww converts the documentation to HTML. You
 need to install both a CGI-capable HTTP server and a WWW browser to
 read the documentation.

No mention of security issues there. A "local" server hardly sounds as though it might be internationally accessible.

Summing up, I wish for docs that would explain or suggest how to close the blinds of 'dwww' so the whole online world can't peek in. If this is unfeasible, then 'dwww' should warn novice users of its necessary dangers.

Hope this helps...
-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)

Versions of packages dwww depends on:
ii  apache [httpd-cgi]      1.3.33-8     versatile, high-performance HTTP s
ii  debconf [debconf-2.0]   1.4.58       Debian configuration management sy
ii  debianutils             2.14.3       Miscellaneous utilities specific t
ii  doc-base                0.7.18-0.1   utilities to manage online documen
ii  file                    4.12-1       Determines file type using "magic"
ii  libc6                   2.3.5-6      GNU C Library: Shared libraries an
ii  man-db                  2.4.3-2      The on-line manual pager
ii  menu                    2.1.25       generates programs menu for all me
ii  perl                    5.8.7-5      Larry Wall's Practical Extraction
ii  realpath                1.9.25       Return the canonicalized absolute

Versions of packages dwww recommends:
ii  apt                     0.6.41       Advanced front-end for dpkg
ii  dlocate                 0.5-0.1      fast alternative to dpkg -L and dp
ii  info2www                1.2.2.9-23   Read info files with a WWW browser

-- debconf information:
* dwww/cgiuser: www-data
* dwww/cgidir: /usr/lib/cgi-bin
* dwww/docrootdir: /var/www
* dwww/serverport: 80
* dwww/servername: Arf
  dwww/index_docs: true
  dwww/nosuchdir:
  dwww/nosuchuser:
  dwww/badport:
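The report asks how to tell the web server to stop serving dwww's pages to the world. The following is an added example, not part of the bug report and not configuration shipped by the dwww or apache packages. It is written in the Apache 1.3 access-control syntax (Order/Deny/Allow) because that is the httpd version listed above, and it assumes two paths: that the dwww CGI answers at /cgi-bin/dwww (the debconf cgidir above is /usr/lib/cgi-bin) and that dwww's static pages sit under /dwww/. Adjust those paths to whatever your dwww Apache snippet actually declares.

```apache
# Constructed example: restrict dwww to the local machine (Apache 1.3 syntax).
# Assumed paths: CGI at /cgi-bin/dwww, static pages under /dwww/.
# Drop this into a file included from httpd.conf (e.g. conf.d/dwww-local).

# Weak setting, shown for contrast. This is what an unrestricted install
# behaves like: anyone who can reach port 80 can run the CGI, which in turn
# reads /usr/share/doc, man pages and info pages on the box.
#<Location /cgi-bin/dwww>
#    Order allow,deny
#    Allow from all
#</Location>

# Hardened setting: deny by default, then allow only loopback clients.
<Location /cgi-bin/dwww>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>

<Location /dwww>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>

# Alternative when the machine needs no public web server at all: bind the
# whole listener to loopback instead of every interface. Apache 1.3 takes one
# Listen directive per address:port, so remove the bare "Listen 80" / "Port 80"
# that covers 0.0.0.0 when you add this line.
# Listen 127.0.0.1:80
```

After editing, run `apachectl configtest` and then `apachectl graceful`, and confirm from another host that a request for /cgi-bin/dwww now gets a 403 rather than the index page. Two checks worth making while you are in httpd.conf: the Debian apache package has also shipped an `Alias /doc/ /usr/share/doc/` of its own, so check whether that alias exists and is likewise limited to 127.0.0.1, since it exposes the same changelogs the report is worried about without going through dwww at all; and if the box is behind a dialup router, a packet filter that drops inbound port 80 is an independent second layer, not a replacement for the Apache rules, because the rules still protect you if the filter is ever switched off.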