On Wednesday 11 June 2008 at 15:48 +0200, Olivier Berger wrote:
> Hello.
> 
> I assume that my RTFM argument made its point, and the reality of the
> issue is acknowledged, so I'm trying to get back to the proposal for a
> solution.
> 
SNIP

> I have reviewed my previous proposed patch, and am proposing a new
> version of changes for the package's scripts.
> 

I have put some more effort into trying to propose a cleaner fix for that
bug.

You'll find the improved patch to be applied to the package's sources in
attachment.

Note that it now manages debconf better, asking for the password twice and
comparing the inputs.

There are template changes (btw, thanks bubulle for the advice) that would
need to be translated, alongside other translations not yet
included, probably in a joint NMU to come (see details regarding
translations in #458573).

Hope this helps,
-- 
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
diff -u twiki-4.1.2/debian/templates twiki-4.1.2/debian/templates
--- twiki-4.1.2/debian/templates
+++ twiki-4.1.2/debian/templates
@@ -35,0 +36,34 @@
+
+Template: twiki/configuser
+Type: string
+Default: configuser
+_Description: User allowed to configure TWiki
+ Please enter the username allowed to access the configure script.
+ .
+ This user will be the only one allowed to access the configure script at
+ ${site}/cgi-bin/configure.
+
+Template: twiki/configpassword
+Type: password
+_Description: Configure user's password
+ Please enter password for user ${configuser}.
+ .
+ This is the password for the user '${configuser}' which will be the
+ only one allowed to access the configure script at
+ ${site}/cgi-bin/configure 
+ .  
+ This password should be non-trivial.
+
+Template: twiki/configpassword_again
+Type: password
+_Description: Configure user's password (again)
+ Re-enter password of user ${configuser} for verification:
+ .
+ Please enter the same password again to verify you have typed it
+ correctly.
+
+Template: twiki/password_mismatch
+Type: text
+_Description: Password mismatch.
+ The passwords you entered didn't match. Please try again.
+
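Review bot: the body lines `${site}/cgi-bin/configure ` and ` .  ` at the end of the twiki/configpassword description carry trailing whitespace; debconf recognises a paragraph break only on a line that is exactly ` .`, so the stray spaces may render that line as literal text and will at least produce odd strings for translators. Strip the trailing whitespace, and drop the final period from `_Description: Password mismatch.` (short descriptions are not sentences and should not end with a period).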
diff -u twiki-4.1.2/debian/config twiki-4.1.2/debian/config
--- twiki-4.1.2/debian/config
+++ twiki-4.1.2/debian/config
@@ -1,4 +1,5 @@
 #!/bin/sh 
+
 set -e
 
 # Source debconf library.
@@ -14,3 +15,58 @@
+
+db_go || true
+
+# ask for config user (default: configuser)
+db_get "twiki/defaultUrlHost"
+site="$RET"
+db_subst "twiki/configuser" "site" "$site"
+# medium = may be initialized to default value
+db_input medium twiki/configuser || true
+
+db_go || true
+
+db_get twiki/configuser
+configuser="$RET"
+db_subst "twiki/configpassword" "configuser" "$configuser"
+db_subst "twiki/configpassword_again" "configuser" "$configuser"
+db_subst "twiki/configpassword" "site" "$site"
+
+pass_ok="false"
+while [ "$pass_ok" != "true" ]; do
+    # Ask for password
+    # high : password must be typed-in
+    db_input high twiki/configpassword || [ $? -eq 30 ]
+
+    # Ask for password again
+    db_input high twiki/configpassword_again || [ $? -eq 30 ]
+    db_go
+
+    db_get twiki/configpassword
+    password="$RET"
+    db_get twiki/configpassword_again
+    password_again="$RET"
+
+    # If password are not equals, loop again
+    if [ "$password" != "$password_again" ]; then
+
+	# Reset the template used.
+	db_reset "twiki/configpassword" || true
+	db_fset  "twiki/configpassword" "seen" "false" || true
+	db_reset "twiki/configpassword_again" || true
+	db_fset  "twiki/configpassword_again" "seen" "false" || true
+	# Promt the user.
+	db_input critical "twiki/password_mismatch" || true
+
+	# Loop again
+	continue
+    fi
+
+    pass_ok="true"
+    db_reset twiki/configpassword_again
+done
+
 # add info due to 3-4 bug reports
 db_input high twiki/apacheUserCreationNote || true
 db_go || true
+
+db_stop
+
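Review bot: the verification loop accepts an empty password. When neither question is actually asked (both `db_input` calls return 30 because the priority threshold is above high, the templates are already marked seen, or the frontend is noninteractive), `$password` and `$password_again` are both empty, they compare equal, `pass_ok` becomes true, and postinst later creates an htpasswd entry with an empty password for the very user that guards the configure script. Add a check such as `if [ -z "$password" ]` handled like the mismatch branch, or have postinst skip the htpasswd update when `$configpassword` is empty. Also, `db_go` inside the loop lacks the `|| true` the rest of the script uses, so any non-zero return from it aborts the whole config script under `set -e`.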
diff -u twiki-4.1.2/debian/changelog twiki-4.1.2/debian/changelog
--- twiki-4.1.2/debian/changelog
+++ twiki-4.1.2/debian/changelog
@@ -1,3 +1,12 @@
+twiki (1:4.1.2-3.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Protect configure script which used to be world accessible as a
+    trivial user : will now be accessible only from localhost as a
+    specific user, which is configured through Debconf. (Closes: #485562)
+
+ -- Olivier Berger <[EMAIL PROTECTED]>  Thu, 26 Jun 2008 08:17:52 +0200
+
 twiki (1:4.1.2-3.1) unstable; urgency=low
 
   * Non-maintainer upload.
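Review bot: the entry should also mention the new debconf questions (twiki/configuser, twiki/configpassword) so that users and translators reading the changelog know new templates were added, and `trivial user :` should be `trivial user:` (no space before the colon in English).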
diff -u twiki-4.1.2/debian/postinst twiki-4.1.2/debian/postinst
--- twiki-4.1.2/debian/postinst
+++ twiki-4.1.2/debian/postinst
@@ -74,7 +74,13 @@
 	perl -pi~ -e 's/^(\s*\*\s*Set\s*SMTPMAILHOST\s*=\s*).*(\r\n)$/$1$2/;' /var/lib/twiki/data/TWiki/TWikiPreferences.txt
 fi
 
+# user + password authorized to run configure script
+db_get twiki/configuser
+configuser="$RET"
+perl -pi~ -e '$U=q{'"$RET"'}; s/^([^#]*Require user).*/$1 $U/g;' /etc/twiki/apache.conf
 
+db_get twiki/configpassword
+configpassword="$RET"
 
 # prevent further confusion: done with debconfig
 
@@ -82,8 +88,6 @@
 # Rewrite this in perl, if we ever find a non-kerberos example of how
 # to do so.
 
-db_stop
-
 case "$1" in
     configure)
 #	P=/usr/lib/cgi-bin/twiki
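Review bot: removing `db_stop` here leaves it called only inside the `configure)` branch (later hunk), so the `abort-upgrade|abort-remove|abort-deconfigure` branch never closes the debconf session explicitly, and the comment `# prevent further confusion: done with debconfig` just above this hunk is now misleading because `db_reset twiki/configpassword` still runs later in the script. Either keep a `db_stop` at the end of the script for all branches or update the comment.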
@@ -126,6 +130,7 @@
 			if [ ! -e /var/lib/twiki/data/.htpasswd ]; then
 			    touch /var/lib/twiki/data/.htpasswd
 		       	    $HTPASSWDCMD -b /var/lib/twiki/data/.htpasswd TWikiGuest guest
+		       	    $HTPASSWDCMD -b /var/lib/twiki/data/.htpasswd "$configuser" "$configpassword"
 			    chown $TWIKI_OWNER.www-data /var/lib/twiki/data/.htpasswd
 			    chmod 660 /var/lib/twiki/data/.htpasswd
 			fi
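Review bot: the new `$HTPASSWDCMD -b ... "$configuser" "$configpassword"` line sits inside `if [ ! -e /var/lib/twiki/data/.htpasswd ]`, so on upgrades from 3.1, where .htpasswd already exists, the configure user is never added to the file, while the apache.conf change now requires exactly that user: after such an upgrade nobody can reach the configure script. Run the htpasswd update for `$configuser` unconditionally in the configure branch (guarded by `[ -n "$configpassword" ]`), leaving only the TWikiGuest bootstrap inside the `! -e` check. Also, `-b` puts the cleartext password on the command line where it is visible to every local user through the process list for the duration of the call; if the installed htpasswd can read the password from stdin, prefer that.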
@@ -177,6 +182,12 @@
 	chown -R $TWIKI_OWNER.www-data /var/log/twiki
 	chmod -R 755 /var/log/twiki
 	chown $TWIKI_OWNER.www-data /etc/twiki/LocalSite.cfg
+
+	# erase configuser password
+        db_reset "twiki/configpassword"
+
+	db_stop
+
 	
 	# reload apache configs
 	for server in $servers; do
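Review bot: `db_reset "twiki/configpassword"` is the only debconf call in this script without `|| true`; under `set -e` a failure here (for instance the template missing on a partial upgrade) aborts postinst after the password has already been written to .htpasswd, and the line is indented with spaces where the surrounding block uses tabs. Add `|| true` for consistency with the config script and fix the indentation. Note that `db_reset` clears only the debconf copy; the `$configpassword` shell variable remains in scope for the rest of the script, which is harmless here but worth keeping in mind if more code is added after this point.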
@@ -185,6 +196,7 @@
                 	/etc/init.d/$server reload
 		fi
 	done
+
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
diff -u twiki-4.1.2/debian/apache.conf twiki-4.1.2/debian/apache.conf
--- twiki-4.1.2/debian/apache.conf
+++ twiki-4.1.2/debian/apache.conf
@@ -127,8 +127,9 @@
 		Order Deny,Allow
 		Deny from all
 		Allow from 127.0.0.1
-		Require user TWikiGuest
-		Satisfy Any
+#		Require user TWikiGuest
+		Require user %CONFIGUSER%
+#		Satisfy Any
 	</FilesMatch>
 
 	<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
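Review bot: with `Satisfy Any` commented out, `Allow from 127.0.0.1` and `Require user %CONFIGUSER%` are now both required (Apache's default is `Satisfy All`), which matches the changelog's "only from localhost as a specific user" but should be written as an explicit `Satisfy All` so the intent survives future edits. The literal `%CONFIGUSER%` placeholder is only replaced when postinst runs the perl substitution; if that step fails, Apache will require a user literally named `%CONFIGUSER%`, which fails closed but deserves a comment in the file. If /etc/twiki/apache.conf is shipped as a conffile, having postinst rewrite it in place will cause dpkg conffile prompts on later upgrades; generating the `Require user` line in a separate `Include`d file outside the conffile would avoid that.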
only in patch2:
unchanged:

Attachment: signature.asc
Description: This is a digitally signed message part
