On Tue, May 7, 2013 02:55, Christoph Anton Mitterer wrote:
> On Mon, 2013-05-06 at 14:59 -0600, Bob Proulx wrote:
>> > 1) We should try to educate users not to use mod_php.
>> If "Best Practices" such as this were documented such as on the Debian
>> wiki then it would go a long way to making this easy for users to do.
>> They could then simply follow recipes to good practices.
> Well but right now many packages rather assume that one uses mod_php...
>
> I run several PHP programs on our faculty (e.g. icinga-classic,
> icinga-web, pnp)... all of them with CGI each of them running with its
> own user and thereby also doing the DB authentication...
>
> Setting this up was really time consuming as it required lots of trying,
> especially when also "hardening" php.ini per each of these programs (and
> therefore most end users simply won't do it)... in an ideal world...
> such things would be better supported.

We're running many different packaged PHP applications without mod_php but via mod_fcgid + php5-cgi. In every case we didn't encounter any point where the packaging made assumptions about running on mod_php. So if you know of such packages, just file a bug there - it's not a pervasive problem as far as my experience goes.

Debian packages do assume that they're running as www-data, but this is not related to whether you use mod_php and is codified in Debian Policy.

As for hardening the shipped php.ini - I suggest that you file a bug against php5 with suggested changes and we can discuss the pros and cons of each for jessie.

All in all I don't see any Release Goal material yet, here.

Cheers,
Thijs