Having slept on it, I agree with Vincent and Dmitry.

I think there is no sane way to have a secure session dir for cgi apps
that might at any time need to be recreated with a unique name...
basically, imagine what happens when you have a heavily loaded server,
each of 100s of cgi scripts realising that the session dir has gone, and
they all create a unique new one, and try to update the cfg file!!!

seriously bad news.

I will re-do the twiki package to rely on /var/run/twiki (or
/var/lib/twiki/tmp if someone here suggests so) and a cronjob.

Post Lenny, I think it is desperately important for DD's to get a secure
cgi session _file_ policy created - and I suspect, some support systems
to ensure that it won't cause the server issues such as filling up /var,
preventing logging (the reason that I originally was asked to move it
out of /var/lib/twiki).

Could someone please give me an idea of how long I have before it is too
late to fix this for lenny?

Sven

Olivier Berger wrote:
> Hi Vincent.
> 
> On Saturday 16 August 2008 at 13:26 +0200, Vincent Bernat wrote:
>> I would be happy to upload your fix but I disagree with it. As pointed
>> out by Olivier at the end of the bug report, /tmp can be flushed at boot
>> or by some cronjobs. Therefore, you cannot ensure that the twiki
>> directory still exists when twiki will be running.
>>
>> I cannot give a universal solution, but in Roundcube, we use
>> /var/lib/roundcube/temp and we provide a cron job that will clean it
>> every m days where <m> can be set by the user in /etc/default/roundcube
>> (and I just noticed that this is broken... will upload a fix). This way,
>> we don't fill up /var but we don't rely on anything in /tmp. Moreover,
>> we don't have to handle a complex script in postinst to circumvent
>> symlink attacks.
>>
>> The problem with webapps is that we don't have a clear policy of what to
>> do. You can just look at other packages, like phpmyadmin, mediawiki,
>> etc. Each attempt to establish a webapps policy seems to be aborted.
> 
> That's why I asked for advice on debian-devel@ with no success :(
> http://lists.debian.org/debian-devel/2008/08/msg00340.html
> 
> Feel free to comment anyway ;)
> 
> Best regards,

-- 
Professional Wiki Innovation and Support
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner - http://wikiring.com
Public key -
http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&op=index&exact=on
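The scheme Vincent describes (a package-owned directory under /var/lib rather than /tmp, pruned by a cron job, with no symlink-following in postinst) and the recreation race Sven worries about, as an added shell example that is not from the thread nor from the twiki or roundcube packages. The directory path (a stand-in for /var/lib/twiki/tmp), the 0700 mode and the 7-day retention are assumptions. The directory is created once by the package (postinst or boot), the web app only verifies it, and the cron half never removes the directory itself, so no request ever has to recreate it or touch the config file.

```shell
# Added example, not from the thread: a session directory under /var/lib/<pkg>
# (stand-in for /var/lib/twiki/tmp) created once by the package, verified by
# the web app, and pruned by a cron job. Paths, mode and retention are assumed.
set -u

# ensure_session_dir DIR MODE
# Create DIR with MODE if absent; refuse it if it is a symlink or not a
# directory owned by the caller. mkdir without -p is atomic and fails with
# EEXIST if a symlink was planted between the test and the mkdir, so the
# post-check below is what actually decides.
ensure_session_dir() {
    dir=$1
    mode=$2
    if [ -L "$dir" ]; then
        echo "refusing symlink at $dir" >&2
        return 1
    fi
    if [ ! -e "$dir" ]; then
        mkdir -m "$mode" "$dir" || return 1
    fi
    if [ ! -d "$dir" ] || [ -L "$dir" ] || [ ! -O "$dir" ]; then
        echo "$dir is not a directory owned by $(id -un)" >&2
        return 1
    fi
    chmod "$mode" "$dir"
}

# prune_session_dir DIR DAYS
# Cron half: delete regular files under DIR untouched for more than DAYS
# days, never DIR itself, and print how many were removed. This is what
# keeps /var from filling up without relying on /tmp being flushed.
prune_session_dir() {
    dir=$1
    days=$2
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        return 1
    fi
    find "$dir" -mindepth 1 -type f -mtime +"$days" -print -delete | wc -l | tr -d ' '
}

# demo: exercise both halves on a scratch tree; returns 0 when all behaves.
demo() {
    base=$(mktemp -d) || return 1
    sess=$base/sessions
    rc=1
    if ensure_session_dir "$sess" 0700; then
        touch "$sess/fresh"
        touch -t 200801010000 "$sess/stale"   # constructed: a 2008 session file
        ln -s /etc "$base/planted"            # constructed: pre-planted symlink
        if ! ensure_session_dir "$base/planted" 0700 2>/dev/null; then
            removed=$(prune_session_dir "$sess" 7)
            if [ -f "$sess/fresh" ] && [ ! -f "$sess/stale" ] && [ "$removed" = 1 ]; then
                rc=0
            fi
        fi
    fi
    rm -rf "$base"
    return $rc
}

demo && echo "session dir handling OK"
```

In a package, `ensure_session_dir` would run from postinst (and from an init or tmpfiles-style hook if the directory may vanish), while `prune_session_dir` would be the body of the cron job, with the retention read from /etc/default/<pkg> the way Vincent describes for roundcube.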