Package: icingaweb2-common
Version: git master
Severity: wishlist
Tags: security

Hi.

I've seen that with commit a7f069b24a2da4bd48f60899b252dfb32079edc6 the user www-data will be re-added to the group icingaweb2 on every package configure, which AFAIU also includes updates.

Could you please either
- not do this at all (since it's by no means sure that www-data actually needs or should have access to icingaweb2 content) or
- at least do it only once on the original installation?

This would let the setup with the mod_php SAPI continue to work out of the box, while not interfering with the setups of people who deliberately choose to remove www-data from icingaweb2.

This makes sense especially in order to not grant anything running in the webserver's context access to the whole Icinga Web 2 configuration, which likely includes passwords to databases, or e.g. SSH keys.

Best wishes,
Chris.
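
One way to implement the second option requested above, as an added example that is not the package's actual maintainer script: dpkg calls `postinst configure` with the most recently configured version as the second argument, and that argument is empty on a first installation. The function names and the `ADDUSER` override are hypothetical, and the version string in the comments is constructed.

```shell
#!/bin/sh
# Sketch of a postinst fragment (added example, not the icingaweb2 packaging).
# User and group names are the ones named in the report.
WEB_USER="www-data"
WEB_GROUP="icingaweb2"

# Decide what to do for one maintainer-script invocation.
#   $1 = action passed by dpkg (configure, abort-upgrade, ...)
#   $2 = most recently configured version; empty on a first installation
# Prints "add" or "skip".
group_membership_action() {
    action="$1"
    old_version="$2"
    if [ "$action" != "configure" ]; then
        echo "skip"
        return 0
    fi
    if [ -z "$old_version" ]; then
        # Fresh install: keep the mod_php setup working out of the box.
        echo "add"
    else
        # Upgrade or reconfigure (e.g. old version "2.4.1-1", constructed):
        # leave membership alone so an admin's removal of www-data sticks.
        echo "skip"
    fi
}

# Apply the decision. ADDUSER is a hypothetical override used for dry runs;
# it defaults to Debian's adduser, which adds an existing user to a group.
apply_group_membership() {
    decision=$(group_membership_action "$1" "$2")
    if [ "$decision" = "add" ]; then
        ${ADDUSER:-adduser} --quiet "$WEB_USER" "$WEB_GROUP"
    fi
    echo "$decision"
}

# In a real postinst this would be invoked as:
#   apply_group_membership "$@"
```

A reinstall after removal without purge also passes a non-empty old version, so the membership stays as the administrator left it in that case too.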

