On Sat, May 24, 2008 at 01:25:26PM +0200, Andreas Henriksson wrote:
>Awstats cronjob runs as www-data -> no read permission. :(
>I've committed the patch anyway, since pointing at non-existent logfiles
>isn't any better than pointing at those you don't have permission to
>read.

Hmm - actually it might be better to not change, then: Both setups won't work as is. But changing the configuration file on systems that work already will cause package update scripts to ask if you want to update configurations to the new default - which is of no benefit, only confusion.

>Running the cronjob as root ... is unacceptable IMO!
>Using debconf to ask the user and configure logfiles to be
>world-readable could be an option,

Needs other changes too, like editing the logrotate snippet which is owned by the apache package, so illegal to touch by our package. We can only instruct the local admin to consider changing it.

>Adding an awstats user which is member of group adm seems best, but
>I'll have to read up on exactly what being an adm member gives you
>access to

Most logfiles.

Might make sense for a setup that only parses weblogs producing static files for the webserver to serve. But I do not trust AWStats enough to allow web access to adm group by default!

>and I guess this would break the (default disabled?) config
>option of being able to trigger an "update now" from the web.

If it isn't already disabled by default it really should be IMO: Leave possible security problems to adventurous local admins!

>I guess we should ask the apache2 team what they think is the best way.

At debconf in Finland a few years ago we discussed some web apps policy. I don't know what happened since. Try searching at http://wiki.debian.org/

>OTOH, it might be better to just ship now. We're not worse off than
>before, and it would be nice to have that RC bug closed.

As I wrote above, we are actually slightly worse off than before: As is, the change is only cosmetic, and the "cosmetic" question it raises when updating the package on systems with locally edited config files is worse IMO.

I suggest rolling back the config change before releasing, postponing that change until it has some real use.

 - Jonas

--
 * Jonas Smedegaard - idealist and Internet architect
 * Tel.: +45 40843136  Website: http://dr.jones.dk/

 - The end is near: http://www.shibumi.org/eoti.htm