Having slept on it, I agree with Vincent and Dmitry. I think there is no sane way to have a secure session dir for CGI apps that might at any time need to be recreated with a unique name. Basically, imagine what happens when you have a heavily loaded server, each of hundreds of CGI scripts realising that the session dir has gone, and they all create a unique new one and try to update the cfg file!!! Seriously bad news.

I will re-do the twiki package to rely on /var/run/twiki (or /var/lib/twiki/tmp if someone here suggests so) and a cron job.

Post Lenny, I think it is desperately important for DDs to get a secure CGI session _file_ policy created, and I suspect some support systems to ensure that it won't cause the server issues such as filling up /var and preventing logging (the reason I was originally asked to move it out of /var/lib/twiki).

Could someone please give me an idea of how long I have before it is too late to fix this for Lenny?

Sven

Olivier Berger wrote:
> Hi Vincent.
>
> On Saturday 16 August 2008 at 13:26 +0200, Vincent Bernat wrote:
>> I would be happy to upload your fix but I disagree with it. As pointed
>> out by Olivier at the end of the bug report, /tmp can be flushed at boot or
>> by some cron jobs. Therefore, you cannot ensure that the twiki directory
>> still exists when twiki will be running.
>>
>> I cannot give a universal solution, but in Roundcube, we use
>> /var/lib/roundcube/temp and we provide a cron job that will clean it
>> every m days where <m> can be set by the user in /etc/default/roundcube
>> (and I just noticed that this is broken... will upload a fix). This way,
>> we don't fill up /var but we don't rely on anything in /tmp. Moreover,
>> we don't have to handle a complex script in postinst to circumvent
>> symlink attacks.
>>
>> The problem with webapps is that we don't have a clear policy of what to
>> do. You can just look at other packages, like phpmyadmin, mediawiki,
>> etc. Each attempt to establish a webapps policy seems to be aborted.
>
> That's why I asked for advice on debian-devel@ with no success :(
> http://lists.debian.org/debian-devel/2008/08/msg00340.html
>
> Feel free to comment anyway ;)
>
> Best regards,

-- 
Professional Wiki Innovation and Support
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner - http://wikiring.com
Public key - http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&op=index&exact=on
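As an added example (not code from the twiki or roundcube packages, and not posted by anyone in this thread), here is a minimal shell implementation of the scheme Vincent describes: a package-owned directory under /var/lib that is created once at install time and swept by a cron job, with the retention period read from /etc/default/<package>. It also encodes Sven's point that the CGI scripts must never recreate the directory themselves. The paths and names used (/var/lib/twiki/tmp, /etc/default/twiki, the MAXAGE variable, twiki-clean-sessions and the two function names) are assumptions for illustration, not files Debian ships.

```shell
#!/bin/sh
# Added example (not the twiki or roundcube packaging, and not posted by anyone
# in this thread): a package-owned session/temp directory that is created once
# and swept by cron, instead of a /tmp directory that CGI scripts would have to
# recreate at runtime.
#
# Assumed names for illustration: /var/lib/twiki/tmp, /etc/default/twiki and
# the MAXAGE variable it may set.

# Retention in days. The admin overrides it in /etc/default/twiki (assumed
# file, sourced only if present), mirroring the /etc/default/roundcube scheme.
MAXAGE=7
if [ -r /etc/default/twiki ]; then
    . /etc/default/twiki
fi

# ensure_session_dir DIR
# Create DIR once (postinst or first cron run) with mode 0750. Refuses if the
# path exists but is not a real directory, so a symlink planted there by a
# local user is never followed. The CGI scripts themselves never call this.
ensure_session_dir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi
    if [ -d "$dir" ]; then
        return 0
    fi
    if [ -e "$dir" ]; then
        echo "refusing: $dir exists and is not a directory" >&2
        return 1
    fi
    # chown to the web server user belongs in postinst; omitted here because
    # it needs root.
    mkdir -m 0750 "$dir"
}

# cleanup_session_dir DIR DAYS
# Delete regular files and symlinks under DIR whose mtime is older than DAYS
# days. Returns 1 without touching anything if DIR is missing or not a plain
# directory, or if DAYS is not a non-negative integer.
cleanup_session_dir() {
    dir=$1
    days=$2
    case $days in
        ''|*[!0-9]*)
            echo "bad retention '$days'" >&2
            return 1 ;;
    esac
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing to clean '$dir': not a plain directory" >&2
        return 1
    fi
    # No -L/-follow: find never descends through symlinks, and -type l entries
    # are unlinked as links, never dereferenced. -xdev stays on one filesystem;
    # -delete removes in place instead of handing paths to a second process
    # (no xargs/rm race on renamed entries). These are GNU findutils options.
    find "$dir" -xdev -mindepth 1 \( -type f -o -type l \) \
        -mtime +"$days" -delete
}

# Invoked from cron, e.g. from an assumed /etc/cron.daily/twiki:
#   twiki-clean-sessions /var/lib/twiki/tmp
if [ "$#" -gt 0 ]; then
    ensure_session_dir "$1" && cleanup_session_dir "$1" "${2:-$MAXAGE}"
fi
```

The directory is only ever created by this script or by postinst, never by the web application at request time, which removes the "hundreds of CGI scripts all recreating it at once" race entirely; if the directory is missing or has been replaced by a symlink, the cleaner refuses and exits non-zero so cron reports it instead of silently following the link. Note that find is run without -L, so a symlink a local user drops into the session dir is removed as a link and its target is never touched.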