Hi Thomas,

On Sat, Nov 22, 2008 at 9:48 AM, Thomas Viehmann <[EMAIL PROTECTED]> wrote:
> given that there seems to be limited interest in fixing the #475737 (3
> weeks since reopen without further comments), how about removing otrs2
> from lenny?

I had sent the following reply to the list (but not to the bug) weeks
ago but I did not get an answer so far:

I agree that it is a FHS violation that will be fixed in unstable and
that we have lived with the problem in sarge and etch but I do not
agree that it is a security problem. That is why I ask for an
exception for lenny.  Let me quote from the bug report:

"... every web application has read access to /etc/otrs/database.pm
which means it can create havoc in the database, install stored
procedures and so on. Every other webapp with a database has the same
problem - not only otrs. It is the duty of the local admin to make
sure that the installation is safe. I do not understand what is so
special about otrs..."

"It is not hard to modify foreign databases when it comes to webapps
that are executed by the same httpd user and BTW stored procedures are
executed in the context of the postgres user."

I am sorry that the FHS issue cannot be fixed easily but the bug
report came very late before the freeze.


Torsten



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to