On Thu, 17 Dec 2009 16:13:36 +0200, Teodor wrote:
> Package: cacti
> Version: 0.8.7e-1.1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> I've noticed in the past that cacti re-adds the symbolic link conf.d/cacti.conf
> on every upgrade even if the source file was *manually* removed by the
> sysadmin. This is done to restrict the access to 'cacti' on each virtual web
> site (the default behaviour in Debian).
> 
> The first problem is that it creates access to restricted data (for those that
> kept the /etc/cacti/apache.conf configuration file).
> 
> The second problem is that 'apache2' fails to start at boot for the same
> reason if it fails to reload on cacti postinstall:
> | Not replacing deleted config file /etc/cacti/apache.conf
> | apache2: Syntax error on line 278 of /etc/apache2/apache2.conf: Could not
> |   open configuration file /etc/apache2/conf.d/cacti.conf: No such file or
> |   directory
> | failed!
> | invoke-rc.d: initscript apache2, action "reload" failed.
> 
> As can be seen, postinstall already has a check for the existence of the
> config file /etc/cacti/apache.conf. Please add the same check for creating
> the symlink.

this may very well appear to be an issue, but i don't think removing
conf files is a good way of trying to increase security. it is
certainly not the debian way, and i think all bets are off when it
comes to what packages do when their files have gone missing. 

it is much more optimal to manually edit the conf files to achieve
whatever security level you desire.  as an added bonus, when you
upgrade the package, you will get the option to keep your modified conf
files.

best wishes,
mike
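The check the quoted report asks for, as an added example written for this thread and not taken from the cacti package's own maintainer scripts: a postinst-style helper that only (re)creates the conf.d symlink while /etc/cacti/apache.conf still exists, removes a dangling link so "apache2 reload" does not fail, and a scan that reports dangling symlinks in conf.d. Directory paths are passed as arguments (an assumption made here) so it can be run against a scratch tree instead of /etc.

```shell
#!/bin/sh
# Added example, not the cacti package's own postinst. Paths are passed as
# arguments (an assumption made here) so the logic can be exercised against a
# scratch directory instead of /etc/apache2 and /etc/cacti.

# cacti_conf_link CONFD TARGET
# Create CONFD/cacti.conf -> TARGET only when TARGET exists. If the sysadmin
# removed TARGET, leave no link behind: a dangling one breaks "apache2 reload".
cacti_conf_link() {
    confd="$1"
    target="$2"
    link="$confd/cacti.conf"

    if [ -e "$target" ]; then
        # Normal case: target present, add the link unless something is there.
        if [ ! -e "$link" ] && [ ! -L "$link" ]; then
            ln -s "$target" "$link"
        fi
    elif [ -L "$link" ] && [ ! -e "$link" ]; then
        # Target gone and the link now dangles: remove it, do not recreate it.
        echo "Not creating $link: $target has been removed" >&2
        rm -f "$link"
    fi
    return 0
}

# check_dangling_links CONFD
# Return 0 when CONFD holds no dangling symlinks (what Apache needs in order
# to parse its configuration), 1 otherwise, naming each offender on stderr.
check_dangling_links() {
    rc=0
    for f in "$1"/*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "dangling symlink: $f" >&2
            rc=1
        fi
    done
    return $rc
}
```

Running check_dangling_links against /etc/apache2/conf.d before "apache2ctl configtest" gives the same "Could not open configuration file" condition from the report without restarting the service.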
