Debian Bug report logs - #565738
drupal6: Bad apache configuration - Should not install/enable anything in /etc/apache2/conf.d/drupal


Package: drupal6; Maintainer for drupal6 is Luigi Gangitano <luigi@debian.org>;

Reported by: "Daniel Reurich \(Centurion Computer Technology\)" <centurion@wl.co.nz>

Date: Mon, 18 Jan 2010 13:33:01 UTC

Severity: important

Found in version drupal6/6.15-1

Fixed in version drupal6/6.20-1

Done: Luigi Gangitano <luigi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#565738; Package drupal6. (Mon, 18 Jan 2010 13:33:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Daniel Reurich \(Centurion Computer Technology\)" <centurion@wl.co.nz>:
New Bug report received and forwarded. Copy sent to Luigi Gangitano <luigi@debian.org>. (Mon, 18 Jan 2010 13:33:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Daniel Reurich \(Centurion Computer Technology\)" <centurion@wl.co.nz>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: drupal6: Bad apache configuration - Should not install/enable anything in /etc/apache2/conf.d/drupal
Date: Tue, 19 Jan 2010 02:21:55 +1300
Package: drupal6
Version: 6.15-1
Severity: important

Symlinking /etc/drupal/6/apache.conf to /etc/apache2/conf.d/drupal6 causes drupal to be accessible from every site hosted by the apache server, whether it is wanted or not.  This may not be (and is certainly not for me) the expected or wanted default behaviour for a drupal installation.

This behaviour I believe to be an abuse of the /etc/apache2/conf.d
location, which should not be used to "make it just work easy".

Please don't do this, and certainly not without having debconf ask
first.

-- System Information:
Debian Release: 5.0.2
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages drupal6 depends on:
ii  apache2                  2.2.14-1        Apache HTTP Server metapackage
ii  apache2-mpm-prefork [htt 2.2.14-1        Apache HTTP Server - traditional n
ii  curl                     7.19.7-1        Get a file from an HTTP, HTTPS or 
ii  dbconfig-common          1.8.41          common framework for packaging dat
ii  debconf [debconf-2.0]    1.5.24          Debian configuration management sy
ii  mysql-client-5.0 [virtua 5.0.81-1        MySQL database client binaries
ii  php5                     5.2.11.dfsg.1-2 server-side, HTML-embedded scripti
ii  php5-gd                  5.2.11.dfsg.1-2 GD module for php5
ii  php5-mysql               5.2.11.dfsg.1-2 MySQL module for php5
ii  php5-pgsql               5.2.11.dfsg.1-2 PostgreSQL module for php5
ii  postfix [mail-transport- 2.5.5-1.1       High-performance mail transport ag
ii  postgresql-client-8.3 [p 8.3.7-1         front-end programs for PostgreSQL 
ii  wwwconfig-common         0.2.1           Debian web auto configuration

Versions of packages drupal6 recommends:
ii  mysql-server                  5.0.81-1   MySQL database server (metapackage
ii  mysql-server-5.0 [mysql-serve 5.0.81-1   MySQL database server binaries
ii  postgresql                    8.3.7-1    object-relational SQL database (su

drupal6 suggests no packages.

-- debconf-show failed




Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#565738; Package drupal6. (Sat, 24 Apr 2010 15:30:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to jmroth+debbug@iip.lu:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a bug is determined using this field. Please remember to include a Subject field in your messages in future.

(Sat, 24 Apr 2010 15:30:05 GMT) Full text and rfc822 format available.


Message #10 received at 565738@bugs.debian.org (full text, mbox):

From: jmroth+debbug@iip.lu
To: 565738@bugs.debian.org
Date: Sat, 24 Apr 2010 17:17:49 +0200
Yeah, probably debconf should be used to ask which webservers should
be configured (or not).
However, this doesn't strike me as being that important since Drupal
has a quite good multisite behavior, i.e. it won't show anything under
a domain for which it hasn't been configured.




Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#565738; Package drupal6. (Sun, 19 Sep 2010 20:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Matt Taggart <taggart@debian.org>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>. (Sun, 19 Sep 2010 20:36:03 GMT) Full text and rfc822 format available.

Message #15 received at 565738@bugs.debian.org (full text, mbox):

From: Matt Taggart <taggart@debian.org>
To: 565738@bugs.debian.org
Subject: drupal: shouldn't enable on all sites by default
Date: Sun, 19 Sep 2010 13:34:05 -0700
The original submitter of #565738 is correct, drupal shouldn't enable for 
all sites on the server by default. It's not enough that "it won't show 
anything under a domain for which it hasn't been configured", it still 
allows access and reveals things that shouldn't be by serving the 
"site off-line" page.

At the very least the Alias needs to be removed and then users that want 
drupal enabled for a site can add the alias to that site (so you probably 
need something in /usr/share/doc/drupal6/ to explain how users get 
started). I don't know if it would still be OK for the Directory section to 
exist, I'd ask debian-apache@lists.debian.org.

-- 
Matt Taggart
taggart@debian.org






Severity set to 'grave' from 'important' Request was from Matt Taggart <taggart@debian.org> to control@bugs.debian.org. (Sun, 19 Sep 2010 20:36:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#565738; Package drupal6. (Mon, 20 Sep 2010 12:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luigi Gangitano <gangitano@lugroma3.org>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>. (Mon, 20 Sep 2010 12:36:03 GMT) Full text and rfc822 format available.

Message #22 received at 565738@bugs.debian.org (full text, mbox):

From: Luigi Gangitano <gangitano@lugroma3.org>
To: Matt Taggart <taggart@debian.org>, 565738@bugs.debian.org
Subject: Re: Bug#565738: drupal: shouldn't enable on all sites by default
Date: Mon, 20 Sep 2010 14:32:58 +0200
Matt,
can you please explain why you think this bug is 'grave' and not just 'important'?

To me, grave definition is:

makes the package in question unusable or mostly so, or causes data loss, or introduces a security hole allowing access to the accounts of users who use the package

and I cannot see any of these characteristics in this bug. Nor have I found any Debian policy violated. Can you point me to it?

Regards,

L

--
Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26





Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#565738; Package drupal6. (Mon, 20 Sep 2010 18:27:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Matt Taggart <taggart@debian.org>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>. (Mon, 20 Sep 2010 18:27:08 GMT) Full text and rfc822 format available.

Message #27 received at 565738@bugs.debian.org (full text, mbox):

From: Matt Taggart <taggart@debian.org>
To: Luigi Gangitano <gangitano@lugroma3.org>
Cc: Matt Taggart <taggart@debian.org>, 565738@bugs.debian.org
Subject: Re: Bug#565738: drupal: shouldn't enable on all sites by default
Date: Mon, 20 Sep 2010 11:22:51 -0700
> Matt,
> can you please explain why you think this bug is 'grave' and not just
> 'important'?
> 
> To me, grave definition is:
> 
> makes the package in question unusable or mostly so, or causes data
> loss, or introduces a security hole allowing access to the accounts of
> users who use the package

IMO it's a security bug, but downgrade if you disagree.

Thanks,

-- 
Matt Taggart
taggart@debian.org






Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#565738; Package drupal6. (Mon, 20 Sep 2010 20:27:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>. (Mon, 20 Sep 2010 20:27:05 GMT) Full text and rfc822 format available.

Message #32 received at 565738@bugs.debian.org (full text, mbox):

From: Gunnar Wolf <gwolf@gwolf.org>
To: Matt Taggart <taggart@debian.org>, 565738@bugs.debian.org
Cc: Luigi Gangitano <gangitano@lugroma3.org>
Subject: Re: Bug#565738: drupal: shouldn't enable on all sites by default
Date: Mon, 20 Sep 2010 15:23:41 -0500
Matt Taggart said [Mon, Sep 20, 2010 at 11:22:51AM -0700]:
> IMO it's a security bug, but downgrade if you disagree.
> 
> Thanks,

I tend to disagree - And it is a characteristic I really appreciate
about Debian's packaging of Drupal: One of those great instances of
"Install. It just works." that defines our distribution.

AFAICT, most CGI-shipping (maybe even PHP-shipping) packages drop them
in a directory where they are accessible by an out-of-the-box install
of several of our webservers.

Still, it does warrant some thought.




Message sent on to "Daniel Reurich \(Centurion Computer Technology\)" <centurion@wl.co.nz>:
Bug#565738. (Sun, 14 Nov 2010 20:06:07 GMT) Full text and rfc822 format available.

Message #35 received at 565738-submitter@bugs.debian.org (full text, mbox):

From: Patrick Matthäi <pmatthaei@debian.org>
To: gangitano@lugroma3.org, 565738-submitter@bugs.debian.org, Gunnar Wolf <gwolf@debian.org>
Subject: Re: Bug#565738: drupal: shouldn't enable on all sites by default
Date: Sun, 14 Nov 2010 21:02:44 +0100
I agree with Gunnar.
This bug is not really security relevant; it would be if there were open
security issues with..

Users could deactivate drupal easily by just removing the symlink and
this method is used by several other packages, so that they work after
installation.

Sure it would be nice to get asked by debconf if it should be activated,
but that is something like "wishlist" IMHO.

I recommend that the submitter of this report or the package maintainer
downgrade this bug to something != release critical.

-- 
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

E-Mail: pmatthaei@debian.org
        patrick@linux-dev.org

Comment:
Always if we think we are right,
we were maybe wrong.
*/


Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#565738; Package drupal6. (Sun, 28 Nov 2010 13:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Fournier <marc.fournier@camptocamp.com>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>. (Sun, 28 Nov 2010 13:00:03 GMT) Full text and rfc822 format available.

Message #40 received at 565738@bugs.debian.org (full text, mbox):

From: Marc Fournier <marc.fournier@camptocamp.com>
To: 565738@bugs.debian.org
Subject: drupal6: please lower #565738 severity to non-RC
Date: Sun, 28 Nov 2010 13:51:00 +0100
Excerpt from /usr/share/doc/apache2.2-common/README.Debian.gz:

    If the local administrator is not comfortable with packages
    activating their config files by default, it is possible
    to change the 'Include /etc/apache2/conf.d/' in apache2.conf
    into 'Include /etc/apache2/conf.d.enabled/' and create that
    directory. He can then put symlinks to the files in conf.d
    which he wants to enable into conf.d.enabled.


Given this bug:
 - has a workaround as suggested above
 - is the same as #553173 and #604980
 - could apply to many other packages (nagios, gitweb, doc-central, etc)
 - should probably get fixed in apache itself (#605227)
 - is a release blocker

I suggest its severity should get lowered.

Many thanks !
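The README.Debian workaround quoted above, as an added example (not part of the bug report or of the Debian packaging): it rewrites the global conf.d include into a conf.d.enabled whitelist, opts a single snippet back in by symlink, and checks whether a given conf.d snippet is still reachable from apache2.conf. The rehearsal at the end runs against a constructed config tree in a temp directory; pass /etc/apache2 as the root to apply it to a real system. The `Alias` line used as the stand-in drupal6 snippet is constructed, not copied from /etc/drupal/6/apache.conf.

```shell
#!/bin/sh
# Added example, not from the bug report or the drupal6 package.
# ROOT is an apache2 configuration directory (e.g. /etc/apache2).
set -eu

# Replace the global 'Include /etc/apache2/conf.d/' with the whitelist
# directory from README.Debian. Keeps apache2.conf.bak; returns 1 if the
# global include line is not present (already converted, or a custom config).
use_confd_whitelist() {
    root="$1"
    grep -q '^Include /etc/apache2/conf.d/$' "$root/apache2.conf" || return 1
    mkdir -p "$root/conf.d.enabled"
    sed -i.bak 's|^Include /etc/apache2/conf.d/$|Include /etc/apache2/conf.d.enabled/|' \
        "$root/apache2.conf"
}

# Opt one snippet in explicitly: symlink conf.d/NAME into conf.d.enabled/.
enable_snippet() {
    ln -sfn "../conf.d/$2" "$1/conf.d.enabled/$2"
}

# Is conf.d/NAME reachable from apache2.conf? True if the global include is
# still there (every vhost gets it) or the snippet has been whitelisted.
snippet_active() {
    root="$1"; name="$2"
    if grep -q '^Include /etc/apache2/conf.d/$' "$root/apache2.conf" \
       || [ -e "$root/conf.d.enabled/$name" ]; then
        echo "$name: active"; return 0
    fi
    echo "$name: inactive"; return 1
}

# Rehearsal on a constructed tree; nothing under /etc is touched.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/conf.d"
    printf 'ServerRoot "/etc/apache2"\nInclude /etc/apache2/conf.d/\n' > "$root/apache2.conf"
    # constructed stand-in for the symlink drupal6 6.15-1 dropped into conf.d
    printf 'Alias /drupal6 /usr/share/drupal6\n' > "$root/conf.d/drupal6"
    snippet_active "$root" drupal6 || true   # active: served on every vhost
    use_confd_whitelist "$root"
    snippet_active "$root" drupal6 || true   # inactive until the admin opts in
    enable_snippet "$root" drupal6
    snippet_active "$root" drupal6           # active again, by explicit choice
    rm -rf "$root"
}

demo
```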




Added blocking bug(s) of 565738: 605227 Request was from Marc Fournier <marc.fournier@camptocamp.com> to control@bugs.debian.org. (Sun, 28 Nov 2010 13:00:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#565738; Package drupal6. (Wed, 08 Dec 2010 22:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>. (Wed, 08 Dec 2010 22:33:03 GMT) Full text and rfc822 format available.

Message #47 received at 565738@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Marc Fournier <marc.fournier@camptocamp.com>
Cc: 565738@bugs.debian.org, control@bugs.debian.org
Subject: Re: drupal6: please lower #565738 severity to non-RC
Date: Wed, 8 Dec 2010 23:29:42 +0100
severity 565738 important
thanks

On Sun, Nov 28, 2010 at 01:51:00PM +0100, Marc Fournier wrote:
> Excerpt from /usr/share/doc/apache2.2-common/README.Debian.gz:
> 
>     If the local administrator is not comfortable with packages
>     activating their config files by default, it is possible
>     to change the 'Include /etc/apache2/conf.d/' in apache2.conf
>     into 'Include /etc/apache2/conf.d.enabled/' and create that
>     directory. He can then put symlinks to the files in conf.d
>     which he wants to enable into conf.d.enabled.
> 
> 
> Given this bug:
>  - has a workaround as suggested above
>  - is the same as #553173 and #604980
>  - could apply to many other packages (nagios, gitweb, doc-central, etc)
>  - should probably get fixed in apache itself (#605227)
>  - is a release blocker
> 
> I suggest its severity should get lowered.

I agree. Since Luigi suggested the same as the maintainer, I'm going
ahead and lowering the severity.

Cheers,
        Moritz




Severity set to 'important' from 'grave' Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Wed, 08 Dec 2010 22:33:08 GMT) Full text and rfc822 format available.

Reply sent to Luigi Gangitano <luigi@debian.org>:
You have taken responsibility. (Fri, 18 Feb 2011 20:36:07 GMT) Full text and rfc822 format available.

Notification sent to "Daniel Reurich \(Centurion Computer Technology\)" <centurion@wl.co.nz>:
Bug acknowledged by developer. (Fri, 18 Feb 2011 20:36:07 GMT) Full text and rfc822 format available.

Message #54 received at 565738-close@bugs.debian.org (full text, mbox):

From: Luigi Gangitano <luigi@debian.org>
To: 565738-close@bugs.debian.org
Subject: Bug#565738: fixed in drupal6 6.20-1
Date: Fri, 18 Feb 2011 20:34:13 +0000
Source: drupal6
Source-Version: 6.20-1

We believe that the bug you reported is fixed in the latest version of
drupal6, which is due to be installed in the Debian FTP archive:

drupal6_6.20-1.diff.gz
  to main/d/drupal6/drupal6_6.20-1.diff.gz
drupal6_6.20-1.dsc
  to main/d/drupal6/drupal6_6.20-1.dsc
drupal6_6.20-1_all.deb
  to main/d/drupal6/drupal6_6.20-1_all.deb
drupal6_6.20.orig.tar.gz
  to main/d/drupal6/drupal6_6.20.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 565738@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luigi Gangitano <luigi@debian.org> (supplier of updated drupal6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 18 Feb 2011 20:00:12 +0100
Source: drupal6
Binary: drupal6
Architecture: source all
Version: 6.20-1
Distribution: unstable
Urgency: low
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Luigi Gangitano <luigi@debian.org>
Description: 
 drupal6    - a fully-featured content management framework
Closes: 565738 613343
Changes: 
 drupal6 (6.20-1) unstable; urgency=low
 .
   [ Luigi Gangitano ]
   * New upstream release (Closes: #613343)
 .
   * debian/watch
     - Updated watch file to changed upstream repo
 .
   * debian/{drupal6.post{inst,rm},README.Debian}
     - Removed automatic link in apache2 configuration directory, added
       instructions on how to enable to README.Debian (Closes: #565738)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 29 Mar 2011 07:34:58 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 13:16:49 2014; Machine Name: beach.debian.org
