Debian Bug report logs - #703740
php5: disabled modules are automatically readded to /etc/php5/conf.d on package upgrade

Package: src:php5; Maintainer for src:php5 is (unknown);

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Sat, 23 Mar 2013 00:09:02 UTC

Severity: wishlist

Found in version php5/5.4.4-15

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#703740; Package src:php5. (Sat, 23 Mar 2013 00:09:06 GMT) (full text, mbox, link).


Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 23 Mar 2013 00:09:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5: disabled modules are automatically readded to /etc/php5/conf.d on package upgrade
Date: Sat, 23 Mar 2013 01:05:20 +0100
Source: php5
Version: 5.4.4-15
Severity: important
Tags: security


Hi.

I just noted by chance on an upgrade, that the following files were automatically added back
Only in /etc/php5/cgi/conf.d: 20-pdo_pgsql.ini
Only in /etc/php5/cgi/conf.d: 20-pgsql.ini
Only in /etc/php5/conf.d: 20-pdo_pgsql.ini
Only in /etc/php5/conf.d: 20-pgsql.ini
which I've had disabled before.

IMHO that shouldn't happen... actually I think, that it would even be better, if _no_
modules are automatically loaded... auto-magic stuff is nice for out-of-the-box games,
but not for serious and secure administration :) ... perhaps a release goal for jessie?! ;)


I mark this as important/security, as unintentionally enabling a module in the "global" /etc/php5/conf.d
could be an issue if that is e.g. security critical and was intentionally only enabled in e.g.
SSL client auth secured URI spaces.


Thanks,
Chris.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#703740; Package src:php5. (Sat, 23 Mar 2013 09:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 23 Mar 2013 09:51:04 GMT) (full text, mbox, link).


Message #10 received at 703740@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 703740@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: [php-maint] Bug#703740: php5: disabled modules are automatically readded to /etc/php5/conf.d on package upgrade
Date: Sat, 23 Mar 2013 10:47:57 +0100
tag 703740 -security
severity 703740 wishlist

php5{en,dis}mod are tools for modules to handle the install/remove/purge.

If you want the module disabled either uninstall it, or comment it in the
conf file.

O.


On Sat, Mar 23, 2013 at 1:05 AM, Christoph Anton Mitterer <
calestyo@scientia.net> wrote:

> Source: php5
> Version: 5.4.4-15
> Severity: important
> Tags: security
>
>
> Hi.
>
> I just noted by chance on an upgrade, that the following files were
> automatically added back
> Only in /etc/php5/cgi/conf.d: 20-pdo_pgsql.ini
> Only in /etc/php5/cgi/conf.d: 20-pgsql.ini
> Only in /etc/php5/conf.d: 20-pdo_pgsql.ini
> Only in /etc/php5/conf.d: 20-pgsql.ini
> which I've had disabled before.
>
> IMHO that shouldn't happen... actually I think, that it would even be
> better, if _no_
> modules are automatically loaded... auto-magic stuff is nice for
> out-of-the-box games,
> but not for serious and secure administration :) ... perhaps a release
> goal for jessie?! ;)
>
>
> I mark this as important/security, as unintentionally enabling a module in
> the "global" /etc/php5/conf.d
> could be an issue if that is e.g. security critical and was intentionally
> only enabled in e.g.
> SSL client auth secured URI spaces.
>
>
> Thanks,
> Chris.



-- 
Ondřej Surý <ondrej@sury.org>

Removed tag(s) security. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Sat, 23 Mar 2013 09:51:06 GMT) (full text, mbox, link).


Severity set to 'wishlist' from 'important' Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Sat, 23 Mar 2013 09:51:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#703740; Package src:php5. (Sun, 16 Jun 2013 20:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 16 Jun 2013 20:30:04 GMT) (full text, mbox, link).


Message #19 received at 703740@bugs.debian.org (full text, mbox, reply):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: 712509@bugs.debian.org
Cc: 703740@bugs.debian.org
Subject: Re: Bug#712509: php-common: disabled modules are auto-re-enabled on upgrade
Date: Sun, 16 Jun 2013 22:27:07 +0200
reassign 712509 src:php5
forcemerge 703740 712509
stop

Well... I still think that this is a potential security issue... and at
the least it's very annoying if things one explicitly disabled are
re-enabled again.

Would be the same if a package on upgrade messes around with sysvrc
levels when you explicitly disabled a service.


Cheers,
Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#703740; Package src:php5. (Sat, 03 Aug 2013 18:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 03 Aug 2013 18:21:04 GMT) (full text, mbox, link).


Message #24 received at 703740@bugs.debian.org (full text, mbox, reply):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: 703740@bugs.debian.org
Subject: Re: php5: disabled modules are automatically readded to /etc/php5/conf.d on package upgrade
Date: Sat, 03 Aug 2013 20:18:35 +0200
Hi Ondřej

Can it be, that this is already implemented in the meantime? Well at
least partially...

It seems that the new:
/var/lib/php5/modules/
├── cgi
│   ├── disabled_by_admin
│   └── enabled_by_maint
└── registry

Is about just what I was talking about.

I tried it and it worked... :)


One minor thing perhaps:
What I did was e.g.:
php5dismod -s ALL pdo_pgsql pgsql

But it just created cgi, as seen above.
So should I later add another SAPI,... I guess it will be enabled again
for those.

Can't you make a special ALL directory... and always evaluate its
contents in addition?


But apart from that... great work :)
As always, kudos to you and the other PHP maintainers.



Cheers,
Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#703740; Package src:php5. (Sat, 03 Aug 2013 18:30:05 GMT) (full text, mbox, link).


Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 03 Aug 2013 18:30:05 GMT) (full text, mbox, link).


Message #29 received at 703740@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 703740@bugs.debian.org
Subject: Re: [php-maint] Bug#703740: php5: disabled modules are automatically readded to /etc/php5/conf.d on package upgrade
Date: Sat, 3 Aug 2013 20:27:50 +0200
On Sat, Aug 3, 2013 at 8:18 PM, Christoph Anton Mitterer <
calestyo@scientia.net> wrote:

> Can it be, that this is already implemented in the meantime?
>

Yes.


> One minor thing perhaps:
> What I did was e.g.:
> php5dismod -s ALL pdo_pgsql pgsql
>
> But it just created cgi, as seen above.
> So should I later add another SAPI,... I guess it will be enabled again
> for those.
>

Yes, it will be enabled for the new SAPI.


> Can't you make a special ALL directory... and always evaluate its
> contents in addition?
>

Nope, it's already complicated as is. That would add yet another state,
so unless you send a well tested patch, I will not touch it. It took me
quite a lot of time to catch all states.

O.
-- 
Ondřej Surý <ondrej@sury.org>
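
The gap confirmed in this exchange (a module disabled for the existing SAPIs is enabled again for a SAPI added later) can be checked for after an upgrade or after installing a new SAPI. The shell function below is an added example, not part of the bug log or of the php5 packaging; `find_reenabled` is a hypothetical name, and it assumes that `disabled_by_admin` is a directory holding one entry per module and that a loaded module appears as `NN-<module>.ini` in `/etc/php5/<sapi>/conf.d`.

```shell
#!/bin/sh
# Added example: list modules the admin disabled for at least one SAPI
# that still have an ini file in some SAPI's conf.d directory.
# Assumed layout (an assumption, not confirmed by the thread):
#   $state/<sapi>/disabled_by_admin/<module>   one marker entry per module
#   $conf/<sapi>/conf.d/NN-<module>.ini        module is loaded for <sapi>
# Call as: find_reenabled /var/lib/php5/modules /etc/php5

find_reenabled() {
    state=$1
    conf=$2

    # Every module name carrying a disabled_by_admin marker in any SAPI.
    disabled=$(
        for marker in "$state"/*/disabled_by_admin/*; do
            if [ -e "$marker" ]; then basename "$marker"; fi
        done | LC_ALL=C sort -u
    )

    for confd in "$conf"/*/conf.d; do
        [ -d "$confd" ] || continue
        sapi=$(basename "$(dirname "$confd")")
        for mod in $disabled; do
            # "*-pgsql.ini" matches 20-pgsql.ini but not 20-pdo_pgsql.ini,
            # because the "-" must sit directly before the module name.
            for ini in "$confd"/*-"$mod".ini "$confd/$mod.ini"; do
                [ -e "$ini" ] || continue
                # marked:   this SAPI has its own marker, so the ini was re-added
                # unmarked: SAPI has no marker, e.g. it was installed later
                if [ -e "$state/$sapi/disabled_by_admin/$mod" ]; then
                    tag=marked
                else
                    tag=unmarked
                fi
                printf '%s %s %s\n' "$sapi" "$mod" "$tag"
                break
            done
        done
    done | LC_ALL=C sort
}
```

Each output line is `<sapi> <module> <marked|unmarked>`; empty output means no admin-disabled module is loaded anywhere.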

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#703740; Package src:php5. (Sat, 03 Aug 2013 19:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 03 Aug 2013 19:03:04 GMT) (full text, mbox, link).


Message #34 received at 703740@bugs.debian.org (full text, mbox, reply):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: 703740@bugs.debian.org
Subject: Re: [php-maint] Bug#703740: php5: disabled modules are automatically readded to /etc/php5/conf.d on package upgrade
Date: Sat, 03 Aug 2013 21:01:14 +0200
Then I guess we can close the bug...



Cheers,
Chris.

Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Sat, 03 Aug 2013 19:45:05 GMT) (full text, mbox, link).


Notification sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Bug acknowledged by developer. (Sat, 03 Aug 2013 19:45:05 GMT) (full text, mbox, link).


Message #39 received at 703740-done@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>
To: 703740-done@bugs.debian.org
Subject: Re: [php-maint] Bug#703740: Bug#703740: php5: disabled modules are automatically readded to /etc/php5/conf.d on package upgrade
Date: Sat, 3 Aug 2013 21:40:22 +0200
Version: php5/5.5.0+dfsg-7


On Sat, Aug 3, 2013 at 9:01 PM, Christoph Anton Mitterer <
calestyo@scientia.net> wrote:

> Then I guess we can close the bug...
>
>
>
> Cheers,
> Chris.



-- 
Ondřej Surý <ondrej@sury.org>

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Sep 2013 07:29:44 GMT) (full text, mbox, link).