Re: [Koha-devel] Issues for README.txt and Makefile.PL
From: MJ Ray
Subject: Re: [Koha-devel] Issues for README.txt and Makefile.PL
Date: Mon, 26 Nov 2007 11:42:02 +0000
User-agent: Heirloom mailx 12.2 01/07/07
"Thomas Dukleth" <address@hidden> wrote: [...]
> As I was preparing some proposed fixes, Joshua Ferraro informed me that
> there are various pending fixes from a few people. Some of the pending
> fixes will not be pushed up to the Koha git repository because they
> conflict with other more complete fixes. [...]
That seems like the wrong solution to me. If people aren't creating
and pushing unannounced fixes to the main repo fast enough, the
conflicts are their lookout IMO. For example, I didn't know Galen
Charlton was also working on the PL_FILES problems until your email.
A few comments on the other aspects:
> [...] Vincent Danjean has some supplementary Debian packages at
> http://www-id.imag.fr/Laboratoire/Membres/Danjean_Vincent/deb.html and MJ
> Ray has some at http://serene.ttllp.co.uk/~mjr/ . At some point, these
> should be placed in repository for apt to use.
They will be placed in the main repositories. Vincent Danjean has
pushed some packages to pkg-perl just this weekend.
> 2.1. PROBLEMS PREVENTING SUCCESSFUL MAKE.
>
> File globbing which captures directories builds a makefile which aborts
> with the following error when running make.
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> ERROR: Cannot copy 'installer/data/mysql/fr/mandatory' to
> '/usr/local/lib/cgi-bin/koha/installer/data/mysql/fr/mandatory': Is a
> directory
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> at -e line 1
> make: *** [pm_to_blib] Error 21
>
> Changing general file globbing from * to *.* for using the '.' in
> filenames can fix that problem. However, that solution is not robust if
> files are not in *.* form and at least needs a specific correction for
> .htaccess as the only file which does not match the pattern.
A better fix might be to check that glob returns are files with -f or
at least ! -d.
> 2.3. INSTALLATION FILE OWNERSHIP.
>
> The webserver user should be read and ownership of the necessary files
> should be changed to the webserver user when running make install.
Why? That seems like a serious security risk, leaving the web
application able to change the file-based configuration if exploited.
I think that is one thing which should be left to defaults, with the
sysadmin tightening things if needed.
> 2.4.2. KOHA-HTTPD.CONF.
>
> Using the ScriptAlias directives is considered a security vulnerability.
By whom? It's not mentioned in
http://httpd.apache.org/docs/2.2/howto/cgi.html
- in fact, it seems to suggest the reverse.
> Alias directives, rewrite rules or some other more secure method should be
> substituted for ScriptAlias directives.
Rewrite rules would add extra requirements for Koha hosting. Not sure
whether that's a problem or not.
Hope that helps,
--
MJ Ray http://mjr.towers.org.uk/email.html tel:+44-844-4437-237 -
Webmaster-developer, statistician, sysadmin, online shop builder,
consumer and workers co-operative member http://www.ttllp.co.uk/ -
Writing on koha, debian, sat TV, Kewstoke http://mjr.towers.org.uk/
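
The file-ownership concern raised in the reply to section 2.3, as an added example that is not part of the original message or of Koha: a shell function that lists the paths in an install tree which the web server account owns or can write through plain permission bits. The function names and the sample tree are constructed for illustration; ACLs and supplementary groups are not considered.

```shell
#!/bin/sh
# Added example (not from the thread): report paths in an install tree that a
# given account could modify. Assumption: only classic Unix mode bits are
# checked; POSIX ACLs and supplementary groups are ignored.

# webuser_writable TREE USER GROUP   (hypothetical helper name)
# USER and GROUP are the name or numeric id of the web server account.
webuser_writable() {
    tree=$1 user=$2 group=$3
    # A path is reported when:
    #   - the account owns it (an owner can always chmod write access back), or
    #   - the account's group has the write bit, or
    #   - it is world-writable.
    # Directories are included: write access to a directory allows replacing
    # the files inside it, whatever their own mode.
    find "$tree" \( -type f -o -type d \) \( \
        -user "$user" -o \
        \( -group "$group" -perm -020 \) -o \
        -perm -002 \) -print | sort
}

# build_sample_tree   (hypothetical helper; constructed sample data)
# Creates a small tree with one world-writable file and prints its path.
build_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/etc" "$d/cgi-bin"
    : > "$d/etc/site.conf";      chmod 644 "$d/etc/site.conf"
    : > "$d/cgi-bin/app.pl";     chmod 555 "$d/cgi-bin/app.pl"
    : > "$d/cgi-bin/upload.tmp"; chmod 666 "$d/cgi-bin/upload.tmp"
    chmod 755 "$d" "$d/etc" "$d/cgi-bin"
    printf '%s\n' "$d"
}

# Run as: script.sh TREE USER GROUP
if [ "$#" -eq 3 ]; then
    webuser_writable "$1" "$2" "$3"
fi
```

An empty result for the web server account means an exploited application cannot rewrite its own code or file-based configuration through these permission bits.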