[El] Mapserver binary path and some possible security issues
Peter Hopfgartner
peter.hopfgartner at r3-gis.com
Sat Apr 16 03:16:08 EDT 2011
--------Volker Fröhlich <volker27 at gmx.at> wrote--------
Subject: [El] Mapserver binary path and some possible security issues
Date: 15.04.2011 21:44
>Dear list readers!
>
Hi, Volker
>The mapserver binary currently goes to %{_sbindir}. This does not comply with
>the File Hierarchy Standard and was considered a serious security problem as
>well, being discussed on #fedora-devel.
>
I agree, having a CGI executable in %{_sbindir} never seemed a good fit to me. Where do other packages store the executables that are called through CGI? Bugzilla?
>Much rather, the binary should go to %{_libexecdir}. Please see:
>
>http://www.pathname.com/fhs/pub/fhs-2.3.html#SBINSYSTEMBINARIES
>http://fedoraproject.org/wiki/PackagingGuidelines#Libexecdir
>
A better place than %{_sbindir}, for sure. Looking at the Ubuntu package, they place mapserv in /usr/lib/cgi-bin/.
>I'm aware, this path is also wrong in Fedora, but I don't feel like taking all
>the load of the world on my back, since this is none of my packages in Fedora.
>
>Besides that, you might be interested in this ticket:
>https://bugzilla.redhat.com/show_bug.cgi?id=617301
>
Reading through http://trac.osgeo.org/mapserver/ticket/3485 it seems that this was fixed as of 5.6.4, which was the reason why we decided to update the mapserver package very quickly, when that version came out.
>I haven't cross-checked whether you patch this out, but the Fedora package is
>not really active, hence I tell you.
>
>Volker Fröhlich
Thanks for your feedback,
Peter
R3 GIS Srl - GmbH
http://www.r3-gis.com