
Icingaweb2 RPM places apache user in icingaweb2 group

Open basg opened this issue 4 years ago • 3 comments

It seems that RPM package icingaweb2 adds the user apache to groups icingacmd and icingaweb2.

$ rpm -q --scripts icingaweb2
preinstall scriptlet (using /bin/sh):
getent group icingacmd >/dev/null || groupadd -r icingacmd
usermod -a -G icingacmd,icingaweb2 apache
exit 0

If I'm correct, this should not be necessary, and may even pose a security risk.

basg, May 22 '20 13:05

We need to test and verify this.

htriem, Sep 08 '21 15:09

Yes, please, there is absolutely no need for this. It may be an artifact from legacy mod_php setups using cmdpipe?

prupert, Sep 09 '21 08:09

> Yes, please, there is absolutely no need for this. It may be an artifact from legacy mod_php setups using cmdpipe?

It's not an artefact, all recent packages still add the Apache user to that group, as there may still be someone out there using cmdpipe instead of the API, even if it's already deprecated. However, we should consider removing this from future releases, and if someone still uses cmdpipe, they will have to add it to that group themselves.

yhabteab, Apr 04 '24 12:04
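
An added example, not part of the issue thread or the Icinga packaging code: a shell filter that reads `rpm -q --scripts` output and lists every supplementary-group membership a scriptlet grants through `usermod`, so group additions like the one reported here can be reviewed before installing a package. The function names are hypothetical, and it assumes each `usermod` call sits on one line with literal (non-variable) arguments.

```shell
#!/bin/sh
# Added example (not from the issue thread): report which users a package's
# scriptlets add to which supplementary groups via usermod.

# Scriptlet text exactly as quoted in the issue above.
sample_scriptlet() {
cat <<'EOF'
preinstall scriptlet (using /bin/sh):
getent group icingacmd >/dev/null || groupadd -r icingacmd
usermod -a -G icingacmd,icingaweb2 apache
exit 0
EOF
}

# stdin: output of `rpm -q --scripts <package>`
# stdout: one "<user> <group>" pair per line
scriptlet_group_adds() {
    awk '
    $1 ~ /^#/ { next }                      # skip commented-out lines
    {
        um = 0; groups = ""; user = ""
        for (i = 1; i <= NF; i++)
            if ($i == "usermod" || $i ~ /\/usermod$/) { um = i; break }
        if (!um) next
        for (i = um + 1; i <= NF; i++) {
            # stop at shell operators and redirections that end the command
            if ($i == "||" || $i == "&&" || $i == ";" || $i == "|") break
            if ($i ~ /^[0-9]*[<>]/) break
            if ($i == "--groups" || $i ~ /^-[a-zA-Z]*G$/) {
                groups = $(i + 1); i++      # covers -G and combined forms such as -aG
            } else if ($i ~ /^--groups=/) {
                groups = substr($i, 10)
            } else if ($i !~ /^-/) {
                user = $i                   # LOGIN is the last non-option word
            }
        }
        if (groups == "" || user == "") next
        n = split(groups, g, ",")
        for (j = 1; j <= n; j++) print user, g[j]
    }'
}

sample_scriptlet | scriptlet_group_adds
```

On a host with the package installed, pipe `rpm -q --scripts icingaweb2` into `scriptlet_group_adds` and compare the result with `id -nG apache` to see which memberships are actually in effect.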