Design With Crackers

Monday, 7 June 2010

A mod_userdir problem on Ubuntu and derived distros

Nobody likes unpleasant surprises, and I'm no different. The latest such surprise for me was a problem with Apache mod_userdir, namely that it doesn't work anymore as of Ubuntu Lucid Lynx.

For patronizing "security" reasons the maintainers of the affected packages thought it was valid to change the default behavior from what it had been since the first release of the distribution. The precise nature of the issue is that they disabled PHP parsing for "~/public_html/". The details, along with their reasons and an explanation of how to fix it, are here.
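For reference, here is what the change boils down to in Apache configuration terms, as an added example rather than anything from the original post or the linked wiki page. It shows the stock block that switches the PHP engine off under ~/public_html, and two ways of re-enabling it: the blanket fix, and a narrower one that only re-enables PHP for named accounts. The file paths and the account names "alice" and "bob" are assumptions; check them against your own system.

```apache
# /etc/apache2/mods-available/php5.conf   (path assumed; verify on your box)
#
# Stock block: turns the PHP engine off for every user's ~/public_html.
# This is what disables PHP parsing in user directories on Lucid.
<IfModule mod_userdir.c>
    <Directory /home/*/public_html>
        php_admin_value engine Off
    </Directory>
</IfModule>

# Option A (the blanket fix): comment the block above out entirely.
# Do NOT simply change "Off" to "On": php_admin_value cannot be overridden
# from .htaccess, so "On" would also stop a user from disabling PHP in
# their own directory.

# Option B (narrower): keep the stock block and re-enable the engine only
# for accounts you trust. Both patterns have the same path depth, so Apache
# applies them in file order and these later sections win.
# "alice" and "bob" are example account names, not real users.
<IfModule mod_userdir.c>
    <Directory /home/alice/public_html>
        php_admin_value engine On
    </Directory>
    <Directory /home/bob/public_html>
        php_admin_value engine On
    </Directory>
</IfModule>

# Optionally, in /etc/apache2/mods-available/userdir.conf (path assumed),
# restrict which accounts get a ~/public_html at all:
#
#   UserDir public_html
#   UserDir disabled
#   UserDir enabled alice bob
#
# Reload Apache afterwards, e.g.:  sudo /etc/init.d/apache2 reload
```

A quick sanity check after reloading is to drop a file containing `<?php phpinfo(); ?>` into a trusted user's public_html and request it; if the browser shows the raw source instead of the phpinfo page, the engine is still off for that directory, which usually means the Off block still sorts after your override or the php5 module is not enabled at all.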

What strikes me as the worst part of this whole issue is this piece of flawed reasoning, which is extremely offensive to web developers:
"Security note: Running PHP scripts in users' home directories was not disabled for a frivolous reason -- PHP is a full programming language, and as such, can be used by attackers in nefarious ways. Ideally, the PHP engine should only be enabled for users you (the system administrator) trust, and even then sparingly."
Anyone who willfully installs the PHP interpreter on their system knows not to run scripts written by unverified/untrusted third parties without inspecting them first, period. If you have a multi-user environment, and you want to restrict who can do such and such things, the onus is on you to implement it as you see fit. Because of this whole mess I lost an entire hour of my day:
  1. 15 minutes checking my development environment installation procedure, because, as Jeff Atwood says: "It's always your fault".
  2. Another 15 minutes sanity checking all the obvious configuration files, just to discover that they are all ok.
  3. Lastly, I wasted 30 minutes reading dozens of Google search results (mostly forum posts at ubuntuforum.org) until I finally stumbled onto the Ubuntu Wiki link.
NOTE: I'm that odd kind of guy who actually READS the release notes from an update to his OS before moving to the new version. No warning about this change was to be found there.

This is just stupid.

