Thomas Biege wrote:
On Thursday, 21 April 2011, 14:39:13, Ludwig Nussel wrote:
Ralf Lang wrote:
While packaging horde4 I noticed the rpmlint warning
horde4.noarch: W: non-etc-or-var-file-marked-as-conffile /srv/www/htdocs/horde4/config/conf.php.dist
If config files are allowed to live in /var (where web apps used to live in old times), why are they not allowed in /srv?
Good topic. Why do web apps not adhere to the traditional layout we are used to anyways? /srv is a mess. It mixes vendor files with user files, config files with static data, binaries with state databases etc. This is not specific to horde of course but let's use it as an example. Why not keep the default document root /srv/www/htdocs clean and put horde to e.g. /usr/share/horde4, its config files to /etc/horde4 and its database or whatever variable data it has to /var/lib/horde4?
From my POV web-apps aren't stand-alone applications but script files for an interpreter used by apache2. Therefore I see no problem having all files under DocumentRoot.
The document root mixes user provided content with distro content which makes it hard to create useful backups.
It also makes it easier to confine web-apps without giving an attacker access to /etc.
Isn't that an argument pro using /etc? So an attacker that gained access to the document root can't read or even modify the config file?

cu
Ludwig

--
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)