[Xapian-devel] Omega changes

Olly Betts olly at survex.com
Tue Dec 21 11:17:41 GMT 2004


On Sun, Dec 19, 2004 at 06:20:09PM +0000, James Aylett wrote:
> On Fri, Dec 17, 2004 at 05:53:18PM +0000, Olly Betts wrote:
> 
> > If this is really the problem you seem to think, so is storing your
> > databases, templates, and log files in the default locations.  I could
> > see more of an argument here if omega.conf were to contain values which
> > didn't have defaults.
> 
> Aren't the defaults system-wide defaults? In which case it's only of
> use there if you're the system admin, in which case I'd hope you can
> (a) make your own security decisions, and (b) keep your
> permissions in order. Many users in providing hosting environments
> can't do this, and I tend to get worried about them.

I think we can only go so far along such a road.  We shouldn't just make
everything harder to use just because we're worried that someone will
ignore common sense and the documentation.  A balance needs to be struck
- you shouldn't deliberately go around creating traps for the unwary,
but good tools sometimes need to be sharp...

> > Note also that this configuration file has to be readable by the user
> > the http server runs as, so anyone who can put dynamic content such as
> > CGI scripts or PHP on the server (legitimately or via a hole) will be
> > able to read it.  Even not knowing the pathname is little obstacle
> > if you can put content on the server.
> 
> You have to get pretty devious if the only thing you can run in the
> environment is CGI/PHP (because of execution time limits).

A find job may well be too slow, but locate most likely isn't, and an
interactive browser isn't either.  Even find may be quick enough once
lots is cached, so rerunning it a few times may stop it timing out.

Cheers,
    Olly