During install of net-analyzer/cacti-0.8.2a (it also exists in previous versions) the whole directory of cacti will be assigned to the apache owner and group. This could allow a remote user to modify or add files in this directory. I see no need for this. A better approach would be a cacti system user to own these files by default. Run the 'php cmd.php' in his crontab. Furthermore, add a symbolic link in /etc/cacti/config.php to <cacti_home>/include/config.php (like phpmyadmin does). Reproducible: Always
I changed this once (Bug 20686) ... php guys, what do you think?
It's a web app, right? For now, its directories should be owned by the apache user, until we've made more progress on the webapps eclass. Definitely don't think it should have its own user. However, the idea of having a 'webapps' user so that apache can only access the files read-only even if cracked is a good one. What's wrong with installing it and making the directories read-only? Best regards, Stu
Please don't forget to add at least a comment on the crontab or mention the official install docs (http://www.raxnet.net/products/cacti/docs/INSTALL.htm), if you haven't decided on the user issue. Thx, - Nikl
Off topic, but... cacti 0.8.3 released (Development branch). The changes in this release are as follows: This version focuses on numerous bugfixes and several feature enhancements. Some of the features include bandwidth summation, the ability to add hosts to graph trees, a new DHTML-based tree view, and a new overall look. The C-based poller (cactid) has been heavily modified to be more efficient and reliable.
We'll be able to fix this more easily once the new web-app tools are done. Suggest re-visiting this bug then. I've marked this as LATER. We *will* come back to this as soon as possible. Best regards, stu
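A check for the condition this bug reports, and for the read-only layout suggested in the replies, as an added example that is not part of the original thread or of the ebuild: it lists every path under the application directory that the web server account can modify. The function name `writable_by_web_user` is hypothetical, and the account and group are passed in as arguments because they differ between systems.

```shell
#!/bin/sh
# Added example (not from the bug report): list everything under a web
# application directory that the web server account is able to modify.
#
# Usage: writable_by_web_user DIR USER GROUP
#   DIR   - application directory (the report's <cacti_home>)
#   USER  - account the web server runs as (name or numeric id)
#   GROUP - the web server's group (name or numeric id)
writable_by_web_user() {
    dir=$1 user=$2 group=$3
    # A path is modifiable by the web server when any of these hold:
    #   - it is owned by USER and has the owner write bit (0200)
    #   - it belongs to GROUP and has the group write bit (0020)
    #   - it has the world write bit (0002)
    # Symlinks are skipped: their own mode bits are not enforced.
    # Writable directories are reported too, since they allow new
    # files to be added even when every existing file is read-only.
    # Only classic mode bits are checked; POSIX ACLs are not examined.
    find "$dir" ! -type l \( \
        \( -user "$user" -perm -0200 \) -o \
        \( -group "$group" -perm -0020 \) -o \
        -perm -0002 \
    \) -print | sort
}
```

An empty result means the web server can read the tree but not change it, which is the state the read-only suggestion in the thread aims for.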