After portupgrading horde, the config file /usr/local/www/horde/config/conf.php is replaced by a default one which allows full admin access to horde for everyone. Although the install script kindly renames my customized config file to 'conf.php.previous' so I do not have to restore it from backup, I consider it a grave security bug when, after the upgrade, everyone is greeted "Welcome Administrator".

I upgraded to horde-3.0.6.

Fix:

The install script should not replace the customized config files, rather install the package provided ones as 'conf.php.new' or such, so the admin can merge by hand.

Responsible Changed
From-To: freebsd-ports-bugs->thierry

Over to maintainer

State Changed
From-To: open->closed

I have committed a patch which should do what you expect. Thanks for the report!

Sorry, the problem persists with horde-3.0.7.
Still the default config file is installed inviting everyone as administrator.

The install reports:

---> /usr/local/www/horde/config/conf.php not installed ***
---> please copy from /usr/local/www/horde/config/conf.php.previous ***
---> or from /usr/local/www/horde/config/conf.php.new ***
---> /usr/local/www/horde/config/mime_drivers.php not installed ***
---> please copy from /usr/local/www/horde/config/mime_drivers.php.previous ***
---> or from /usr/local/www/horde/config/mime_drivers.php.new ***

but this is not true. /usr/local/www/horde/config/conf.php *IS* installed.

Regards,

Heinrich Rebehn

On Fri 25 Nov 05 at 12:50:07 +0100, Heinrich Rebehn <rebehn@ant.uni-bremen.de> wrote:

> The following reply was made to PR ports/88621; it has been noted by GNATS.
>
> From: Heinrich Rebehn <rebehn@ant.uni-bremen.de>
> To: bug-followup@FreeBSD.org, rebehn@ant.uni-bremen.de
> Cc:
> Subject: Re: ports/88621: "portupgrade horde" overwrites config file
> Date: Fri, 25 Nov 2005 12:41:10 +0100
>
> Sorry, the problem persists with horde-3.0.7.
> Still the default config file is installed inviting everyone as
> administrator.
>
> The install reports:
> ---> /usr/local/www/horde/config/conf.php not installed ***
> ---> please copy from
> /usr/local/www/horde/config/conf.php.previous ***
> ---> or from /usr/local/www/horde/config/conf.php.new
> ***
> ---> /usr/local/www/horde/config/mime_drivers.php not installed ***
> ---> please copy from
> /usr/local/www/horde/config/mime_drivers.php.previous ***
> ---> or from
> /usr/local/www/horde/config/mime_drivers.php.new ***
>
> but this is not true. /usr/local/www/horde/config/conf.php *IS* installed.

Are you sure? I cannot reproduce it: just before the lines

---> /usr/local/www/horde/config/conf.php not installed ***
---> please copy from /usr/local/www/horde/config/conf.php.previous ***
---> or from /usr/local/www/horde/config/conf.php.new

are echoed, pkg_install does `mv conf.php conf.php.new'. Just conf.xml should be installed.

However, there still exists a problem: if there is no conf.php, or just the default one, it is the same for Horde, and the first person is greeted as Administrator.

We have to find a better solution.

Regards,
-- 
Th. Thomas.
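
The behaviour requested under "Fix" in the original report, sketched as an added example that is not part of the thread or of the port's own install script. The helper names `install_conf` and `default_is_live` and the `conf.php.dist` file name are assumptions; the demo runs on constructed files in a scratch directory.

```sh
#!/bin/sh
# install_conf SRC DEST   (hypothetical helper, not the horde port's script)
#   SRC  = config shipped by the package, DEST = live config read by the app.
# Prints one of: installed-default | unchanged | kept-custom
install_conf() {
    src=$1
    dest=$2
    if [ ! -e "$dest" ]; then
        # First install: no admin edits to lose. The thread notes the shipped
        # default is permissive, so a caller should warn on this status.
        cp -p "$src" "$dest" && echo installed-default
        return
    fi
    if cmp -s "$src" "$dest"; then
        # Live file is byte-identical to the shipped one: nothing to merge.
        rm -f "$dest.new"
        echo unchanged
        return
    fi
    # Live file differs from the shipped one: treat it as customized, leave it
    # in place, and stage the new default beside it for a manual merge.
    cp -p "$src" "$dest.new" && echo kept-custom
}

# default_is_live SRC DEST: succeeds when the live config is the shipped
# default, which is the state the report describes after the upgrade.
default_is_live() {
    [ -e "$2" ] && cmp -s "$1" "$2"
}

# Demo on constructed files; no real Horde paths are touched.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '<?php /* constructed shipped default */' > "$d/conf.php.dist"
    printf '%s\n' '<?php /* constructed admin-edited config */' > "$d/conf.php"
    install_conf "$d/conf.php.dist" "$d/conf.php"      # prints kept-custom
    if default_is_live "$d/conf.php.dist" "$d/conf.php"; then
        echo "WARNING: shipped default config is live"
    else
        echo "customized config still live"
    fi
    rm -rf "$d"
}
demo
```

The `installed-default` status covers the remaining case raised in the last reply: a fresh install still ends up with the default file live, so this helper only reports it and does not resolve it.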