Spec Name or Url: http://www.thecodergeek.com/downloads/fedora/phpBB.spec
SRPM Name or Url: http://www.thecodergeek.com/downloads/fedora/phpBB-2.0.20-1.src.rpm
Description: phpBB is a highly popular web-based forum ("bulletin board") system using PHP and a database backend such as PostgreSQL, MySQL, ODBC, and others. (Without one of these, phpBB will not function.) It has many advanced features such as versatile users/groups permissions management, theoretically limitless forums, categories, and posts, a private messaging system among users, a highly customizable style, and a simple but extensive administrative control panel.

With this package, rpmlint complains a little. Two points:

Firstly, it gives an error that the scripts do not have shebangs. Since these are PHP scripts meant to be run through mod_php (provided by the php package), this seems safe to ignore.

E: phpBB script-without-shellbang /var/www/phpBB2/admin/admin_forums.php
E: phpBB script-without-shellbang /var/www/phpBB2/language/lang_english/lang_main.php
[...etc...]

Secondly, it complains that there is an htaccess file in the distribution:

E: phpBB htaccess-file /var/www/phpBB2/cache/.htaccess

This is where phpBB stores its cache data, and this .htaccess file explicitly disallows any direct requests for those files. Thus, this seems reasonable to ignore, also.

I've tested this on FC4, and mock builds to test it on FC5 and Devel are currently running on my workstation (though it seems like there should be no problem). Thanks.
(In reply to comment #0)
> Firstly, it gives an error that the scripts do not have shebangs. Since these
> are PHP scripts meant to be run through mod_php

Do they need to be executable then? See rpmlint -I script-without-shellbang
Hi, Ville. I forgot that the scripts themselves only need be readable in this case. I've uploaded a second release with this fixed, and I also included the cache's .htaccess limits in the global httpd phpBB config file.

Source RPM: http://www.thecodergeek.com/downloads/fedora/phpBB-2.0.20-2.src.rpm
Spec: http://www.thecodergeek.com/downloads/fedora/phpBB.spec

Thanks for your time.
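The permission point raised in the two comments above, as an added example that is not part of the phpBB spec or of rpmlint itself: a small shell reproduction of what rpmlint's script-without-shellbang check looks for (execute bit set, no `#!` on the first line), the `%install`-style fix that clears the execute bits from the PHP files so they remain readable by httpd but are no longer flagged, and a constructed sample tree standing in for `$RPM_BUILD_ROOT/var/www/phpBB2`. The file names and the `0644`/`0755` modes are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the phpBB package. Mirrors the rpmlint
# script-without-shellbang rule and the %install fix discussed above.

# List regular files under $1 that have the owner execute bit set but do
# not begin with "#!". rpmlint reports exactly these as
# E: script-without-shellbang.
find_exec_without_shebang() {
    dir=$1
    find "$dir" -type f -perm -100 | while IFS= read -r f; do
        if [ "$(head -c 2 "$f" 2>/dev/null)" != '#!' ]; then
            printf '%s\n' "$f"
        fi
    done
}

# The fix for files served through mod_php: they only need to be readable.
# This is the shape of the %install step (assumed, not quoted from the spec):
#   find $RPM_BUILD_ROOT/var/www/phpBB2 -name '*.php' -exec chmod 0644 {} +
# Real shell scripts with a shebang are left untouched.
strip_php_exec_bits() {
    dir=$1
    find "$dir" -type f -name '*.php' -exec chmod 0644 {} +
}

# Constructed sample tree (not real package contents) in a temp directory:
# one PHP file wrongly installed 0755, one genuine shell script, one
# .htaccess. Prints the directory path so callers can inspect and clean up.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/admin" "$root/cache"
    printf '<?php\n// admin panel (constructed)\n' > "$root/admin/admin_forums.php"
    printf '#!/bin/sh\necho real script\n' > "$root/cache/maint.sh"
    printf 'deny from all\n' > "$root/cache/.htaccess"
    chmod 0755 "$root/admin/admin_forums.php" "$root/cache/maint.sh"
    chmod 0644 "$root/cache/.htaccess"
    printf '%s\n' "$root"
}
```

Usage: `root=$(make_sample_tree); find_exec_without_shebang "$root"` lists only `admin/admin_forums.php`; after `strip_php_exec_bits "$root"` the listing is empty while `cache/maint.sh` keeps its execute bit. Run the same check against the real buildroot before `rpmlint` to catch the problem early.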
Has this code been audited for security? Personally I don't want Extras supplying a known-bad piece of software in an easy-to-install (and therefore break) form.
phpBB is pretty well maintained and has undergone quite a bit of scrutiny. Obviously we shouldn't add known-broken packages to Extras, but I don't think it's the submitter's job to do a full security audit on every package. At some point we have to trust upstream to do their job. However, because of its security-sensitive status, this is certainly one of those packages that should have a backup maintainer (or two) so that any necessary updates are released as quickly as possible.
To me phpBB is like the sendmail of the php forum thingies (with less features than some of the others). And Fedora still ships sendmail...
Well, even though phpBB does seem to contain many vulnerabilities, upstream is very good about releasing fixes or patches for these; and it is my intent to keep up to date with upstream releases including these security fixes and/or patch it myself if needed. I'd be happy to take on this package with a couple of other maintainers, as needed. (To be honest, I think that's probably a good idea.) Thanks.
> Secondly, it complains that there is an htaccess file in the distribution:
> E: phpBB htaccess-file /var/www/phpBB2/cache/.htaccess
> This is where phpBB stores its cache data, and this .htaccess file explicitly
> disallows any direct requests for those files. Thus, this seems reasonable to
> ignore, also.

By default httpd.conf doesn't allow htaccess overrides, so the effectiveness of this .htaccess is not great. I am pretty sure this directory doesn't need to be in a web accessible directory at all. You could patch the default directory so that it uses someplace like /var/cache/phpbb instead (not sure, I haven't tested this)?

About PHPBB security, it is actively maintained, but has a long history of repeated security holes. I've seen many Linux servers become compromised by script kiddies due to past PHPBB holes. If PHPBB gets into Fedora, the maintainer(s) *MUST* be vigilant in updating the package quickly when upstream makes a new release.
Another option would be to put those explicit disallows into a /etc/httpd/conf.d/phpbb.conf, although I am not sure if this is a better or worse idea than my last comment.
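The configuration point made in the two comments above, as an added example that is not the phpBB package's own phpbb.conf: the weak arrangement (a `.htaccess` under the web root that httpd never reads when `AllowOverride None` is in effect) next to the server-level `<Directory>` block in `/etc/httpd/conf.d/phpbb.conf` that is honored regardless of override settings. The path `/var/www/phpBB2/cache` comes from the rpmlint output on this bug; the conf.d file name and the Apache 2.4 alternative line are assumptions.

```apache
# Added example, not the package's shipped config. Assumed file:
# /etc/httpd/conf.d/phpbb.conf

# Weak: the shipped /var/www/phpBB2/cache/.htaccess ("deny from all" or
# similar) only takes effect if the enclosing <Directory> allows overrides.
# A stock httpd.conf with
#
#   <Directory />
#       AllowOverride None
#   </Directory>
#
# never consults the file, so everything in the cache directory remains
# fetchable by a direct request.

# Correct: state the denial in the server configuration itself, where it
# does not depend on AllowOverride.
<Directory /var/www/phpBB2/cache>
    # Apache 2.2 syntax (the httpd shipped with FC4/FC5)
    Order deny,allow
    Deny from all
    # Apache 2.4 equivalent, replacing the two lines above:
    # Require all denied
</Directory>
```

After dropping the file into conf.d, run `httpd -t` to syntax-check and reload httpd, then confirm with a plain `curl -I http://localhost/phpBB2/cache/.htaccess` that the server now answers 403 rather than 200. The stronger option the comment above also mentions, relocating the cache to somewhere like `/var/cache/phpbb` outside the document root, removes the need for this block entirely.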
(In reply to comment #8)
> Another option would be to put those explicit disallows into a
> /etc/httpd/conf.d/phpbb.conf, although I am not sure if this is a better or
> worse idea than my last comment.

That's one thing I changed in release 2. :)
Actually, I've been discussing this with a couple of my friends and based on phpBB's track record of vulnerabilities, it may be for the best *not* to package it in Extras until it can be properly audited and whatnot. I'll close this as WONTFIX. Have a nice evening, all.