[security advisory] http://wiki.nginx.org/Redmine

Gena Makhomed gmm at csdoc.com
Tue Mar 10 00:36:13 UTC 2015


On 10.03.2015 0:50, Francis Daly wrote:

>> even more, redmine documentation:
>> http://www.redmine.org/projects/redmine/wiki/HowTo_install_Redmine_on_CentOS_5
>> RECOMMENDS to install redmine into /var/www/redmine
>> see: "Configure /var/www/redmine/config/database.yml"
>
> Yes, that url shows redmine installed to /var/www/redmine.
>
> In that case, the nginx "root" should be /var/www/redmine/public.

http://wiki.nginx.org/Redmine is now fixed and provides the correct info.

> Perhaps it will be useful for someone to note that the "root" directive
> value in nginx must be the root directory of the redmine web content,
> which is the "public" directory of the redmine distribution. That appears
> not to have been clear on the nginx wiki page.

The current nginx Redmine config example on the wiki is safer, because
even in the case of "ln -s /var/lib/redmine/public /var/www/redmine"
and "root /var/www/redmine/public;" in the nginx config,
all should work fine, without any security vulnerabilities.

And Debian users can probably easily guess that
they should replace "root /var/www/redmine/public;"
with "root /var/www/redmine;", because /var/www/redmine
is a symlink to /var/lib/redmine/public in their install.

>> redmine documentation at redmine site recommends installing the
>> entire redmine into the /var/www/redmine directory, not only the public content.
>
> The redmine installation instructions are something that the redmine
> people might be interested in making more consistent.

Maybe this is the Debian way: make symlinks only to "static" files
inside /var/www? And are all other services in Debian configured
in the same way? So Redmine can't break Debian packaging rules?

And do all other UNIX-like OSes and distros not have such requirements
about creating such useless and potentially dangerous symlinks?
Dangerous if nginx is configured with "disable_symlinks on;".

-- 
Best regards,
  Gena
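An nginx server block illustrating the "root" point discussed in this thread, added here as an example; it is not from the nginx wiki page, the Redmine documentation, or the posters. It assumes Redmine is installed at /var/www/redmine (as in the Redmine docs quoted above) and that the Rails application is reachable at 127.0.0.1:3000 (assumed address and port); the hostname is a placeholder.

```nginx
# Added example, not from the nginx wiki or the Redmine docs.
# Assumes Redmine is installed at /var/www/redmine and the Rails app
# server listens on 127.0.0.1:3000 (assumed upstream address).

upstream redmine_app {
    server 127.0.0.1:3000;            # assumed app server address
}

server {
    listen 80;
    server_name redmine.example.com;  # placeholder hostname

    # WRONG: "root /var/www/redmine;" would expose the whole Redmine
    # distribution (including config/database.yml) as static files.
    # RIGHT: the web content is only the "public" directory.
    root /var/www/redmine/public;

    # On a distro that ships /var/www/redmine as a symlink to
    # /var/lib/redmine/public, "disable_symlinks on;" makes nginx refuse
    # every path that crosses that symlink, so leave it off there or
    # use "disable_symlinks if_not_owner;" instead.
    # disable_symlinks on;

    # Static files are served from public/; everything else goes to Rails.
    location / {
        try_files $uri @redmine;
    }

    location @redmine {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://redmine_app;
    }
}
```

After reloading nginx, a request for /config/database.yml should produce a 404 from the Rails application rather than the file contents; if the file is returned, the "root" directive still points above the public directory.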


