bibledit-development

Re: [be] Packages (bibledit-web) status, database security, and more com


From: Jonathan Marsden
Subject: Re: [be] Packages (bibledit-web) status, database security, and more comments
Date: Wed, 29 Dec 2010 15:09:06 -0800
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101208 Thunderbird/3.1.7

Teus,

I now have a hacked-up bibledit-web 0.2 package that more-or-less does
what the source install does, and installs on a test virtual server.
But it's much too rough to release, it breaks many rules, and won't even
build in a PPA, never mind in the official builders.

A few more comments and questions arising from this:

DATABASE CREATION vs DATABASE USE:

I am rather alarmed to find that the bibledit-web code seems to make no
distinction between the database user/pw needed to create the bibledit
database and its tables, at install time, and the one used at runtime to
work with those tables.  Am I understanding this correctly?

By default, this leads to the bibledit-web database code using the
all-powerful DBA user (root) at run-time, and storing that username and
*password* in plain text in a configuration file.  Worse still, the
default password is "root", and (even worse!) that configuration file is
set to mode 0777, so absolutely any user on the server can read it, and
then use it to do absolutely anything they want with any MySQL database
on that database server.

I believe this is a significant security issue.  On my web servers
(servers I admin, not servers I own!), a single MySQL server instance
can contain databases for 100-200 independently owned web sites... the
bibledit-web 0.2 installation in effect gives *every* user on the server
full access to *every* *single* *one* of those databases! (I didn't
install bibledit-web on a production server, so no harm done, I'm just
pointing out how bad this would be in production use!).

I think the right solution is for the code to distinguish very clearly
between (a) the DBA username and pw, and (b) the runtime
bibledit-specific user and pw.  (a) is prompted for and used only once,
at install time, to create the bibledit database and the runtime user
and pw. It is never stored anywhere on disk.  (b) is then used to create
the tables, and then to access the information in the database, by
bibledit-web at runtime.  It is stored in a config file (readable only
by the user running the bibledit virtualhost, but not by others!).

I have not checked whether this issue is fixed in the latest git
development code; I probably should :)

LIBRARIES:

Is there a list somewhere of what libraries are needed by bibledit-web,
or are incorporated as copies (or modified copies) within it?  So far I
have found:

 * jquery
 * jwysiwyg (a plugin for jquery)
 * smarty
 * a modified copy of part of zendframework

Are there any more?  At least the non-modified ones have to be packaged
separately, if packaged versions of them don't already exist.  And I'll
have to look at the modified ZendFramework code and see how best to
proceed there.  The INSTALL file might be a reasonable place to put this
kind of information.

Jonathan
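As an added illustration of the split the message proposes (this is example code, not bibledit-web's installer or anything from the thread), the sketch below keeps the DBA credentials out of every file: they are only ever typed on the `mysql` command line at install time, the SQL grants the runtime user privileges on the one `bibledit` database rather than `ON *.*`, and the runtime config is created with mode 0600 instead of 0777. The database name, the runtime user name and the config path `/etc/bibledit-web/db.php` are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not bibledit-web's own code. Separates the one-time DBA
# credentials (never written to disk) from the runtime credentials (stored
# in an owner-only config file). Database/user names and the config path
# are assumptions for this example.

set -eu

DB_NAME="bibledit"          # assumed database name
RUNTIME_USER="bibledit"     # assumed low-privilege runtime MySQL user

# Emit the SQL that is run ONCE with the DBA credentials at install time.
# The runtime user is granted rights on the bibledit database only, never
# "ON *.*", so a leaked runtime password cannot reach other sites' databases.
# $1 is the runtime password (generated without quote characters, see below).
install_sql() {
  runtime_pw="$1"
  cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$DB_NAME\`;
CREATE USER '$RUNTIME_USER'@'localhost' IDENTIFIED BY '$runtime_pw';
GRANT ALL PRIVILEGES ON \`$DB_NAME\`.* TO '$RUNTIME_USER'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Write the runtime config so that only its owner (the user the bibledit
# virtualhost runs as) can read it. The umask is set in a subshell so the
# file is created 0600 and the caller's umask is left untouched.
# $1 is the config path, $2 the runtime password.
write_runtime_config() {
  path="$1"; runtime_pw="$2"
  ( umask 077
    printf '<?php\n$db_user = %s;\n$db_pass = %s;\n$db_name = %s;\n' \
        "'$RUNTIME_USER'" "'$runtime_pw'" "'$DB_NAME'" > "$path" )
}

# Packaging-time check: return 0 if the config file is not world-readable,
# 1 if the "other" read bit (004) is set, as it is with mode 0777.
config_is_private() {
  [ -z "$(find "$1" -maxdepth 0 -perm -004)" ]
}

# Usage at install time (DBA password typed at the mysql prompt, not stored):
#   runtime_pw=$(head -c 24 /dev/urandom | base64 | tr -d '/+=')
#   install_sql "$runtime_pw" | mysql -u root -p
#   write_runtime_config /etc/bibledit-web/db.php "$runtime_pw"
#   config_is_private /etc/bibledit-web/db.php || echo "config is world-readable"
```

The runtime password is generated from `/dev/urandom` with quote characters stripped, so it can be interpolated into the SQL and the PHP config without escaping; the DBA password never appears in the script's arguments or in any file, only at the interactive `mysql -p` prompt.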


