Icingaweb2 RPM places apache user in icingaweb2 group

[basg]

It seems that RPM package icingaweb2 adds the user apache to groups icingacmd and icingaweb2.

$ rpm -q --scripts icingaweb2
preinstall scriptlet (using /bin/sh):
getent group icingacmd >/dev/null || groupadd -r icingacmd
usermod -a -G icingacmd,icingaweb2 apache
exit 0

If I'm correct, this should not be necessary, and may even impose a security risk.

[htriem]

We need to test and verify this.

[prupert]

Yes, please, there is absolutely no need for this. It may be an artifact from legacy mod_php setups using cmdpipe?

[yhabteab]

Yes, please, there is absolutely no need for this. It may be an artifact from legacy mod_php setups using cmdpipe?

It's not an artefact, all recent packages still add the Apache user to that group, as there may still be someone out there using cmdpipe instead of the API, even if it's already deprecated. However, we should consider in removing this from future releases, and if someone still uses cmdpipe, they will have to add it to that group themselves.