File: dpkg-www.8

package info (click to toggle)
dpkg-www 2.59
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid
  • size: 192 kB
  • sloc: sh: 1,596; makefile: 16
file content (391 lines) | stat: -rw-r--r-- 12,924 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
.\" Copyright © 2002, 2005 Massimo Dal Zotto <dz@debian.org>
.\"
.\" This is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\"
.\" This is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program.  If not, see <https://www.gnu.org/licenses/>.
.
.TH DPKG\-WWW 8 "2019-02-26"

.SH NAME
dpkg\-www, dpkg\-www-installer \- WWW Debian package browser

.SH SYNOPSIS
https://<hostname>/cgi-bin/dpkg

.SH DESCRIPTION
A typical Debian system can have hundreds installed packages and thousands
available for installation. Information about installed and available
packages can usually be obtained with the
.BR dpkg (1)
command, but navigating through the package dependencies and the
documentation files can be a very frustrating and time-consuming task.

.PP
With the
.B dpkg\-www
CGI you can instead browse Debian packages info with a web browser,
following package dependencies and locating documentation (man pages,
Info files, READMEs, and so on) with few mouse clicks. If you have
superuser privileges you can even install, upgrade or remove packages
from your web browser.
The output provided by
.B dpkg\-www
is basically that of
.BR dpkg (1)
with the addition of HREF's for packages dependencies and documentation
files.

.PP
The CGI program can take an optional query argument which can be given in
the URL or entered in the query field of the html form. This can be:
.IP <empty>
list concisely all installed packages
.IP *\ (asterisk)
list concisely all installed and available packages
.IP <list\ of\ packages>
list concisely the requested packages
.IP <wildcard\ expession>
list concisely all packages whose name matches the expression, for
example '*image*' will find all packages which contain the string 'image'.
.IP <package>
list verbosely a package and, if the package is installed, all its files.
If the package is not installed and the web installation is enabled you
can install it by clicking on the 'Install' button. If the package is
installed you can remove it or upgrade to a new version, if available,
by clicking on the respective buttons.
.IP <absolute\ pathname>
list all the packages owners of a file. This can be used for example to find
which package installed a program.
.IP /<regexp>
list all the packages owners of a file. The regexp form can be used to find
which packages own a non installed file.
.IP <field>=<value>
list all the packages with control field matching value. If the field name is
omitted the value is searched in any control field. The default search is a
case-insensitive fixed substring match but it can be changed with the
.B GREP_DCTRL_OPTS
option in the config file.
This feature works only if the
.BR grep\-dctrl (1)
package is installed.
.IP ?\ (question\ mark)
show a concise help about the CGI usage.
.IP <space>\ (a\ single\ space)
print only the input form, for use from window-manager menus.

.SS Configuration
.B dpkg\-www
can be configured by the local system administrator via the optional
.I /etc/dpkg\-www.conf
file.
This file is a simple Bourne shell
.IR "" ( /bin/sh )
script that defines some or all the following variables
(defaults are used if the file doesn't exist, or doesn't define the variable):
.TP
.B CHECK_BUTTONS
If this option is enabled
.B dpkw\-www
will add a small 'install' check-button for each package shown in the package
list. Default is 0 (disabled) because the resulting interface is not very nice.
The use of this option is therefore not recommended.
.TP
.B INSTALL_BUTTON
If this option is set the 'Install' or 'Upgrade' and 'Remove' buttons will
be added to the verbose info of a package. By clicking on these button you
will start the installation of removal the package as described in the section
.B Web Installation.
Since this option can potentially introduce security holes it is disabled (0)
by default. Use at your own risk.
If the variable is set to "top" the button will be located before the file
list, default is the bottom of the page.
.TP
.B SHOW_LOCAL_FILES
If this variable is set, \fBdpkg\-www\fP will use file:/ style URL's to
access html files -- bypassing the CGI script. This is faster
on slow machines. Default is not defined, which means use local files
for connection from localhost and https:// URL's for remote connections.
.TP
.B CHECK_PACKAGE_VERSION
If this variable is set, \fBdpkg\-www\fP will check if a newer version
of an installed package is available.
On slow machines you may want to set this option to
false since it can considerably slow down the execution.
.TP
.B LIST_UNAVAILABLE
This option enables listing also unavailable packages in the packages list.
Disabled by default.
.TP
.B LIST_DOCUMENTATION
This option enables the display of references to documents registered with
.BR install\-docs (8)
to the detailed package info, providing a quick path to relevant package
documentation. Unfortunately this feature is not totally reliable because
currently there is no way to find documents registered by a package with
.BR install\-docs (8)
and the search is done with an ugly hack. Hopefully things will change in
woody. This option is enabled (1) by default.
.TP
.B FORCE_SSH_PASSWD
This option forces ssh passwd prompt for package installation on a remote host
even if an ssh agent holds the private key.
.TP
.B GREP_DCTRL_OPTS
These options are passed to
.BR grep-dctrl (1)
when doing a query by field. Default is "\-i" for case-insensitive fixed
substring match. See
.BR grep-dctrl (1)
for more info.
.TP
.B DPKG
Command providing the
.BR dpkg (1)
query functionalities. This can be
.BR dpkg (1)
or
.BR dlocate (1),
or
.BR auto .
Default is
.BR auto ,
meaning that the CGI will use
.BR dlocate (1)
if installed, otherwise revert to
.BR dpkg (1)
which should always be available on a Debian system. By specifying this
option you can force the use of one of the two program.
.TP
.B MAN
Manpage to HTML translation command. Can be
.BR dwww (7),
.B man2html
or
.B auto .
Default is
.BR auto ,
meaning that the CGI will use
.B man2thml
if installed, otherwise revert to
.BR dwww (7).
By specifying this option you can force the use of one of the two program.
.TP
.B DEBIAN_CONTENTS
Optional list of one or more
.I Contents\-xxx.gz
files mapping each file available in the Debian system to
the package from which it originates. If available these files are used
to find the owner packages of non installed files. This can be useful for
quickly finding the package to install when a needed command is missing.
.TP
.B BGCOLOR
background color of the HTML body.
.TP
.B DEBUG
Internal option used only for debugging. Disabled by default since it is
useless for normal users.
.TP
.B DWWW_PATH
Path on webserver to \fBdwww\fP(7) cgi-bin.
.TP
.B INFO2WWW_PATH
Path on webserver to \fBinfo2www\fP(1) cgi-bin.

.PP
The following is an exaple \fI/etc/dpkg-www.conf\fP file:

.PP
.in +2
# Enable install check-buttons in package list.
.br
CHECK_BUTTONS=0
.br

.br
# Enable install, upgrade and remove buttons in package info.
.br
INSTALL_BUTTON=1
.br

.br
# List registered package documentation.
.br
LIST_DOCUMENTATION=1
.br

.br
# Options passed to grep\-dctrl in queryPackagesByField()
.br
GREP_DCTRL_OPTS="\-i"
.br

.br
# Show local files directly. Automatically set.
.br
SHOW_LOCAL_FILES=auto
.br

.br
# Force ssh passwd prompt even if an ssh agent holds
.br
# the private key.
.br
FORCE_SSH_PASSWD=true
.br

.br
# List of Contents\-xxx.gz files, if available.
.br
DEBIAN_CONTENTS="
.br
\ \ \ \ \ \ \ \ /debian/dists/buster/Contents\-amd64.gz
.br
\ \ \ \ \ \ \ \ /debian/dists/buster-updates/Contents\-amd64.gz
\ \ \ \ \ \ \ \ /debian-security/dists/buster/updates/Contents\-amd64.gz"
.br

.br
# Dpkg command (dpkg|dlocate|auto). Automatically detected.
.br
# DPKG=auto
.br

.br
# Manpage conversion command (dwww|man2html|auto). Automatically detected.
.br
# MAN=auto
.br

.br
# HTML background color.
.br
# BGCOLOR="#c0c0c0"
.br

.br
# Enable CGI debugging. Not really useful.
.br
# DEBUG=1
.PP

.SS CGI access
The information provided by
.B dpkg\-www
and the ability to install or remove packages also remotely can potentially
give useful information to crackers and open security holes. For these reasons
access to this CGI program should be allowed only from localhost and trusted
hosts or domains. Unfortunately this configuration is dependent on the
particular installed web server.
The \fBdpkg\-www\fP package configures the \fBapache\fP
server, if installed, to allow access only from localhost. Other web servers
must be configured manually by the system administrator to restrict access
to trusted hosts. If you administer many Debian system on a local network
you may want to enable access to the CGI from your network and browse
packages on any host from any other machine.

.SS Web installation
If this option is enabled in the
.I /etc/dpkg\-www.conf
file, the 'Install', 'Upgrade' and 'Remove' buttons are added to the info
page of installed or uninstalled packages.
By clicking on this button the system administrator, or more precisely any
user who has the ability to become system administrator (since you don't
want to run a web browser as root!), will be able to install or remove a
package on the fly, provided he has properly configured his browser for web
installation.

.PP
For security reasons the installation is done entirely from the browser side,
so that you don't need to gain root privileges from the CGI program which is
run on the server. The only thing done on the server is to generate an
installation request which is downloaded to the browser for the execution,
which is started under control of the user and with his privileges.
The real installation is done by a small helper script run from the user's
browser when a document with content-type 'application/dpkg\-www\-installer'
is received from the web server. The helper script opens an XTerm on the
user's display and runs a script which becomes superuser, after asking the
root password, and execs an \fBapt\-get\fP(8) command to install the requested
packages.

.PP
The web browser must have been configured to handle the above content-type
by running the command "\fB/usr/sbin/dpkg\-www\-installer \-x \-f '%s'\fP",
which must obviously be installed also on the client side if installing
remotely.
If the
.B dpkg-www
package is not installed on the browser client you can simply
copy the script \fI/usr/sbin/dpkg\-www\-installer\fP and hope it works...

.PP
You can configure your
.B Firefox
browser from the General -> Application menu of the Preferences window.
You must add a new item with MIME type
"\fBapplication/dpkg\-www\-installer\fP"
and application "\fB/usr/sbin/dpkg\-www\-installer \-x \-f '%s'\fP".
This should add the following line to your Firefox mailcap file:
.PP
.in +2
application/dpkg\-www\-installer;/usr/sbin/dpkg\-www\-installer \-x \-f '%s'
.PP
The
.B dpkg\-www
web installation has been successfully tested only with
.BR Firefox .
With other web browsers it is untested and it may not work correctly.

.PP
In order to be able to install the packages the user must known the root
password asked for '\fBsu root\fP' when installing on the local server,
or have the ability to ssh as root to the remote host when installing
from a remote client.

.PP
From the security point of view, executing a web installation is functionally
equivalent to opening a shell in an XTerm, becoming superuser after having
supplied the proper password and running \fBapt\-get\fP(8) as root to install
or remove the required packages.
Starting this from the web could be potentially vulnerable to
man-in-the-middle (MITM) attacks, but since it requires a password on the
client it seems quite safe.
If you are really paranoid connect to a secure server from an SSL-enabled
browser.

.PP
The \fBdpkg\-www\fP web installation is not intended to replace the normal
use of \fBapt\-get\fP(8) from the shell.
It is provided only as a shortcut to allow the installation of a package
after having located it with the browser without needing to open a root
shell and run \fBapt\-get\fP(8) manually.
For normal package maintenance and system upgrade the use of
\fBapt\-get\fP(8) from the shell is recommended.

.SH ENVIRONMENT
.TP
.B DPKG_WWW_HOST
The hostname to use.

.SH FILES
.TP
.I /etc/dpkg-www.conf
Configuration file for \fBdpkg\-www\fP.
It is not necessary for this file to exist,
there are sensible defaults for everything.

.SH SEE ALSO
.BR dpkg (1),
.BR dwww (1),
.BR dwww (7),
.BR dlocate (1),
.BR man2html (8),
.BR grep\-dctrl (1).