dpkg-www, dpkg-www-installer - WWW Debian package browser
A typical Debian system can have hundreds installed packages and thousands
available for installation. Information about installed and available packages
can usually be obtained with the dpkg(1)
command, but navigating
through the package dependencies and the documentation files can be a very
frustrating and time-consuming task.
With the dpkg-www
cgi you can instead browse Debian packages info with a
WEB browser, following package dependencies and locating documentation (man
pages, Info files, READMEs, and so on) with a few mouse clicks. If you have
superuser privileges you can even install, upgrade or remove packages from
your WEB browser. The output provided by dpkg-www
is basically that of
with the addition of HREF's for packages dependencies and
The cgi program can take an optional query argument which can be given in the
URL or entered in the query field of the html form. This can be:
- list concisely all installed packages
- * (asterisk)
- list concisely all installed and available packages
- <list of packages>
- list concisely the requested packages
- <wilcard expession>
- list concisely all packages whose name matches the
expression, for example `*image*' will find all packages which contain the
- list verbosely a package and, if the package is installed,
all its files. If the package is not installed and the WEB installation is
enabled you can install it by clicking on the `Install' button. If the
package is installed you can remove it or upgrade to a new version, if
available, by clicking on the respective buttons.
- <absolute pathname>
- list all the packages owners of a file. This can be used
for example to find which package installed a program.
- list all the packages owners of a file. The regexp form can
be used to find which packages own a non installed file.
- list all the packages with control field matching value. If
the field name is omitted the value is searched in any control field. The
default search is a case-insensitive fixed substring match but it can be
changed with the GREP_DCTRL_OPTS option in the config file. This
feature works only if the grep-dctrl package is installed.
- ? (question mark)
- show a concise help about the cgi usage.
- <space> (a single space)
- print only the input form, for use from window-manager
dpkg-www can be configured by the local system administrator via the optional
file. This file is a simple Bourne shell
) script that defines some or all the following
variables (defaults are used if the file doesn't exist, or doesn't define the
- If this option is enabled dpkw-www will add a small
`install' check-button for each package shown in the package list. Default
is 0 (disabled) because the resulting interface is not very nice. The use
of this option is therefore not recommended.
- If this option is set the `Install' or `Upgrade' and
`Remove' buttons will be added to the verbose info of a package. By
clicking on these button you will start the installation of removal the
package as described in the section WEB Installation. Since this
option can potentially introduce security holes it is disabled (0) by
default. Use at your own risk. If the variable is set to "top"
the button will be located before the file list, default is the bottom of
- If this variable is set, dpkg-www will use file:/ style
URL's to access html files -- bypassing the cgi script. This is faster on
slow machines. Default is not defined, which means use local files for
connection from localhost and http:// URL's for remote connections.
- If this variable is set, dpkg-www will check if a newer
version of an installed package is available. On slow machines you may
want to set this option to false since it can considerably slow down the
- This option enables listing also unavailable packages in
the packages list. Disabled by default.
- This option enables the display of references to documents
registered with install-docs(8) to the detailed package info,
providing a quick path to relevant package documentation. Unfortunately
this feature is not totally reliable because currently there is no way to
find documents registered by a package with install-docs and the
search is done with an ugly hack. Hopefully things will change in woody.
This option is enabled (1) by default.
- This option forces ssh passwd prompt for package
installation on a remote host even if an ssh agent holds the private
- These options are passed to grep-dctrl(1) when doing
a query by field. Default is "-i" for case-insensitive fixed
substring match. See grep-dctrl(1) for more info.
- Command providing the dpkg(1) query functionalities.
This can be dpkg or dlocate , or auto . Default is
auto, meaning that the cgi will use dlocate if installed, otherwise
revert to dpkg which should always be available on a Debian system.
By specifying this option you can force the use of one of the two
- Manpage to HTML translation command. Can be dwww ,
man2html or auto . Default is auto, meaning that the cgi
will use man2thml if installed, otherwise revert to dwww .
By specifying this option you can force the use of one of the two
- Optional list of one or more Contents-xxx.gz files
mapping each file available in the Debian GNU/Linux system to the package
from which it originates. If available these files are used to find the
owner packages of non installed files. This can be useful for quickly
finding the package to install when a needed command is missing.
- background color of the HTML body.
- internal option used only for debugging. Disabled by
default since it is useless for normal users.
- path on webserver to dwww cgi-bin.
- path on webserver to info2www cgi-bin.
The following is an exaple /etc/dpkg-www.conf file:
# Enable install check-buttons in package list.
# Enable install, upgrade and remove buttons in package info.
# List registered package documentation.
# Options passed to grep-dctrl in queryPackagesByField()
# Show local files directly. Automatically set.
# Force ssh passwd prompt even if an ssh agent holds
# the private key.
# List of Contents-xxx.gz files, if available.
# Dpkg command (dpkg|dlocate|auto). Automatically detected.
# Manpage conversion command (dwww|man2html|auto). Automatically detected.
# HTML background color.
# Enable cgi debugging. Not really useful.
The information provided by dpkg-www
and the ability to install or remove
packages also remotely can potentially give useful information to crackers and
open security holes. For these reasons access to this cgi program should be
allowed only from localhost and trusted hosts or domains. Unfortunately this
configuration is dependent on the particular installed WEB server. The
dpkg-www package configures the apache server, if installed, to allow access
only from localhost. Other WEB servers must be configured manually by the
system administrator to restrict access to trusted hosts. If you administer
many Debian system on a local network you may want to enable access to the cgi
from your network and browse packages on any host from any other machine.
If this option is enabled in the /etc/dpkg-www.conf
file, the `Install',
`Upgrade' and `Remove' buttons are added to the info page of installed or
uninstalled packages. By clicking on this button the system administrator, or
more precisely any user who has the ability to become system administrator
(since you don't want to run a web browser as root!), will be able to install
or remove a package on the fly, provided he has properly configured his
browser for WEB installation.
For security reasons the installation is done entirely from the browser side, so
that you don't need to gain root privileges from the cgi program which is run
on the server. The only thing done on the server is to generate an
installation request which is downloaded to the browser for the execution,
which is started under control of the user and with his privileges. The real
installation is done by a small helper script run from the user's browser when
a document with content-type `application/dpkg-www-installer' is received from
the web server. The helper script opens an XTerm on the user's display and
runs a script which becomes superuser, after asking the root password, and
execs an apt-get command to install the requested packages.
The WEB browser must have been configured to handle the above content-type by
running the command "/usr/sbin/dpkg-www-installer -x -f '%s'", which
must obviously intalled also on the client side if installing from remote. If
the dpkg-www package is not installed on the browser client you can simply
copy the script /usr/sbin/dpkg-www-installer and hope it works...
You can configure your Netscape.
browser from the Navigator ->
Application menu of the Preferences window. You must add a new item with MIME
type "application/dpkg-www-installer" and application
"/usr/sbin/dpkg-www-installer -x -f '%s'". This should add the
following line to your Netscape mailcap file:
application/dpkg-www-installer;/usr/sbin/dpkg-www-installer -x -f '%s'
The dpkg-www WEB installation has been successfully tested only with
With other WEB browsers it is untested and it may not work
In order to be able to install the packages the user must known the root
password asked for `su root' when installing on the local server, or have the
ability to ssh as root to the remote host when installing from a remote
From the security point of view, executing a WEB installation is functionally
equivalent to opening a shell in an XTerm, becoming superuser after having
supplied the proper password and running apt-get as root to install or remove
the required packages. Starting this from the WEB could be potentially
vulnerable to man-in-the-middle attacks, but since it requires a password on
the client it seems quite safe. If you are really paranoid connect to a secure
server from an SSL-enabled browser.
The dpkg-www WEB installation is not intended to replace the normal use of
apt-get from the shell. It is provided only as a shortcut to allow the
installation of a package after having located it with the browser without
needing to open a root shell and run apt-get manually. For normal package
maintenance and system upgrade the use of apt-get from the shell is
- Configuration file for dpkg-www. It is not necessary for
this file to exist, there are sensible defaults for everything.
Massimo Dal Zotto <firstname.lastname@example.org>.
Bugs should be reported via the normal Debian bug reporting system.
dpkg-www is licensed under the GNU General Public License version 2.