Bug#555129: apache2-suexec: Should not set document root to /var/www - violates the FHS

Package: apache2-suexec
Version: 2.2.14-2
Justification: Policy 9.1.1
Severity: serious

Hi,

apache2-suexec is built with the following configure option:

    --with-suexec-docroot=/var/www

This is not one of the /var directories in the File Hierarchy Standard and is under the control of the local administrator. Packages should not assume that it is the document root for a web server; it is very common for users to change the default document root and packages should not assume that users will keep any particular setting.

Even http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-web-appl, which suggests /var/www should be used if **unavoidable**, states that this place can be a symlink to the location where the system administrator has put the real document root. If I am right, suexec doesn't allow symlinks for security reasons.

Please also see the discussion at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553498
which explains why I open this bug.

Cheers,
Julien

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--
To UNSUBSCRIBE, email to debian-bugs-rc-REQUEST@... with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#555129: Should not set document root to /var/www - violates the FHS

severity 555129 wishlist
severity 553498 wishlist
thanks

On Sunday 08 November 2009, Julien Valroff wrote:
> This is not one of the /var directories in the File Hierarchy
> Standard and is under the control of the local administrator.

Manoj, both apache2-suexec and dspam-webfrontend are following the policy's recommendation. How can this be a serious bug?

> Even
> http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-web-appl,
> which suggests /var/www should be used if **unavoidable**, states that
> this place can be a symlink to the location where the system
> administrator has put the real document root. If I am right, suexec
> doesn't allow symlinks for security reasons.

Suexec should work fine if /var/www itself is a symlink.

I completely agree that the current situation is not optimal. But I don't see a better choice for the suexec document root. Of course, any alternative must not introduce local privilege escalation vulnerabilities (like using "/" does).

Cheers,
Stefan

--
To UNSUBSCRIBE, email to debian-apache-REQUEST@... with a subject of "unsubscribe". Trouble? Contact listmaster@...

Processed: Re: Bug#555129: Should not set document root to /var/www - violates the FHS

Processing commands for control@...:

> severity 555129 wishlist
Bug #555129 [apache2-suexec] Should not set document root to /var/www - violates the FHS
Severity set to 'wishlist' from 'serious'
> severity 553498 wishlist
Bug #553498 [dspam-webfrontend] dspam-webfrontend: dir-or-file-in-var-www /var/www/dspam/admin.cgi and 6 others
Severity set to 'wishlist' from 'serious'
> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Bug#555129: Should not set document root to /var/www - violates the FHS

On Sun, Nov 08 2009, Stefan Fritsch wrote:

> severity 555129 wishlist
> severity 553498 wishlist
> thanks
>
> On Sunday 08 November 2009, Julien Valroff wrote:
>> This is not one of the /var directories in the File Hierarchy
>> Standard and is under the control of the local administrator.
>
> Manoj, both apache2-suexec and dspam-webfrontend are following the
> policy's recommendation. How can this be a serious bug?

Because it violates the FHS -- and it would be at odds with the forthcoming web applications policy. Are you sure access to the document root is unavoidable?

manoj
--
Biz is better.
Manoj Srivastava <srivasta@...> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C

Bug#555129: Should not set document root to /var/www - violates the FHS

On Monday 09 November 2009, Manoj Srivastava wrote:
> Because it violates the FHS -- and it would be at odds with
> the forthcoming web applications policy. Are you sure access to
> the document root is unavoidable?

Well, it has the document root compiled in, allows only one document root, and doesn't follow symlinks to outside of the document root. That makes it pretty hard. Maybe it is possible to find a solution, but it is not obvious. And it would have to be checked for security issues.
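The constraint Stefan describes (one compiled-in document root, and no following of symlinks that lead outside it) is a path containment check, and the thread's two side remarks, that the docroot itself may be a symlink and that "/" as a docroot opens local privilege escalation, both fall out of how such a check behaves. The example below is added for this page; it is not suexec's code and not part of any Debian package. suexec itself performs many further checks (ownership, modes, uid/gid ranges) that this model omits. The temporary directory tree, the file names ok.cgi, link.cgi and escape.cgi, and the helpers resolve_within_docroot, build_demo_tree and run_demo are all constructed here for illustration.

```python
import os
import shutil
import tempfile


def resolve_within_docroot(docroot, requested):
    """Resolve `requested` relative to `docroot` with every symlink followed
    and return the real path, or None if the result escapes the docroot.

    Models the containment rule discussed in the thread (single fixed
    docroot, symlinks may not lead outside it). Not suexec's own code.
    """
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    # commonpath() compares whole components, so /var/www2 is not mistaken
    # for a child of /var/www the way a plain string-prefix test would.
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def build_demo_tree():
    """Create a throwaway tree (constructed sample data, not a real system):
    a docroot with one real CGI, one symlink into a user's home directory,
    and a symlink that points at the docroot itself."""
    base = tempfile.mkdtemp(prefix="suexec-docroot-demo-")
    docroot = os.path.join(base, "var", "www")
    cgi_dir = os.path.join(docroot, "cgi-bin")
    home = os.path.join(base, "home", "alice")
    os.makedirs(cgi_dir)
    os.makedirs(home)
    with open(os.path.join(cgi_dir, "ok.cgi"), "w") as fh:
        fh.write("#!/bin/sh\necho inside\n")
    with open(os.path.join(home, "escape.cgi"), "w") as fh:
        fh.write("#!/bin/sh\necho outside\n")
    # Symlink inside the docroot whose target lies outside it.
    os.symlink(os.path.join(home, "escape.cgi"),
               os.path.join(cgi_dir, "link.cgi"))
    # The docroot itself reachable through a symlink (the policy's
    # "/var/www may be a symlink" case).
    os.symlink(docroot, os.path.join(base, "www-link"))
    return base, docroot


def run_demo():
    """Exercise the containment check and return a dict of outcomes."""
    base, docroot = build_demo_tree()
    try:
        escape_abs = os.path.join(base, "home", "alice", "escape.cgi")
        return {
            # Ordinary file under the docroot: accepted.
            "inside_accepted":
                resolve_within_docroot(docroot, "cgi-bin/ok.cgi") is not None,
            # Symlink whose target leaves the docroot: rejected.
            "symlink_out_rejected":
                resolve_within_docroot(docroot, "cgi-bin/link.cgi") is None,
            # Plain ../ traversal: rejected.
            "dotdot_rejected":
                resolve_within_docroot(docroot,
                                       "../../home/alice/escape.cgi") is None,
            # Docroot reached via a symlink still works, because both sides
            # are resolved before they are compared.
            "docroot_symlink_ok":
                resolve_within_docroot(os.path.join(base, "www-link"),
                                       "cgi-bin/ok.cgi") is not None,
            # With "/" compiled in as the docroot the test is vacuous: any
            # path on the system passes, which is the escalation risk.
            "slash_docroot_accepts_anything":
                resolve_within_docroot("/", escape_abs) is not None,
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Run it as a script and every entry prints True. The point of the last case is the one Stefan makes: "/" is not a way around the FHS objection, because a containment check against "/" accepts every executable on the machine and so no longer restricts what suexec will run as another user.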