pkgsrc-Bugs archive


Re: pkg/40532: privoxy ignores user:group and has wheel permissions and so everyone accessing privoxy admin page




Hi,

I have built the software by a simple 'make install'.
It installed the software, and I also copied /usr/pkg/share/examples/rc.d/privoxy to /etc/rc.d/privoxy. I started the software by '#/etc/rc.d/privoxy onestart' (then I inserted privoxy=yes into rc.conf).

All fine.

There are privoxy rules at /usr/pkg/etc/privoxy/*
I edited the rules with vi as root as I wish, and then I did '#chmod 660 /usr/pkg/etc/privoxy/*' and '#chown root:wheel /usr/pkg/etc/privoxy/*'.
Now all rules should be safe, only editable by wheel users.

Now, what confused me is this:

1- As a normal user, start a browser, i.e. firefox, and adjust its settings so that it uses port 8118 as the http proxy.
2- Type 'p.p' in the address bar so that you can reach the privoxy administration page.
3- Now try to edit the rules!

The rules are editable although all are root:wheel and chmod 660, while I'm a normal user and not in the wheel group (nor is the privoxy user in the wheel group).

Question: Why does the privoxy service run as privoxy:wheel instead of privoxy:privoxy? Is this expected behaviour?

Regards,
Cem





Matthias Drochner, 02/02/09 18:03:
Can you please describe at which point you think user/group are ignored,
at build time or at run time?
For me, everything looks as intended:
[from the pkg src dir]
$ more work.zelz27/privoxy-3.0.10-stable/config.status
[...]
# ./configure  --localstatedir=/var --sysconfdir=/usr/pkg/share/examples/privoxy --with-user=privoxy --with-group=privoxy --prefix=/usr/pkg --host=i386--netbsdelf --mandir=/usr/pkg/man
[...]
$ id privoxy
uid=1004(privoxy) gid=1002(privoxy) groups=1002(privoxy)
$ ps ax -o uid,gid,command|grep privoxy
1004 1002 /usr/pkg/sbin/privoxy --pidfile /var/run/privoxy.pid --user privoxy /
$ ls -l /usr/pkg/etc/privoxy/config
-rw-rw----  1 privoxy  privoxy  42509 Jan 22 14:25 /usr/pkg/etc/privoxy/config

PS: Please upgrade this software to latest 3.0.10 too

I've done this locally, but we should understand your problem first
to make sure there is no serious security flaw.

best regards
Matthias




-------------------------------------------------------------------
-------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich

Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzende des Aufsichtsrats: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender),
Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
Dr. Sebastian M. Schmidt
-------------------------------------------------------------------
-------------------------------------------------------------------
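
The question in this thread comes down to which credentials the daemon runs with versus who owns the rule files, because edits made through the admin page are written by the daemon, not by the browser user. The following is an added example, not part of the original messages and not privoxy or pkgsrc code: it applies the standard Unix write check to the `ps` line and the ownership values quoted above. The function names, the numeric gid 0 for wheel, and the supplementary-group lists are assumptions for illustration.

```python
import stat

WHEEL_GID = 0  # assumption: wheel is gid 0, as on a stock NetBSD install
CONFIG = "/usr/pkg/etc/privoxy/config"
# The ps line quoted in the thread (uid, gid, command).
PS_LINE = "1004 1002 /usr/pkg/sbin/privoxy --pidfile /var/run/privoxy.pid --user privoxy /"


def parse_ps_line(line):
    """Parse one line of `ps ax -o uid,gid,command` into (uid, gid, command)."""
    uid, gid, command = line.split(None, 2)
    return int(uid), int(gid), command


def can_write(proc_uid, proc_groups, file_uid, file_gid, file_mode):
    """Unix write check: the first matching class (owner, group, other) decides."""
    if proc_uid == 0:
        return True
    if proc_uid == file_uid:
        return bool(file_mode & stat.S_IWUSR)
    if file_gid in proc_groups:
        return bool(file_mode & stat.S_IWGRP)
    return bool(file_mode & stat.S_IWOTH)


def audit(ps_line, supplementary_groups, files):
    """Return the paths the daemon on ps_line could modify.

    `ps -o gid` shows only one gid, so supplementary groups are passed
    separately (constructed values here, not taken from the thread).
    """
    uid, gid, _ = parse_ps_line(ps_line)
    groups = {gid} | set(supplementary_groups)
    return [path for path, (fuid, fgid, mode) in files.items()
            if can_write(uid, groups, fuid, fgid, mode)]


if __name__ == "__main__":
    # Files as (owner uid, group gid, mode).
    as_packaged = {CONFIG: (1004, 1002, 0o660)}      # privoxy:privoxy, as in the ls -l output
    as_hardened = {CONFIG: (0, WHEEL_GID, 0o660)}    # root:wheel after the chown/chmod
    print("packaged, daemon privoxy:privoxy ->", audit(PS_LINE, [], as_packaged))
    print("hardened, daemon privoxy:privoxy ->", audit(PS_LINE, [], as_hardened))
    print("hardened, daemon also in wheel   ->", audit(PS_LINE, [WHEEL_GID], as_hardened))
```

Only the third case reproduces rules that stay editable after the chown to root:wheel, which is why the process's real group set is the thing to confirm on the affected host.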



