Re: pkg/40532: privoxy ignores user:group and has wheel permissions and so everyone accessing privoxy admin page


I have built the software by a simple 'make install'.
It has installed the software, and I also copied /usr/pkg/share/examples/rc.d/privoxy to /etc/rc.d/privoxy. I started the software with '#/etc/rc.d/privoxy onestart' (then I inserted privoxy=yes into rc.conf).

All fine.

There are privoxy rules at /usr/pkg/etc/privoxy/*
I edited the rules with vi as root as I wished, and then I did '#chmod 660 /usr/pkg/etc/privoxy/*' and '#chown root:wheel /usr/pkg/etc/privoxy/*'.
Now all rules should be safe, only editable to wheel users.

Now, what confused me is this:

1- As normal user, start a browser; ie firefox; and adjust its settings so that it uses 8118 port as http proxy
2- Type 'p.p' in address bar so that you can reach privoxy administration page.
3- Now try to edit rules!

The rules are editable although all are root:wheel and chmod 660, while I'm a normal user and not in the wheel group (nor is the privoxy user in the wheel group).

Question: Why does the privoxy service run as privoxy:wheel instead of privoxy:privoxy? Is this expected behaviour?


Matthias Drochner, 02/02/09 18:03:
Can you please describe at which point you think user/group are ignored,
at build time or at run time?
For me, everything looks as intended:
[from the pkg src dir]
$ more work.zelz27/privoxy-3.0.10-stable/config.status
# ./configure  --localstatedir=/var --sysconfdir=/usr/pkg/share/examples/privox
--with-user=privoxy --with-group=privoxy --prefix=/usr/pkg --host=i386--netbsde
lf --mandir=/usr/pkg/man
$ id privoxy
uid=1004(privoxy) gid=1002(privoxy) groups=1002(privoxy)
$ ps ax -o uid,gid,command|grep privoxy
1004 1002 /usr/pkg/sbin/privoxy --pidfile /var/run/ --user privoxy /
$ ls -l /usr/pkg/etc/privoxy/config
-rw-rw----  1 privoxy  privoxy  42509 Jan 22 14:25 /usr/pkg/etc/privoxy/config

PS: Please upgrade this software to latest 3.0.10 too

I've done this locally, but we should understand your problem first
to make sure there is no serious security flaw.

best regards
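
Added example, not part of the original messages and not pkgsrc or Privoxy code: edits made through the p.p web editor are written by the privoxy daemon itself, so what matters is whether the daemon's uid/gid can write the rule files, not who is sitting at the browser. The `can_write` helper is hypothetical; uid 1004 and gid 1002 are taken from the `id privoxy` output above, and root:wheel is assumed to be uid 0, gid 0.

```shell
#!/bin/sh
# can_write PROC_UID "PROC_GIDS" FILE_UID FILE_GID MODE
#   PROC_GIDS: space-separated gids of the daemon (primary + supplementary)
#   MODE:      octal permission bits of the file, e.g. 660
# Prints "yes" if a process with those credentials may write the file.
can_write() {
    p_uid=$1; p_gids=$2; f_uid=$3; f_gid=$4; mode=$5

    # uid 0 is not restricted by the write bits.
    if [ "$p_uid" -eq 0 ]; then echo yes; return 0; fi

    perm=$((0$mode))            # leading 0 makes the shell read it as octal

    # Unix picks exactly one class: owner, else group, else other.
    if [ "$p_uid" -eq "$f_uid" ]; then
        bit=$((perm & 0200))
    else
        in_group=no
        for g in $p_gids; do
            if [ "$g" -eq "$f_gid" ]; then in_group=yes; fi
        done
        if [ "$in_group" = yes ]; then
            bit=$((perm & 0020))
        else
            bit=$((perm & 0002))
        fi
    fi

    if [ "$bit" -ne 0 ]; then echo yes; else echo no; fi
}

# Constructed cases based on the values quoted in this thread.
# Daemon privoxy:privoxy (1004:1002), rules chowned root:wheel, mode 660:
echo "privoxy:privoxy vs root:wheel 660    -> $(can_write 1004 "1002" 0 0 660)"
# Daemon running with gid wheel (the privoxy:wheel case asked about):
echo "privoxy:wheel   vs root:wheel 660    -> $(can_write 1004 "0" 0 0 660)"
# Files owned privoxy:privoxy, as in the ls -l output above:
echo "privoxy:privoxy vs privoxy:privoxy 660 -> $(can_write 1004 "1002" 1004 1002 660)"
```

Feed it the uid/gid columns from `ps ax -o uid,gid,command` and the owner, group and mode from `ls -l` to see whether the web editor can change a given rule file.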

