pkgsrc-Bugs archive


Re: pkg/40532: privoxy ignores user:group and has wheel permissions and so everyone accessing privoxy admin page




Update to problem report:
-----------------------------------------

$NetBSD$

--- ./jcc.c.orig        2007-12-16 19:32:46.000000000 +0100
+++ ./jcc.c
@@ -3299,6 +3299,10 @@ int main(int argc, const char *argv[])
      {
         log_error(LOG_LEVEL_FATAL, "Cannot setgid(): Insufficient 
permissions.");
      }
+      if (grp)
+       setgroups(1, &grp->gr_gid);
+      else
+       initgroups(pw->pw_name, pw->pw_gid);
      if (do_chroot)
      {
         if (!pw->pw_dir)
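
Review bot: the return values of the added setgroups() and initgroups() calls are ignored, so if either call fails the daemon carries on with the inherited supplementary groups seen in the "before" ps line, which is the condition this change is meant to remove. Check both results and stop with log_error(LOG_LEVEL_FATAL, ...) in the same way as the setgid() failure directly above. Please also confirm that these calls still run before setuid(), which is not visible in this hunk, since setgroups() needs the privileges that setuid() gives up.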





Before applying patch:
-----------------------------------------
28993 1004 1002 0 2 3 4 5 20 31 ? Ss 0:00.06 /usr/pkg/sbin/privoxy --pidfile /var/run/privoxy.pid --user privoxy /usr/pkg/etc/privoxy/config


After applying patch:
-----------------------------------------
4923 1004 1002 1002 ? ZLsl 0:00.08 /usr/pkg/sbin/privoxy --pidfile /var/run/privoxy.pid --user privoxy /usr/pkg/etc/privoxy/config


Regards,
Cem





Cem Kayali, 02/02/09 21:17:
Hi,

Please check the screenshot I've sent. It shows the details.

>It is well possible that privoxy opens its config file before changing its privileges.

Well, if it runs as privoxy:privoxy it cannot open a file that is chown=root:wheel and chmod=661. That's the strange thing.


Regards,
Cem


Matthias Drochner, 02/02/09 21:06:
So could you please run the
ps ax -o uid,gid,command|grep privoxy
as I did?
And what was "puser" set to in /etc/rc.d/privoxy?

I believe the right way to disable modification through
the web interface is to set "enable-edit-actions" in the
config file to "0". And possibly some more - there are
lots of comments.
It is well possible that privoxy opens its config file
before changing its privileges.

best regards
Matthias
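
The before/after ps lines in this thread, as an added example that is not part of the original messages or of privoxy's code: a privilege drop in C that checks every call and then verifies what is left. It assumes the columns after the PID in those ps lines are uid, gid and supplementary groups; `drop_privileges` and `groups_are_clean` are hypothetical names.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose setgroups() */
#endif
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Return 1 if every supplementary group equals the target gid
 * (an empty list is also clean), 0 if anything else is left over. */
int groups_are_clean(const gid_t *groups, int n, gid_t target)
{
    for (int i = 0; i < n; i++)
        if (groups[i] != target)
            return 0;
    return 1;
}

/* Drop from root to uid:gid. Order matters: supplementary groups and gid
 * must change while the process is still privileged, so setuid() is last.
 * Returns 0 on success, -1 on any failure (the caller should exit). */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t left[64];
    int n;

    if (setgroups(1, &gid) != 0) { perror("setgroups"); return -1; }
    if (setgid(gid) != 0)        { perror("setgid");    return -1; }
    if (setuid(uid) != 0)        { perror("setuid");    return -1; }

    /* Verify the result instead of trusting the calls above. */
    n = getgroups(64, left);
    if (n < 0 || !groups_are_clean(left, n, gid)) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    /* Regaining root must be impossible now. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Constructed samples mirroring the group columns of the two ps lines. */
const gid_t before_patch[] = { 0, 2, 3, 4, 5, 20, 31 };
const gid_t after_patch[]  = { 1002 };

int main(void)
{
    printf("before patch clean: %d\n", groups_are_clean(before_patch, 7, 1002));
    printf("after patch clean:  %d\n", groups_are_clean(after_patch, 1, 1002));
    return 0;
}
```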








