Re: About a rc.d script and "--user ${puser}"

To: Cem Kayali <cemkayali%eticaret.com.tr@localhost>
Subject: Re: About a rc.d script and "--user ${puser}"
From: jnemeth%victoria.tc.ca@localhost (John Nemeth)
Date: Tue, 3 Feb 2009 07:08:30 -0800

On Jun 25,  8:05pm, Cem Kayali wrote:
}
} 
} I have used the patch, and checked rc.d script before testing, re-tested 
} again. Result is same.

     Did you do 'make update' in www/privoxy?  Can you show me what your
/etc/rc.d/privoxy looks like now?

} This issue is quite strange. *Forgive me if i'm doing someting wrong* 
} but this looks like a security problem because any user having access to 
} privoxy administration page with "edit-actions-enable" enabled in 
} privoxy configuration, has potential wirte access to all root:wheel 
} files having chmod X6X permissions especially to /usr/pkg/etc/privoxy/* 
} ones - tested.
} 
} How to repeat?
} 
} 
} -------------------------------------
} Build the software by simple 'make install'
} Once install is complete copy /usr/pkg/share/examples/rc.d/privoxy to 
} /etc/rc.d/privoxy
} Start the service by '#/etc/rc.d/privoxy onestart' (then insert 
} privoxy=yes) to rc.conf
} 
} There are privoxy rules at /usr/pkg/etc/privoxy, please do '#chmod 661 
} /usr/pkg/etc/privoxy/*' and '#chown root:wheel /usr/pkg/etc/privoxy/*'
} Now all rules should be safe, only editable to wheel users.
} 
} Now, the test;
} 
} 1- As normal user, start a browser; ie firefox; and adjust its settings 
} so that it uses 8118 port as http proxy
} 2- Type 'p.p' in address bar so that you can reach privoxy 
} administration page.
} 3- Now try to edit rules!
} 
} Rules are editable.
} -------------------------------------
} 
} A screenshot attached.
} 
} John Nemeth, 02/02/09 22:11:
} > On Jun 24,  5:34pm, Cem Kayali wrote:
} > } 
} > } Well, yes; let me briefly explain:
} > } 
} > } # userinfo privoxy
} > } login   privoxy
} > } passwd  *************
} > } uid     50
} > } groups  privoxy
} > } 
} > } Then, run "/etc/rc.d/privoxy onestart", then privoxy service runs as 
} > } user:privoxy and group:wheel (uid:50 and gid=0) instead of user:privoxy 
} > } group:privoxy (uid:50 and gid=50).
} >
} >      This doesn't have anything to do with the permissions on rc.d
} > script unless SUID and/or SGID bits are set.  But, as tls explained
} > NetBSD doesn't support SGID for scripts.  I have adjusted the rc.d
} > script to set the group as well as the user.  Can you check to see if
} > this fixes the issue for you, please?
} >
} >      BTW, issues like this should be discussed on
} > pkgsrc-users%NetBSD.org.@localhost  NetBSD-users%NetBSD.org@localhost is 
for issues
} > affecting the base system.
} >
} > }-- End of excerpt from Cem Kayali
}-- End of excerpt from Cem Kayali

Follow-Ups:
- Re: About a rc.d script and "--user ${puser}"
  - From: Matthias Drochner

Prev by Date: Re: About a rc.d script and "--user ${puser}"
Next by Date: Re: About a rc.d script and "--user ${puser}"
Previous by Thread: Re: About a rc.d script and "--user ${puser}"
Next by Thread: Re: About a rc.d script and "--user ${puser}"
Indexes:

Home | Main Index | Thread Index | Old Index