NetBSD-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: About a rc.d script and "--user ${puser}"
On Jun 25, 8:05pm, Cem Kayali wrote:
}
}
} I have used the patch, and checked rc.d script before testing, re-tested
} again. Result is same.
Did you do 'make update' in www/privoxy? Can you show me what your
/etc/rc.d/privoxy looks like now?
} This issue is quite strange. *Forgive me if i'm doing someting wrong*
} but this looks like a security problem because any user having access to
} privoxy administration page with "edit-actions-enable" enabled in
} privoxy configuration, has potential wirte access to all root:wheel
} files having chmod X6X permissions especially to /usr/pkg/etc/privoxy/*
} ones - tested.
}
} How to repeat?
}
}
} -------------------------------------
} Build the software by simple 'make install'
} Once install is complete copy /usr/pkg/share/examples/rc.d/privoxy to
} /etc/rc.d/privoxy
} Start the service by '#/etc/rc.d/privoxy onestart' (then insert
} privoxy=yes) to rc.conf
}
} There are privoxy rules at /usr/pkg/etc/privoxy, please do '#chmod 661
} /usr/pkg/etc/privoxy/*' and '#chown root:wheel /usr/pkg/etc/privoxy/*'
} Now all rules should be safe, only editable to wheel users.
}
} Now, the test;
}
} 1- As normal user, start a browser; ie firefox; and adjust its settings
} so that it uses 8118 port as http proxy
} 2- Type 'p.p' in address bar so that you can reach privoxy
} administration page.
} 3- Now try to edit rules!
}
} Rules are editable.
} -------------------------------------
}
} A screenshot attached.
}
} John Nemeth, 02/02/09 22:11:
} > On Jun 24, 5:34pm, Cem Kayali wrote:
} > }
} > } Well, yes; let me briefly explain:
} > }
} > } # userinfo privoxy
} > } login privoxy
} > } passwd *************
} > } uid 50
} > } groups privoxy
} > }
} > } Then, run "/etc/rc.d/privoxy onestart", then privoxy service runs as
} > } user:privoxy and group:wheel (uid:50 and gid=0) instead of user:privoxy
} > } group:privoxy (uid:50 and gid=50).
} >
} > This doesn't have anything to do with the permissions on rc.d
} > script unless SUID and/or SGID bits are set. But, as tls explained
} > NetBSD doesn't support SGID for scripts. I have adjusted the rc.d
} > script to set the group as well as the user. Can you check to see if
} > this fixes the issue for you, please?
} >
} > BTW, issues like this should be discussed on
} > pkgsrc-users%NetBSD.org.@localhost NetBSD-users%NetBSD.org@localhost is
for issues
} > affecting the base system.
} >
} > }-- End of excerpt from Cem Kayali
}-- End of excerpt from Cem Kayali
Home |
Main Index |
Thread Index |
Old Index