pkgsrc-Bugs archive


pkg/40532: privoxy ignores user:group and has wheel permissions and so everyone accessing privoxy admin page



>Number:         40532
>Category:       pkg
>Synopsis:       privoxy ignores user:group and has wheel permissions and so everyone accessing privoxy admin page
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Feb 01 16:50:00 +0000 2009
>Originator:     Cem Kayali
>Release:        NetBSD5 amd64
>Organization:
>Environment:
NetBSD localhost 4.99.7X root@localhost:/usr/obj/sys/arch/amd64/compile/GENERIC amd64

>Description:

Hello!

If you build privoxy through pkgsrc, it has automatic wheel permissions, which 
allows everyone who has access to the privoxy administration page (p.p) to modify 
all wheel permissioned files.

This is similar to pkg/38252, I think.



PS: Please upgrade this software to the latest 3.0.10 too.
>How-To-Repeat:

Build privoxy through pkgsrc
Move its rc.d script to /etc/rc.d
Insert privoxy=yes to /etc/rc.conf
Boot computer or start privoxy

Set /usr/pkg/etc/privoxy/* to 661
Run a browser using a test username, type and check the 
http://config.privoxy.org/show-status page.

Notice all wheel permissioned (661) files are writeable.

>Fix:
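
Added example, not part of the original report and not pkgsrc or privoxy code: a shell audit for the condition described under How-To-Repeat, listing files in a configuration directory that a given group (or any user) can write. The function names are hypothetical; the directory and group are supplied by the caller, for instance the /usr/pkg/etc/privoxy path and the wheel group named in the report.

```shell
#!/bin/sh
# Added example: find config files that the daemon's group, or anyone, can write.

# Print regular files under DIR ($1) owned by GROUP ($2, name or numeric gid)
# whose group-write bit is set. -perm -020 matches 661, 664, 775 and so on.
group_writable_files() {
    find "$1" -type f -group "$2" -perm -020 -print
}

# Print regular files under DIR ($1) that any user can write.
world_writable_files() {
    find "$1" -type f -perm -002 -print
}

# Report every finding with its mode and ownership.
# Returns 0 when DIR is clean, 1 when something is writable, 2 on bad input.
audit_config_dir() {
    dir=$1
    grp=$2
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    found=$( { group_writable_files "$dir" "$grp"
               world_writable_files "$dir"; } | sort -u )
    if [ -n "$found" ]; then
        echo "writable by group $grp or by everyone:"
        printf '%s\n' "$found" | while IFS= read -r f; do
            ls -ld "$f"
        done
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit.sh DIR GROUP
if [ "$#" -eq 2 ]; then
    audit_config_dir "$1" "$2"
fi
```

A daemon that runs with the audited group can change every file this prints, so a clean result (exit status 0) is what a correctly packaged installation should give.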


