pkgsrc-Bugs archive
Re: pkg/40532: privoxy ignores user:group and has wheel permissions and so everyone accessing privoxy admin page
Update to problem report:
-----------------------------------------
$NetBSD$
--- ./jcc.c.orig 2007-12-16 19:32:46.000000000 +0100
+++ ./jcc.c
@@ -3299,6 +3299,10 @@ int main(int argc, const char *argv[])
{
log_error(LOG_LEVEL_FATAL, "Cannot setgid(): Insufficient
permissions.");
}
+ if (grp)
+ setgroups(1, &grp->gr_gid);
+ else
+ initgroups(pw->pw_name, pw->pw_gid);
if (do_chroot)
{
if (!pw->pw_dir)
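Review bot: the return values of setgroups() and initgroups() in the added lines are ignored, so if either call fails the process carries on with whatever supplementary groups it inherited. The setgid() failure in the context just above is treated as fatal through log_error(LOG_LEVEL_FATAL, ...); these two calls should be checked and handled the same way. The unbraced if/else also differs from the braced blocks in the surrounding context lines.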
Before applying patch:
-----------------------------------------
28993 1004 1002 0 2 3 4 5 20 31 ? Ss 0:00.06
/usr/pkg/sbin/privoxy --pidfile /var/run/privoxy.pid --user privoxy
/usr/pkg/etc/privoxy/config
After applying patch:
-----------------------------------------
4923 1004 1002 1002 ? ZLsl 0:00.08
/usr/pkg/sbin/privoxy --pidfile /var/run/privoxy.pid --user privoxy
/usr/pkg/etc/privoxy/config
Regards,
Cem
Cem Kayali, 02/02/09 21:17:
Hi,
Please check the screenshot I've sent. It shows the details.
>It is well possible that privoxy opens its config file before changing its privileges.
Well, if it runs as privoxy:privoxy it can not open a file that is
chown=root:wheel and chmod=661. That's the strange thing.
Regards,
Cem
Matthias Drochner, 02/02/09 21:06:
So could you please run the
ps ax -o uid,gid,command|grep privoxy
as I did?
And what was "puser" set to in /etc/rc.d/privoxy?
I believe the right way to disable modification through
the web interface is to set "enable-edit-actions" in the
config file to "0". And possibly some more - there are
lots of comments.
It is well possible that privoxy opens its config file
before changing its privileges.
best regards
Matthias
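A check a daemon can run after dropping privileges to confirm that no inherited supplementary groups remain, added here as an example (it is not part of the thread or of privoxy's code). It assumes the numbers following the gid in the two process listings above are the supplementary groups; the function names are hypothetical.

```c
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Count entries in `groups` that are not the intended gid. A non-zero
 * result after a privilege drop means inherited supplementary groups
 * are still attached to the process. */
int count_residual_groups(gid_t intended, const gid_t *groups, int n)
{
    int extra = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] != intended)
            extra++;
    return extra;
}

/* Same check against the running process.
 * Returns -1 on error, otherwise the residual count. */
int residual_groups_of_self(gid_t intended)
{
    int n = getgroups(0, NULL);          /* size query only */
    if (n < 0) return -1;
    if (n == 0) return 0;
    gid_t *list = malloc((size_t)n * sizeof *list);
    if (!list) return -1;
    n = getgroups(n, list);
    int extra = (n < 0) ? -1 : count_residual_groups(intended, list, n);
    free(list);
    return extra;
}

/* Constructed sample data: group lists as read from the two listings
 * above (assumption: those columns are supplementary groups). */
static const gid_t before_patch[] = {0, 2, 3, 4, 5, 20, 31};
static const gid_t after_patch[]  = {1002};

int main(void)
{
    printf("before: %d residual\n", count_residual_groups(1002, before_patch, 7));
    printf("after:  %d residual\n", count_residual_groups(1002, after_patch, 1));
    printf("self:   %d residual\n", residual_groups_of_self(getgid()));
    return 0;
}
```

A daemon would call `residual_groups_of_self()` with its target gid once the drop is complete and refuse to start on any non-zero result.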