
Bug#257108: marked as done (apache: /var/lib/apache/mod-bandwidth/ is world writable )



Your message dated Thu, 1 Jul 2004 11:37:10 +0200 (CEST)
with message-id <Pine.LNX.4.58.0407011129550.3762@trider-g7.ext.fabbione.net>
and subject line Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable 
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 1 Jul 2004 09:03:09 +0000
From jfs@dat.etsit.upm.es Thu Jul 01 02:03:09 2004
Return-path: <jfs@dat.etsit.upm.es>
Received: from tornado.dat.etsit.upm.es (dat.etsit.upm.es) [138.100.17.73] 
	by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
	id 1BfxTJ-0004Kb-00; Thu, 01 Jul 2004 02:03:09 -0700
Received: (qmail 16458 invoked by uid 1013); 1 Jul 2004 09:03:07 -0000
Date: Thu, 1 Jul 2004 11:03:07 +0200
From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: apache: /var/lib/apache/mod-bandwidth/ is world writable 
Message-ID: <20040701090307.GA15781@dat.etsit.upm.es>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="sm4nu43k4a2Rpi4c"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040523i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 


--sm4nu43k4a2Rpi4c
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: apache-common
Version: 1.3.31-1
Priority: important
Tags: security

I cannot really understand why this is needed:

$ ls -la /var/lib/apache/mod-bandwidth/
total 16
drwxrwxrwx    4 www-data www-data     4096 2003-10-20 21:53 .
drwxr-xr-x    3 root     root         4096 2003-10-20 21:53 ..
drwxrwxrwx    2 www-data www-data     4096 2003-10-14 14:38 link
drwxrwxrwx    2 www-data www-data     4096 2003-10-14 14:38 master

README.mod_bandwidth just says:

No documentation available!

So, is there any reason why mod-bandwidth files should be writable by all
users?

I'm tagging this security because directories writable by all users open up
a can of worms (partition DoS attacks, symlink and hard link attacks) and
administrators do not expect Debian packages to create those without a good
enough reason. Also, directories writable by all users (such as /tmp/ or
/var/tmp) should be created with the sticky bit.

Regards

Javier


---------------------------------------
Received: (at 257108-done) by bugs.debian.org; 1 Jul 2004 09:37:20 +0000
From fabbione@fabbione.net Thu Jul 01 02:37:20 2004
Return-path: <fabbione@fabbione.net>
Received: from port1845.ds1-khk.adsl.cybercity.dk (trider-g7.fabbione.net) [212.242.190.82] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Bfy0O-0005oZ-00; Thu, 01 Jul 2004 02:37:20 -0700
Received: from localhost (localhost [127.0.0.1])
	by trider-g7.fabbione.net (Postfix) with ESMTP id 16766E86;
	Thu,  1 Jul 2004 11:37:17 +0200 (CEST)
Received: from trider-g7.fabbione.net ([127.0.0.1])
	by localhost (trider-g7 [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id 10077-06-2; Thu, 1 Jul 2004 11:37:10 +0200 (CEST)
Received: from trider-g7.ext.fabbione.net (port1845.ds1-khk.adsl.cybercity.dk [212.242.190.82])
	by trider-g7.fabbione.net (Postfix) with ESMTP id 6A7F4E7F;
	Thu,  1 Jul 2004 11:37:10 +0200 (CEST)
Date: Thu, 1 Jul 2004 11:37:10 +0200 (CEST)
From: Fabio Massimo Di Nitto <fabbione@fabbione.net>
Sender: fabbione@fabbione.net
To: Javier Fernández-Sanguino Peña <jfs@computer.org>,
	257108-done@bugs.debian.org
Cc: Debian Apache Maintainers <debian-apache@lists.debian.org>
Subject: Re: Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world
 writable 
In-Reply-To: <20040701090307.GA15781@dat.etsit.upm.es>
Message-ID: <Pine.LNX.4.58.0407011129550.3762@trider-g7.ext.fabbione.net>
References: <20040701090307.GA15781@dat.etsit.upm.es>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
X-Virus-Scanned: by amavisd-new-20030616-p9 (Debian) at fabbione.net
Delivered-To: 257108-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 


This has been discussed before several times. Here is one:

http://lists.debian.org/debian-apache/2004/02/msg00045.html

On Thu, 1 Jul 2004, Javier Fernández-Sanguino Peña wrote:

> Package: apache-common
> Version: 1.3.31-1
> Priority: important
> Tags: security
>
> I cannot really understand why this is needed:
>
> $ ls -la /var/lib/apache/mod-bandwidth/
> total 16
> drwxrwxrwx    4 www-data www-data     4096 2003-10-20 21:53 .
> drwxr-xr-x    3 root     root         4096 2003-10-20 21:53 ..
> drwxrwxrwx    2 www-data www-data     4096 2003-10-14 14:38 link
> drwxrwxrwx    2 www-data www-data     4096 2003-10-14 14:38 master
>
> README.mod_bandwidth just says:
>
> No documentation available!

It is in the source code.

>
> So, is there any reason why mod-bandwidth files should be writable by all
> users?

 * 3) Create the following directories with "rwx" permission to everybody :
 *    /tmp/apachebw
 *    /tmp/apachebw/link
 *    /tmp/apachebw/master
 *
 * Note that if any of those directories doesn't exist, or if they can't
 * be accessed by the server, the module is totally disabled except for
 * logging an error message in the logfile.

Fabio

-- 
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.
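A small audit that reflects both the report's objection (world-writable directories created without the sticky bit) and the module requirement quoted in the reply ("rwx" permission to everybody). This is an added example, not code from either message or from Debian's apache packaging: it checks the `ls -la` listing quoted in the report, runs the same check against a real directory tree, and applies the mitigation the report suggests (the sticky bit, as on /tmp) to a constructed copy of the mod-bandwidth layout in a temporary directory.

```python
import os
import stat
import tempfile

# Constructed copy of the `ls -la /var/lib/apache/mod-bandwidth/` output quoted in the report.
SAMPLE_LISTING = """\
total 16
drwxrwxrwx    4 www-data www-data     4096 2003-10-20 21:53 .
drwxr-xr-x    3 root     root         4096 2003-10-20 21:53 ..
drwxrwxrwx    2 www-data www-data     4096 2003-10-14 14:38 link
drwxrwxrwx    2 www-data www-data     4096 2003-10-14 14:38 master
"""

def risky_ls_entries(listing):
    """Names of directories in `ls -la` output that are world-writable but lack the sticky bit."""
    risky = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 8 or len(fields[0]) != 10:
            continue                              # skips the "total N" line
        mode = fields[0]                          # e.g. drwxrwxrwx; columns 8-10 are "other"
        # ls prints the sticky bit as t/T in the last column (drwxrwxrwt, like /tmp)
        if mode[0] == "d" and mode[8] == "w" and mode[9] not in ("t", "T"):
            risky.append(fields[-1])
    return risky

def audit_tree(root):
    """Walk a real tree and return directories that are world-writable without the sticky bit."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append(dirpath)
    return sorted(findings)

def add_sticky_bit(paths):
    """The report's mitigation: keep the directory world-writable, but set the sticky bit as /tmp has."""
    for p in paths:
        os.chmod(p, (os.lstat(p).st_mode & 0o7777) | stat.S_ISVTX)

def demo_mod_bandwidth_layout():
    """Rebuild the mod-bandwidth layout with mode 0777 in a temp dir, audit, harden, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "mod-bandwidth")
        for d in (base, os.path.join(base, "link"), os.path.join(base, "master")):
            os.mkdir(d)
            os.chmod(d, 0o777)                    # chmod after mkdir so the umask does not interfere
        before = audit_tree(base)                 # expect base, link and master
        add_sticky_bit(before)
        return len(before), audit_tree(base)      # (3, [])
```

The sticky bit only stops users from unlinking or renaming each other's entries; it does not address the disk-filling case the report mentions, which needs a separate filesystem or quota.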


