
Bug#167966: marked as done (apache-perl: Startup script in init.d should set umask)



Your message dated Fri, 17 Oct 2003 16:17:33 +0100
with message-id <20031017151733.GR18370@parcelfarce.linux.theplanet.co.uk>
and subject line no more info
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 6 Nov 2002 00:39:46 +0000
>From rene@segesta.seindal.dk Tue Nov 05 18:39:45 2002
Return-path: <rene@segesta.seindal.dk>
Received: from 213.237.54.7.adsl.suoe.worldonline.dk (segesta.seindal.dk) [213.237.54.7] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 189EET-0006jS-00; Tue, 05 Nov 2002 18:39:45 -0600
Received: from rene by segesta.seindal.dk with local (Exim 3.36 #1 (Debian))
	id 189EDw-0004i7-00; Wed, 06 Nov 2002 01:39:12 +0100
From: "René Seindal" <rene@seindal.dk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache-perl: Startup script in init.d should set umask
X-Mailer: reportbug 1.50
Date: Wed, 06 Nov 2002 01:39:12 +0100
Message-Id: <E189EDw-0004i7-00@segesta.seindal.dk>
Sender: Rene Seindal <rene@segesta.seindal.dk>
Delivered-To: submit@bugs.debian.org

Package: apache-perl
Version: 1.3.26-1-1.26-1
Severity: normal
Tags: security

Hi,

I just noticed that when apache is started from init.d at boot, the
umask is 0, possibly leading to the creation of world writable files and
directories.  It happened to me with HTML::Mason and Cache::FileCache
which led to a completely world writable cache, files and directories.

It would be a good idea to set a safer default in
/etc/init.d/apache-perl, such as 0077, 0027 or 0007.  I guess that in a
default context they are all safe, as no user is in group www-data by
default.  If people want something less safe, they can set it in their
mod_perl startup script, but apache-perl should have a safe default out
of the box.

The same probably holds for apache and apache-ssl, but I don't use those
packages.

René Seindal.


-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux segesta 2.4.19-686 #1 Thu Aug 8 21:30:09 EST 2002 i686
Locale: LANG=C, LC_CTYPE=da_DK

Versions of packages apache-perl depends on:
ii  apache-common                1.3.26-1.1  Support files for all Apache webse
ii  debconf                      1.2.10      Debian configuration management sy
ii  dpkg                         1.10.4      Package maintenance system for Deb
ii  libapache-mod-perl           1.26-4      Integration of perl with the Apach
ii  libc6                        2.2.5-14.3  GNU C Library: Shared libraries an
ii  libdb2                       2:2.7.7.0-8 The Berkeley database routines (ru
ii  libperl5.6                   5.6.1-7     Shared Perl library.
ii  mime-support                 3.19-1      MIME files 'mime.types' & 'mailcap
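
The effect described in the report above can be reproduced and audited with the following added example, which is not part of the original report or of the apache-perl package. The function names and the cache/ns/entry layout are constructed for illustration; the umask values are the ones named in the report.

```shell
#!/bin/sh
# Added example (constructed): not taken from /etc/init.d/apache-perl.

# Create a small cache tree the way a daemon does: mkdir requests 0777 and
# file creation requests 0666, so the inherited umask alone decides the result.
make_cache() {   # usage: make_cache UMASK DIR
    (
        umask "$1" || exit 1
        mkdir -p "$2/cache/ns" && : > "$2/cache/ns/entry"
    )
}

# Count files and directories at or below DIR that carry the o+w bit.
count_world_writable() {   # usage: count_world_writable DIR
    find "$1" \( -type f -o -type d \) -perm -0002 | wc -l | tr -d ' '
}

# Compare umask 0 (what the report observed at boot) with the proposed values.
demo() {
    base=$(mktemp -d) || return 1
    for mask in 0000 0007 0027 0077; do
        make_cache "$mask" "$base/$mask" || return 1
        printf 'umask %s: %s world-writable entries\n' \
            "$mask" "$(count_world_writable "$base/$mask")"
    done
    rm -rf "$base"
}

demo
```

count_world_writable can also be pointed at an existing cache directory to check whether it was populated under a permissive umask.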


---------------------------------------
Received: (at 167966-close) by bugs.debian.org; 17 Oct 2003 15:17:35 +0000
>From willy@www.linux.org.uk Fri Oct 17 10:17:34 2003
Return-path: <willy@www.linux.org.uk>
Received: from parcelfarce.linux.theplanet.co.uk (www.linux.org.uk) [195.92.249.252] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1AAWMA-0006Nf-00; Fri, 17 Oct 2003 10:17:34 -0500
Received: from willy by www.linux.org.uk with local (Exim 4.22)
	id 1AAWM9-0001Yp-Jl
	for 167966-close@bugs.debian.org; Fri, 17 Oct 2003 16:17:33 +0100
Date: Fri, 17 Oct 2003 16:17:33 +0100
From: Matthew Wilcox <willy@debian.org>
To: 167966-close@bugs.debian.org
Subject: no more info
Message-ID: <20031017151733.GR18370@parcelfarce.linux.theplanet.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
Sender: <willy@www.linux.org.uk>
Delivered-To: 167966-close@bugs.debian.org


moreinfo was requested a year ago.  The submitter did not respond,
so I'm closing this bug.

-- 
"It's not Hollywood.  War is real, war is primarily not about defeat or
victory, it is about death.  I've seen thousands and thousands of dead bodies.
Do you think I want to have an academic debate on this subject?" -- Robert Fisk


