
Bug#573320: marked as done (lighttpd: Don't run Lighttpd as www-data)



Your message dated Mon, 13 Aug 2018 23:10:27 -0400
with message-id <20180814031027.GD11378@i5>
and subject line 573320-done
has caused the Debian Bug report #573320,
regarding lighttpd: Don't run Lighttpd as www-data
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
573320: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573320
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: lighttpd
Version: 1.4.26-1
Severity: wishlist

Hi,

Would it be possible to start FastCGI processes via spawn-fcgi and to run Lighttpd as a user other than www-data (maybe user lighttpd)?
I think this improves security as FastCGI processes can no longer touch Lighttpd (and its log files).

Greetings,

Olaf

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'unstable'), (1, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages lighttpd depends on:
ii  libattr1               1:2.4.43-2        Extended attribute shared library
ii  libbz2-1.0             1.0.5-1           high-quality block-sorting file co
ii  libc6                  2.10.2-2          GNU C Library: Shared libraries
ii  libfam0                2.7.0-13.3+lenny1 Client library to control the FAM 
ii  libldap-2.4-2          2.4.11-1+lenny1   OpenLDAP libraries
ii  libpcre3               7.8-2+b1          Perl 5 Compatible Regular Expressi
ii  libssl0.9.8            0.9.8k-7          SSL shared libraries
ii  libterm-readline-perl- 1.0302-1          Perl implementation of Readline li
ii  lsb-base               3.2-20            Linux Standard Base 3.2 init scrip
ii  mime-support           3.44-1            MIME files 'mime.types' & 'mailcap
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

Versions of packages lighttpd recommends:
ii  spawn-fcgi                    1.6.2-3    A fastcgi process spawner

Versions of packages lighttpd suggests:
ii  apache2-utils           2.2.9-10+lenny6  utility programs for webservers
ii  openssl                 0.9.8g-15+lenny6 Secure Socket Layer (SSL) binary a
pn  rrdtool                 <none>           (no description available)

-- no debconf information



--- End Message ---
--- Begin Message ---
Package: lighttpd
Tags: wontfix

Backend FastCGI servers could be started up by separate supervisors
and run as different users, all independently of lighttpd.  lighttpd
can be configured to use those backends, even if lighttpd does not
start those backends.

The default user under which lighttpd starts is very unlikely to
change given the potential impact to existing users.  There are simple
configuration changes that you can make to your lighttpd config if you
want to run different processes as different users, whether lighttpd,
or backends, or both.

The original reasons for filing this ticket include:
"I think this improves security as FastCGI processes can no longer touch Lighttpd (and its log files)."
Related ticket:
lighttpd: /var/log/ligghtpd/*.log (sic) is readable by www-data
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=406338

--- End Message ---
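The configuration the maintainer describes in the closing message (lighttpd running as its own user, the FastCGI backend started by a separate supervisor as another user, and lighttpd merely connecting to the backend's socket), written out as an added example. This is not configuration from the bug report or from the Debian lighttpd package; the user names "lighttpd" and "php-fcgi", the socket and log paths, and the choice of php-cgi as the backend binary are assumptions for illustration.

```conf
# Added example (not from the bug report or the lighttpd package): a lighttpd
# configuration in which the web server and its FastCGI backend run as two
# different users, so the backend cannot read or write lighttpd's log files.
# The user names "lighttpd" and "php-fcgi", the paths and the php-cgi binary
# are assumptions.

server.modules += ( "mod_fastcgi", "mod_accesslog" )

# lighttpd starts as root (to bind port 80/443) and then drops to this
# user/group. Both must exist on the system; Debian's default is www-data.
server.username  = "lighttpd"
server.groupname = "lighttpd"

server.document-root = "/var/www/html"
server.pid-file      = "/run/lighttpd.pid"

# Log files are opened by root before privileges are dropped and written as
# the "lighttpd" user. Keep /var/log/lighttpd owned lighttpd:adm with mode
# 0750 so the backend user (php-fcgi) cannot open them at all.
server.errorlog    = "/var/log/lighttpd/error.log"
accesslog.filename = "/var/log/lighttpd/access.log"

# The backend is NOT spawned by lighttpd: there is no "bin-path" entry, so
# lighttpd only connects to a socket that already exists. Start the backend
# from a separate supervisor (init script, systemd unit, ...) as an
# unprivileged user, for example:
#
#   spawn-fcgi -s /run/php-fcgi.sock -u php-fcgi -g php-fcgi \
#              -U php-fcgi -G lighttpd -M 0660 -P /run/php-fcgi.pid \
#              -- /usr/bin/php-cgi
#
# -u/-g set the user and group the backend runs as; -U/-G/-M set the owner,
# group and mode of the socket file so that only the backend user and
# members of the lighttpd group can connect to it.
fastcgi.server = ( ".php" => ((
    "socket"      => "/run/php-fcgi.sock",
    "check-local" => "enable"
)) )
```

Two checks worth running after a change like this: confirm with `ps` that the lighttpd workers run as lighttpd and the php-cgi processes as php-fcgi, and confirm that `sudo -u php-fcgi cat /var/log/lighttpd/error.log` is refused with a permission error (the condition that bug #406338 complains about when everything runs as www-data). The caveat is that lighttpd no longer restarts a backend it did not start, so the supervisor is responsible for keeping the socket alive; while it is down, requests to the backend fail. The backend user still needs read access to the scripts under the document root, and the lighttpd user needs read access to the static files, so ownership of /var/www/html has to be set with both users in mind.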