
Re: Bug#43094: dwww config chowns entire system to 'www-data'



Robert wrote: (among other things)
> When the configure was completed I saw that every single file and
> directory on my system was owned by www-data.

I've had a brief look at the source, and the problem appears to be in
the "dwwwconfig" script which is run automatically in dwww's postinst.

The only plausible instance of the "chown" command I can find is:

	system("chown -R $final_cgiuser. /var/spool/dwww");

which seems legitimate. Furthermore, $final_cgiuser seems to be set
appropriately, and so on.

What I suspect happened is that $final_cgiuser got set to "www-data ",
and dwwwconfig proceeded to call "chown -R www-data . /var/spool/dwww",
from the "/" directory.

The appropriate fix would thus be changing the above line to:

	system("chown -R \"$final_cgiuser\". /var/spool/dwww");

(adding quotes to make sure chown agrees with us on what the username is)

Adding some additional checking that the user's entered a valid
user/group/directory in the appropriate places would be more useful in
the long term, of course.

I'm assuming "user error" (adding a space or tab or something after the
username) is the original cause here, but I'm not really sure about
it. In any case, the above should ensure that the above catastrophe
doesn't happen again.

FWIW, none of the other system calls in dwwwconfig look like they could
suffer from similar problems.

Jim, does all that sound reasonable to you? Would you like to make a
proper fix for this sometime soonish, or would you rather an NMU?

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. PGP encrypted mail preferred.

 ``The thing is: trying to be too generic is EVIL. It's stupid, it 
        results in slower code, and it results in more bugs.''
                                        -- Linus Torvalds
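
The failure the mail suspects, and the input checking it suggests, shown as an added example that is not part of the original message or of dwwwconfig. The function names (`shell_words`, `valid_cgiuser`, `chown_spool`) are hypothetical, the account-name pattern is an assumption, and the inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified model of how /bin/sh splits an unquoted command string:
# whitespace separates arguments (shell quoting rules are ignored here).
sub shell_words {
    my ($cmd) = @_;
    return split ' ', $cmd;
}

# Accept only a conservative account-name syntax (an assumption; adjust to
# local policy) and require that the account exists. Returns the name, or
# nothing so the caller can prompt again.
sub valid_cgiuser {
    my ($name) = @_;
    return unless defined $name && $name =~ /\A[a-z_][a-z0-9_-]{0,31}\z/;
    my $uid = getpwnam($name);          # scalar context: uid, or undef
    return defined $uid ? $name : ();
}

# List-form system() runs chown directly, so no shell ever re-splits the
# user name; "--" ends option parsing before the operands.
sub chown_spool {
    my ($user, $dir) = @_;
    my @args = ('chown', '-R', '--', "$user.", $dir);
    return system(@args) == 0;
}

# Constructed inputs: the first carries the trailing space the mail suspects.
for my $input ('www-data ', 'root') {
    my @words = shell_words("chown -R $input. /var/spool/dwww");
    print "input '$input' -> the shell sees: ", join(' | ', @words), "\n";

    my $user = valid_cgiuser($input);
    my $verdict = defined $user
        ? "accepted; would call chown_spool('$user', '/var/spool/dwww')"
        : "rejected; ask for the user name again";
    print "  $verdict\n";
}
```

For the first input the split shows `.` as a separate argument, which is the recursive chown of the current directory described above; the demo loop only prints and never calls `chown_spool` itself.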

