[Koha-bugs] [Bug 6094] Fixing ModAuthority problems

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon Jul 25 09:27:20 CEST 2011


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6094

Frère Sébastien Marie <semarie-koha at latrappe.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |semarie-koha at latrappe.fr

--- Comment #11 from Frère Sébastien Marie <semarie-koha at latrappe.fr> 2011-07-25 07:27:20 UTC ---
(In reply to comment #10)
> (In reply to comment #8)
> > How about /var/tmp ? 
> Good idea. I submitted a revised patch. Could you do the signoff please?
> Thanks.

This patch presents a security issue.

The "/var/tmp/modified_authorities" directory is created with unix mode 777:
so *every* user on the system could create (or remove) files in this directory.

It also permits *any* user to arbitrarily overwrite a file owned by the webserver
owner (generally www-data), using a symlink attack (see CWE-61,
http://cwe.mitre.org/data/definitions/61.html).

Please correct it.

The directory should be created by the installer (with root permissions) to have
the owner set to koha.www-data, and permissions set to 2770. This permits the apache
daemon (and only it) to write in this directory, and permits the koha user (the
user which should run the crontab for updates) to read and delete these files.

I think a common directory for koha would be fine to create (should be
discussed on the ML) with good owner/permissions, and subdirectories for
particular tasks (like this one).

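The two sides of the fix proposed in this comment (installer creates the spool directory with mode 2770, the web process refuses to use a world-writable or symlinked directory and creates its files without following links), as an added example that is not part of the bug report or of Koha's code. Directory and file names are constructed for the demo; the chown to koha.www-data, which needs root, is deliberately left to the installer.

```python
import os
import stat
import tempfile

def check_spool_dir(path, expected_mode=0o2770):
    """Return (ok, reason); refuse a directory that other local users could abuse."""
    st = os.lstat(path)  # lstat: a symlink planted at `path` itself is not followed
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False, "not a real directory"
    mode = stat.S_IMODE(st.st_mode)
    if (mode & 0o777) != (expected_mode & 0o777):
        return False, "mode %04o, expected %04o" % (mode, expected_mode)
    return True, "ok"

def create_spool_dir(path, mode=0o2770):
    # Installer side: mkdir, then an explicit chmod because makedirs honours the
    # umask. The chown to koha.www-data needs root and is not attempted here.
    os.makedirs(path, mode=mode, exist_ok=True)
    os.chmod(path, mode)

def write_record(dirpath, name, data):
    # Writer side (web process): verify the directory, then create the file with
    # O_EXCL|O_NOFOLLOW so a pre-existing symlink makes open() fail instead of
    # redirecting the write to whatever file the link points at (CWE-61).
    ok, why = check_spool_dir(dirpath)
    if not ok:
        raise PermissionError("refusing to use %s: %s" % (dirpath, why))
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(os.path.join(dirpath, name), flags, 0o660)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return True

def demo():
    # Constructed scenario under a temp dir; returns what each safeguard decided.
    base = tempfile.mkdtemp()
    wide = os.path.join(base, "wide_open")
    os.mkdir(wide); os.chmod(wide, 0o777)  # what the patch under review does
    spool = os.path.join(base, "modified_authorities")
    create_spool_dir(spool)
    victim = os.path.join(base, "victim"); open(victim, "w").close()
    os.symlink(victim, os.path.join(spool, "rec2"))  # a link already sits at that name
    try:
        write_record(spool, "rec2", "y")
        followed = True
    except FileExistsError:
        followed = False
    return (not check_spool_dir(wide)[0], check_spool_dir(spool)[0],
            write_record(spool, "rec1", "x"), followed, open(victim).read() == "")
```

Running `demo()` returns `(True, True, True, False, True)`: the 777 directory is rejected, the 2770 one accepted, a fresh record is written, and the write aimed at the pre-existing link fails without touching the linked file.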