Your message dated Mon, 10 Nov 2014 11:35:16 +0100 with message-id <20141110103516.ga13...@sesse.net> and subject line "Re: Bug#743483: apache2-mpm-itk: AssignUserID is ignored in favor of file ownership." has caused the Debian Bug report #743483, regarding "apache2-mpm-itk: AssignUserID is ignored in favor of file ownership.", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
743483: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743483
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2-mpm-itk
Version: 2.2.22-13+deb7u1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

I was setting up a new webhosting server using the latest Wheezy version, and in particular moving away from suexec/fcgid and to mpm-itk for performance reasons.

During one of the tests with a php script containing just the line

  <?php print get_current_user() ?>

I was shocked to discover that the return value was 'root' rather than 'testclient' because I'd created the file as root ('testclient' doesn't get a shell login) and the script's UID was set to the file owner rather than the explicitly stated "AssignUserID testclient webclients".

I ran a second test, this time placing the script in /var/www and adding 'AssignUserID www-data www-data' to /etc/apache2/sites-enabled/000-default, and observed the same behavior.

I'm breaking my head over whether I might have made a mistake during configuration, but this is a near-pristine server setup -- and either I've done something very badly wrong or this is a serious security problem with mpm-itk, especially if someone can write a script in their webhosting docroot and then chown it to root.

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile authz_host authz_user autoindex cgi deflate dir env evasive20 mime negotiation php5 reqtimeout setenvif status

List of enabled php5 extensions:
  memcached pdo

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-0.bpo.1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2-mpm-itk depends on:
ii  apache2.2-bin     2.2.22-13+deb7u1
ii  apache2.2-common  2.2.22-13+deb7u1

apache2-mpm-itk recommends no packages.

apache2-mpm-itk suggests no packages.

-- no debconf information

[Attachment: 000-default (Description: inode/symlink)]
--- End Message ---
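The test in the report above uses get_current_user(), which in PHP returns the owner of the script file, not the user the request is being served as; the two only coincide when the file happens to be owned by the vhost user. The check below is an added example, not code from the bug report or from the mpm-itk project: it reports both the file owner and the effective UID/GID of the worker serving the request, which is what AssignUserID is meant to change. It assumes PHP's POSIX extension is loaded and that the expected user name in the constant is a placeholder to be adjusted per vhost.

```php
<?php
// Added example (not from the bug report or mpm-itk): verify which user an
// mpm-itk vhost actually serves requests as.
//
//   get_current_user()  -> name of the OWNER of this script file (stat-based)
//   posix_geteuid()     -> effective UID of the process handling this request
//
// Only the second one reflects AssignUserID. A root-owned script under a
// correctly configured vhost will still show "root" from get_current_user().
//
// Assumes: the POSIX extension is available (php5-posix on Wheezy-era
// systems, built in on most later builds). EXPECTED_USER is a placeholder.

define('EXPECTED_USER', 'testclient'); // placeholder; set to the vhost's AssignUserID user

function script_owner() {
    // Owner of the script file, as reported by PHP.
    return get_current_user();
}

function effective_user() {
    // User the current worker process is running as after mpm-itk's setuid.
    $uid = posix_geteuid();
    $pw  = posix_getpwuid($uid);
    return $pw === false ? (string) $uid : $pw['name'];
}

function effective_group() {
    $gid = posix_getegid();
    $gr  = posix_getgrgid($gid);
    return $gr === false ? (string) $gid : $gr['name'];
}

function assign_user_id_check($expected) {
    $actual = effective_user();
    return array(
        'script_owner'    => script_owner(),
        'effective_user'  => $actual,
        'effective_uid'   => posix_geteuid(),
        'effective_group' => effective_group(),
        'effective_gid'   => posix_getegid(),
        'running_as_root' => (posix_geteuid() === 0),
        'ok'              => ($actual === $expected),
    );
}

// Serve a plain-text report; a mismatch returns HTTP 500 so that an external
// monitor can alert on it.
header('Content-Type: text/plain');
$result = assign_user_id_check(EXPECTED_USER);
foreach ($result as $key => $value) {
    if (is_bool($value)) {
        $value = $value ? 'yes' : 'no';
    }
    printf("%-16s %s\n", $key, $value);
}
if (!$result['ok']) {
    http_response_code(500);
}
```

Place the file in the vhost's document root and request it over HTTP; run from the command line it only reports the shell user, because mpm-itk switches UID/GID in the worker that serves the request. The line that matters is effective_user: if it equals the AssignUserID user, the directive is in effect regardless of who owns the script; if it reports root or www-data for a vhost that should run as another user, that is the finding to investigate.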
--- Begin Message ---
On Sun, Jul 13, 2014 at 03:36:46PM +0200, Arno Töll wrote:
> I'm handing this over to you now that itk is its own package.

I'm closing this; it's unreproducible, it doesn't make sense, and nobody else has reported anything like it.

/* Steinar */
--
Homepage: http://www.sesse.net/
--- End Message ---