First, great idea putting the code into a SourceForge project!
I haven't contributed to a SourceForge project before, so I'm posting this
here.
I think the segment of code in Util::Base.pm that reads the config file is
overly restrictive...
In get_config() lines 171-177:

    171 if ($self->{env}{os} eq 'UNIX') {
    172     my ($mode,$uid) = (stat($file))[2,4];
    173
    174     if ((($uid != 0) && ($uid != $<)) || ($mode & 022)) {
    175         _croak("Config file not secure (mode=$mode uid=$uid).");
    176     }
    177 }

I'm getting croaked running order.cgi because of line 174.
I read that as: if( ((config_file_owner is not root) and
(config_file_owner is not executing_this_script)) or
(anyone_but_config_file_owner_can_rwx_config_file)) then croak.
The second half of the or statement is good, the config file should
probably be 'chmod 0600' to protect the RSP's key. But root should NOT
have to own the file!
On my system, I own the OpenSRS.conf config file (user:russ uid:500), so
($uid != 0) = 1; and my webserver is run by the user nobody (as are cgi
scripts), so ($uid != $<) = 1 also.
Thinking even further along... user nobody cannot read a file that is not
world readable, so even if you did remove the former half of the or
statement, the config file couldn't be read. This makes the whole security
check here moot.
All the RSPs hosting on shared systems are probably going to run into this,
unless root installs their OpenSRS software.
Am I missing something? Can we get this changed?
-Russ
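
Added example (not part of the original post and not OpenSRS code): the condition quoted from line 174, split into its two clauses and run over constructed owner/mode combinations so it is visible which clause rejects each one. The name check_config, the case table and uid 99 for "nobody" are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same test as the quoted line 174, split so each clause can be reported.
# $mode and $owner correspond to stat() fields 2 and 4; $ruid stands in for $<
# (the real uid of the process running the script).
sub check_config {
    my ($mode, $owner, $ruid) = @_;
    my @why;
    push @why, 'owner is neither root nor the running uid'
        if $owner != 0 && $owner != $ruid;
    push @why, 'group or other has write permission'
        if $mode & 022;
    return @why;    # empty list means the file is accepted
}

# Constructed cases. uid 500 is the poster's account from the message;
# uid 99 for "nobody" is an assumption and differs between systems.
my @cases = (
    # label                                     mode  owner ruid
    ['owner 500,  CGI runs as nobody, 0600',    0600,  500,  99],
    ['owner 500,  CGI runs as nobody, 0644',    0644,  500,  99],
    ['owner 500,  run by uid 500,     0600',    0600,  500, 500],
    ['owner root, CGI runs as nobody, 0644',    0644,    0,  99],
    ['owner root, CGI runs as nobody, 0664',    0664,    0,  99],
    ['owner nobody, CGI runs as nobody, 0600',  0600,   99,  99],
);

for my $c (@cases) {
    my ($label, $mode, $owner, $ruid) = @$c;
    my @why = check_config($mode, $owner, $ruid);
    printf "%-42s %s\n", $label,
        @why ? 'croak: ' . join('; ', @why) : 'accepted';
}
```

The mask 022 covers only the group-write and other-write bits, so a root-owned file with mode 0644 is accepted by this check even though every local account can read it. Rejecting readable files as well would need the mask 077, which leaves only the case where the file is owned by the uid the script runs as.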