Root doesn't have to be the owner of the config file.  I have no problems running
under my own UID.  The only problem I encounter is when it goes to a secure
server.  I suggest you comment the croak out.

174    if ((($uid != 0) && ($uid != $<)) || ($mode & 022)) {
175       #_croak("Config file not secure (mode=$mode uid=$uid).");
176    }
177 }

--Kit

> First, great idea putting the code into a SourceForge project!
> 
> I haven't contributed to a SourceForge project before, so I'm posting this
> here.
> 
> I think the segment of code in Util::Base.pm that reads the config file is
> overly restrictive...
> 
> In get_config() lines 171-177:
> 
> 171 if ($self->{env}{os} eq 'UNIX') {
> 172    my ($mode,$uid) = (stat($file))[2,4];
> 173
> 174    if ((($uid != 0) && ($uid != $<)) || ($mode & 022)) {
> 175       _croak("Config file not secure (mode=$mode uid=$uid).");
> 176    }
> 177 }
> 
> I'm getting croaked running order.cgi because of line 174.
> 
> I read that as:  if( ((config_file_owner is not root) and
> (config_file_owner is not executing_this_script)) or
> (anyone_but_config_file_owner_can_rwx_config_file)) then croak.
> 
> The second half of the or statement is good, the config file should
> probably be 'chmod 0600' to protect the RSP's key.  But root should NOT
> have to own the file!
> 
> On my system, I own the OpenSRS.conf config file (user:russ uid:500), so
> ($uid != 0) = 1; and my webserver is run by the user nobody (as are cgi
> scripts), so ($uid != $<) = 1 also.
> 
> Thinking even further along... user nobody cannot read a file that is not
> world readable, so even if you did remove the former half of the or
> statement, the config file couldn't be read.  This makes the whole security
> check here moot.
> 
> All the RSPs hosting on shared systems are probably going to run into this,
> unless root installs their OpenSRS software.
> 
> Am I missing something?  Can we get this changed?
> 
> -Russ
> 
> 
> 
> 
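The condition on line 174 discussed in this thread, evaluated over several owner and mode combinations. This is an added example, not code from either message or from the OpenSRS distribution. The `check_config` helper, the `$ruid` parameter (standing in for `$<`) and all sample values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same condition as line 174 of get_config(), split in two so each
# failing half can be reported separately. $ruid stands in for $<
# (the real UID of the running process), so the constructed cases
# below can be evaluated without calling stat() on a real file.
sub check_config {
    my ($mode, $uid, $ruid) = @_;
    my @why;
    push @why, 'owner is neither root nor the running user'
        if $uid != 0 && $uid != $ruid;
    push @why, 'group or other has write permission'
        if $mode & 022;
    return @why;
}

# Constructed cases: [label, mode, file owner uid, running uid].
# Modes carry the regular-file type bits (0100000), as (stat)[2] does.
my @cases = (
    ['root-owned, 0644, run as uid 99', 0100644, 0,   99],
    ['uid 500 owned, 0600, run as 500', 0100600, 500, 500],
    ['uid 500 owned, 0600, run as 99',  0100600, 500, 99],
    ['uid 500 owned, 0644, run as 99',  0100644, 500, 99],
    ['uid 500 owned, 0664, run as 500', 0100664, 500, 500],
    ['root-owned, 0666, run as uid 99', 0100666, 0,   99],
);

for my $c (@cases) {
    my ($label, $mode, $uid, $ruid) = @$c;
    my @why = check_config($mode, $uid, $ruid);
    # Mask off the file-type bits so only the permission bits print.
    printf "%-33s mode=%04o  %s\n", $label, $mode & 07777,
        @why ? 'croak: ' . join('; ', @why) : 'ok';
}
```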
