Re: Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable
This has been discussed before several time. Here is one: http://lists.debian.org/debian-apache/2004/02/msg00045.html On Thu, 1 Jul 2004, Javier Fernández-Sanguino Peña wrote: Package: apache-common Version: 1.3.31-1 Priority: important Tags: security I cannot really understand why this is needed: $ ls -la /var/lib/apache/mod-bandwidth/ total 16 drwxrwxrwx4 www-data www-data 4096 2003-10-20 21:53 . drwxr-xr-x3 root root 4096 2003-10-20 21:53 .. drwxrwxrwx2 www-data www-data 4096 2003-10-14 14:38 link drwxrwxrwx2 www-data www-data 4096 2003-10-14 14:38 master README.mod_bandwidth just says: No documentation available! It is in the source code. So, is there any reason why mod-bandwith files should be writable by all users? * 3) Create the following directories with rwx permission to everybody : */tmp/apachebw */tmp/apachebw/link */tmp/apachebw/master * * Note that if any of those directories doesn't exist, or if they can't * be accessed by the server, the module is totaly disabled except for * logging an error message in the logfile. Fabio -- user fajita: step one fajita Whatever the problem, step one is always to look in the error log. user fajita: step two fajita When in danger or in doubt, step two is to scream and shout.
Bug#257108: marked as done (apache: /var/lib/apache/mod-bandwidth/ is world writable )
Your message dated Thu, 1 Jul 2004 11:37:10 +0200 (CEST) with message-id [EMAIL PROTECTED] and subject line Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable has caused the attached Bug report to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) -- Received: (at submit) by bugs.debian.org; 1 Jul 2004 09:03:09 + From [EMAIL PROTECTED] Thu Jul 01 02:03:09 2004 Return-path: [EMAIL PROTECTED] Received: from tornado.dat.etsit.upm.es (dat.etsit.upm.es) [138.100.17.73] by spohr.debian.org with smtp (Exim 3.35 1 (Debian)) id 1BfxTJ-0004Kb-00; Thu, 01 Jul 2004 02:03:09 -0700 Received: (qmail 16458 invoked by uid 1013); 1 Jul 2004 09:03:07 - Date: Thu, 1 Jul 2004 11:03:07 +0200 From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: apache: /var/lib/apache/mod-bandwidth/ is world writable Message-ID: [EMAIL PROTECTED] Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol=application/pgp-signature; boundary=sm4nu43k4a2Rpi4c Content-Disposition: inline User-Agent: Mutt/1.5.6+20040523i Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2004_03_25 X-Spam-Level: --sm4nu43k4a2Rpi4c Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Package: apache-common Version: 1.3.31-1 Priority: important Tags: security I cannot really understand why this is needed: $ ls -la /var/lib/apache/mod-bandwidth/ total 16 drwxrwxrwx4 www-data www-data 4096 2003-10-20 21:53 . drwxr-xr-x3 root root 4096 2003-10-20 21:53 .. drwxrwxrwx2 www-data www-data 4096 2003-10-14 14:38 link drwxrwxrwx2 www-data www-data 4096 2003-10-14 14:38 master README.mod_bandwidth just says: No documentation available! So, is there any reason why mod-bandwith files should be writable by all=20 users? I'm tagging this security because directories writable by all users open up a can of worms (partition DoS attacks, symlink and hard link attacks) and administrators do not expect Debian packages to create those without a good enough reason. Also, directories writable by all users (such as /tmp/ or /var/tmp) should be created with the sticky bit. Regards Javier --sm4nu43k4a2Rpi4c Content-Type: application/pgp-signature; name=signature.asc Content-Description: Digital signature Content-Disposition: inline -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFA49NLi4sehJTrj0oRAjy9AKCk1ez4VoP0hR9q1Ii4VB5oEEhCCgCbB4a3 OUXBG4g1aSqZKZb8CLGE0i4= =Ix/V -END PGP SIGNATURE- --sm4nu43k4a2Rpi4c-- --- Received: (at 257108-done) by bugs.debian.org; 1 Jul 2004 09:37:20 + From [EMAIL PROTECTED] Thu Jul 01 02:37:20 2004 Return-path: [EMAIL PROTECTED] Received: from port1845.ds1-khk.adsl.cybercity.dk (trider-g7.fabbione.net) [212.242.190.82] by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1Bfy0O-0005oZ-00; Thu, 01 Jul 2004 02:37:20 -0700 Received: from localhost (localhost [127.0.0.1]) by trider-g7.fabbione.net (Postfix) with ESMTP id 16766E86; Thu, 1 Jul 2004 11:37:17 +0200 (CEST) Received: from trider-g7.fabbione.net ([127.0.0.1]) by localhost (trider-g7 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 10077-06-2; Thu, 1 Jul 2004 11:37:10 +0200 (CEST) Received: from trider-g7.ext.fabbione.net (port1845.ds1-khk.adsl.cybercity.dk [212.242.190.82]) by trider-g7.fabbione.net (Postfix) with ESMTP id 6A7F4E7F; Thu, 1 Jul 2004 11:37:10 +0200 (CEST) Date: Thu, 1 Jul 2004 11:37:10 +0200 (CEST) From: Fabio Massimo Di Nitto [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] To: =?iso-8859-1?Q?Javier_Fern=E1ndez-Sanguino_Pe=F1a?= [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: Debian Apache Maintainers debian-apache@lists.debian.org Subject: Re: Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable In-Reply-To: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] References: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=iso-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE X-Virus-Scanned: by amavisd-new-20030616-p9 (Debian) at fabbione.net Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin
Order Canadian pharm valium
Meds from Canada, Meds from Canada2 0rder ultram and valium at lowered prices also get free sample of c1al1s with every 0rder http://www.sd93.com/?34 Thu, 01 Jul 2004 17:06:04 +0100
Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable
On Thu, Jul 01, 2004 at 11:37:10AM +0200, Fabio Massimo Di Nitto wrote: This has been discussed before several time. Here is one: http://lists.debian.org/debian-apache/2004/02/msg00045.html Well, the fact this bug is reported again, is an indication of inadequate documentation... Maybe this should be documented in the README? Also, I do think it's a valid point that that directory should probably be sticky. Why not leave this bug open until this is investigated? It can probably be set to normal since indeed this doesn't seem like a security bug, but still. It allows anybody to evade quota's and resource-starve a server by filling up /var/lib. --Jeroen -- Jeroen van Wolffelaar [EMAIL PROTECTED] (also for Jabber MSN; ICQ: 33944357) http://Jeroen.A-Eskwadraat.nl
Re: Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable
reopen 257108 thanks On Thu, Jul 01, 2004 at 11:37:10AM +0200, Fabio Massimo Di Nitto wrote: This has been discussed before several time. Here is one: http://lists.debian.org/debian-apache/2004/02/msg00045.html That might have been _discussed_ in a mailing list, but the apache documentation does not discuss it and there is no indication in any README. If you want to degrade the bug (or remove the 'security' tag which I believe it should have) fine by me, but I'm reopening this bug as not documenting why this should be like this, and what consequences this has is a bug. Regards Javier signature.asc Description: Digital signature
Processed: Re: Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable
Processing commands for [EMAIL PROTECTED]: reopen 257108 Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable Bug reopened, originator not changed. thanks Stopping processing here. Please contact me if you need assistance. Debian bug tracking system administrator (administrator, Debian Bugs database)
Processed: Re: Processed: Re: Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable
Processing commands for [EMAIL PROTECTED]: severity 257108 minor Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable Severity set to `minor'. tag 257108 - security Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable Tags were: security Tags removed: security retitle 257108 README.* lack information on why /var/lib/apache/mod-bandwidth/ is world writable Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable Changed Bug title. stop Stopping processing here. Please contact me if you need assistance. Debian bug tracking system administrator (administrator, Debian Bugs database)
Bug#257220: apache2-common: mod_auth_ldap does not maintain binding dn between requests
Package: apache2-common Version: 2.0.49-1 Severity: normal I have been attempting to diagnose a difficult-to-reproduce bug within mod_auth_ldap. It appears to only search for the requested user using the specified AuthLDAPBindDN during the first request, all other times it uses the dn of the most recently successful authentication. This does not work if the previously authenticated user does not have the authority to search for the new user to access the server. I also appear to have an issue when a bad password is entered for a user on a web page. The failure is recorded as a bad password error in the apache2 log (as expected), but all future requests fail with no such user until the web session is closed and re-opened. I have found a fairly comprehensive description of this bug that applies to a different auth_ldap module for Apache 1.3, the symptoms I am exhibiting are very similar. I was unable to determine how to apply the specified patch to my apache2 installation. http://www.suares.com/auth_ldap -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.7 Locale: LANG=C, LC_CTYPE=C Versions of packages apache2-common depends on: ii debconf 1.4.28 Debian configuration management sy ii debianutils 2.8.2Miscellaneous utilities specific t ii libapr0 2.0.49-1 The Apache Portable Runtime ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an ii libdb4.24.2.52-16Berkeley v4.2 Database Libraries [ ii libexpat1 1.95.6-8 XML parsing C library - runtime li ii libldap22.1.23-1 OpenLDAP libraries ii libmagic1 4.09-1 File type determination library us ii libssl0.9.7 0.9.7d-3 SSL shared libraries ii mime-support3.26-1 MIME files 'mime.types' 'mailcap ii net-tools 1.60-10 The NET-3 networking toolkit ii openssl 0.9.7d-3 Secure Socket Layer (SSL) binary a ii ssl-cert1.0-7Simple debconf wrapper for openssl ii zlib1g 1:1.2.1.1-3 compression library - runtime -- no debconf information
Bug#257228: apache2: FTBFS on kfreebsd-i386/sid; needs update config.{sub,guess}, new libtool
Package: apache2 Severity: wishlist Please update the config.sub and config.guess files, as well as the libtool, in your package. Currently, your package FTBFS on kfreebsd-i386 because of this. -- System Information: Debian Release: testing/unstable APT prefers experimental APT policy: (500, 'experimental'), (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.6-2-k7 Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (ignored: LC_ALL set to C)
