Re: /var/lib/apache/mod-bandwidth world-writable [forwarded]

2004-02-09 Thread Fabio Massimo Di Nitto
On Fri, 6 Feb 2004, Philipp Weis wrote:

> Hi,
>
> On 04 Feb 2004, Fabio Massimo Di Nitto <[EMAIL PROTECTED]> wrote:
> > From mod-bandwidth source/documentation:
> >
> >  * 3) Create the following directories with "rwx" permission to everybody :
> >  *      /tmp/apachebw
> >  *      /tmp/apachebw/link
> >  *      /tmp/apachebw/master
>
> Thanks for pointing me to the source documentation. But I do not get it at
> all. Could you please explain why rwx permissions are needed for any user?
> Why isn't a 770 on www-data sufficient? The only reason I can come up with
> is an suexec-enabled apache, but that is as far as I know not the default
> in debian.

It is possible to select suexec or not at install time.

> I'd prefer a more sane default on the write permissions of those
> directories. If 777 permissions are really necessary in some cases, this
> should be added to the mod_bandwidth documentation.

It is already in the code but if you think a note is required we can add
it. I don't see any problem with it.

>
> If you are not sure under what circumstances 777 permissions are required,
> I'd be willing to investigate further.

Yes please. That would be very nice since I am not a mod_bandwidth user.

Thanks
Fabio

-- 
Our mission: make IPv6 the default IP protocol
"We are on a mission from God" - Elwood Blues

http://www.itojun.org/paper/itojun-nanog-200210-ipv6isp/mgp4.html




Re: /var/lib/apache/mod-bandwidth world-writable [forwarded]

2004-02-06 Thread Philipp Weis
Hi,

On 04 Feb 2004, Fabio Massimo Di Nitto <[EMAIL PROTECTED]> wrote:
> From mod-bandwidth source/documentation:
> 
>  * 3) Create the following directories with "rwx" permission to everybody :
>  *      /tmp/apachebw
>  *      /tmp/apachebw/link
>  *      /tmp/apachebw/master

Thanks for pointing me to the source documentation. But I do not get it at
all. Could you please explain why rwx permissions are needed for any user?
Why isn't a 770 on www-data sufficient? The only reason I can come up with
is an suexec-enabled apache, but that is as far as I know not the default
in debian.

I'd prefer a more sane default on the write permissions of those
directories. If 777 permissions are really necessary in some cases, this
should be added to the mod_bandwidth documentation.

If you are not sure under what circumstances 777 permissions are required,
I'd be willing to investigate further.

Thanx

Philipp


-- 
Philipp Weis  [EMAIL PROTECTED]
Freiburg, Germany http://pweis.com/




Re: /var/lib/apache/mod-bandwidth world-writable [forwarded]

2004-02-03 Thread Fabio Massimo Di Nitto

Hi Philipp,

On Wed, 4 Feb 2004, Philipp Weis wrote:

> Hi,
>
> I got no answers to this on debian-security, maybe it was the wrong list.
> I'm not sure whether this really is a security issue. If it is not, please
> let me know why those directories need to be world-writable or why it is
> not a problem.
>

From mod-bandwidth source/documentation:

 * 3) Create the following directories with "rwx" permission to everybody :
 *      /tmp/apachebw
 *      /tmp/apachebw/link
 *      /tmp/apachebw/master

In this case it would be /var/lib/apache/mod-bandwidth in order to respect
the FHS.

Fabio

-- 
Our mission: make IPv6 the default IP protocol
"We are on a mission from God" - Elwood Blues

http://www.itojun.org/paper/itojun-nanog-200210-ipv6isp/mgp4.html




/var/lib/apache/mod-bandwidth world-writable [forwarded]

2004-02-03 Thread Philipp Weis
Hi,

I got no answers to this on debian-security, maybe it was the wrong list.
I'm not sure whether this really is a security issue. If it is not, please
let me know why those directories need to be world-writable or why it is
not a problem.


- Forwarded message from Philipp Weis <[EMAIL PROTECTED]> -

From: Philipp Weis <[EMAIL PROTECTED]>
Subject: /var/lib/apache/mod-bandwidth world-writable
Date: Sun, 1 Feb 2004 16:49:28 +0100
To: debian-security@lists.debian.org
Message-ID: <[EMAIL PROTECTED]>

Hi!

Tiger just warned me about some world-writable directories.
/var/lib/apache/mod-bandwidth is one of them, and I do not see any reason
why this one would need write-permissions for everyone.

The postinst script of apache-common explicitly sets those permissions:

  # Fixing mod-bandwith owner/permissions

  chown -R www-data:www-data /var/lib/apache/mod-bandwidth
  chmod -R 777 /var/lib/apache/mod-bandwidth

Is there a valid reason for 777 instead of 664 or 660?

Regards

- End forwarded message -

-- 
Philipp Weis  [EMAIL PROTECTED]
Freiburg, Germany http://pweis.com/
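
The kind of check that produced the Tiger warning, and the effect of the quoted postinst `chmod -R 777`, as an added example that is not part of the original thread or of the Debian package. It rebuilds the `link`/`master` layout in a temporary directory; the function names are hypothetical, and whether mod_bandwidth still works with mode 770 is the question the thread leaves open.

```shell
#!/bin/sh
# Constructed example: rebuilds the directory layout from the thread in a
# temporary directory, so nothing under /var/lib/apache is touched.

# Print every file or directory below $1 that is writable by "other".
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Print only world-writable directories without the sticky bit (mode 1000).
# In such a directory any local user can also delete or rename entries
# that were created by another user.
list_unsticky_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# Build the layout named in the module documentation: base, link/, master/.
make_layout() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/mod-bandwidth/link" "$base/mod-bandwidth/master"
    : > "$base/mod-bandwidth/master/sample"   # constructed data file
    printf '%s\n' "$base"
}

# What the quoted postinst does (chown omitted here: it needs root).
apply_postinst_mode() { chmod -R 777 "$1/mod-bandwidth"; }

# The tighter mode asked about in the thread. Assumption: whether
# mod_bandwidth works with it (e.g. under suexec) is not settled here.
apply_restricted_mode() { chmod -R 770 "$1/mod-bandwidth"; }

# Count input lines, stripping the padding some wc implementations add.
count_lines() { wc -l | tr -d ' '; }

demo() {
    root=$(make_layout) || return 1
    apply_postinst_mode "$root"
    echo "after chmod -R 777: $(list_world_writable "$root" | count_lines) world-writable entries"
    echo "  of which dirs without sticky bit: $(list_unsticky_world_writable_dirs "$root" | count_lines)"
    apply_restricted_mode "$root"
    echo "after chmod -R 770: $(list_world_writable "$root" | count_lines) world-writable entries"
    rm -rf "$root"
}

demo
```

Because `chmod -R` is recursive, the data file under `master/` ends up world-writable and executable as well, not only the directories.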