Re: Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable

2004-07-01 Thread Fabio Massimo Di Nitto

This has been discussed before several times. Here is one:

http://lists.debian.org/debian-apache/2004/02/msg00045.html

On Thu, 1 Jul 2004, Javier Fernández-Sanguino Peña wrote:

> Package: apache-common
> Version: 1.3.31-1
> Priority: important
> Tags: security
>
> I cannot really understand why this is needed:
>
> $ ls -la /var/lib/apache/mod-bandwidth/
> total 16
> drwxrwxrwx    4 www-data www-data 4096 2003-10-20 21:53 .
> drwxr-xr-x    3 root     root     4096 2003-10-20 21:53 ..
> drwxrwxrwx    2 www-data www-data 4096 2003-10-14 14:38 link
> drwxrwxrwx    2 www-data www-data 4096 2003-10-14 14:38 master
>
> README.mod_bandwidth just says:
>
> No documentation available!

It is in the source code.


> So, is there any reason why mod-bandwidth files should be writable by all
> users?

 * 3) Create the following directories with rwx permission to everybody :
 *      /tmp/apachebw
 *      /tmp/apachebw/link
 *      /tmp/apachebw/master
 *
 * Note that if any of those directories doesn't exist, or if they can't
 * be accessed by the server, the module is totaly disabled except for
 * logging an error message in the logfile.

Fabio

-- 
user fajita: step one
fajita Whatever the problem, step one is always to look in the error log.
user fajita: step two
fajita When in danger or in doubt, step two is to scream and shout.




Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable

2004-07-01 Thread Jeroen van Wolffelaar
On Thu, Jul 01, 2004 at 11:37:10AM +0200, Fabio Massimo Di Nitto wrote:
> This has been discussed before several times. Here is one:
>
> http://lists.debian.org/debian-apache/2004/02/msg00045.html

Well, the fact that this bug is reported again is an indication of
inadequate documentation... Maybe this should be documented in the
README? 

Also, I do think it's a valid point that that directory should probably
be sticky. Why not leave this bug open until this is investigated? It
can probably be set to normal since indeed this doesn't seem like a
security bug, but still. It allows anybody to evade quotas and
resource-starve a server by filling up /var/lib.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
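
An audit for the condition discussed in this reply, as an added example that is not part of the original thread: it lists world-writable directories that lack the sticky bit and can add the bit while keeping the rwx-for-everybody mode quoted from the module's source. The function names and the scratch layout built by `make_sample` are constructed for illustration; whether mod_bandwidth behaves correctly with sticky directories is the question the thread leaves open for investigation.

```shell
#!/bin/sh
# Added example, not code from the thread or from the apache package.
# All function names are hypothetical.

# List world-writable directories under $1 that lack the sticky bit.
# In these, any local user can delete or rename other users' entries.
ww_no_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# List world-writable directories under $1 that have the sticky bit
# (mode 1777, like /tmp): entries can only be removed or renamed by
# their owner, the directory owner, or root.
ww_sticky() {
    find "$1" -type d -perm -0002 -perm -1000 -print | sort
}

# Add the sticky bit to every directory ww_no_sticky would report.
# The rwx bits for owner, group and others are left untouched.
add_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 -exec chmod +t {} +
}

# Constructed sample: rebuild the reported layout (a mod-bandwidth
# directory with link/ and master/, all mode 0777) in a scratch
# directory instead of touching the real /var/lib/apache tree.
# Prints the scratch root; the caller removes it when done.
make_sample() {
    sample=$(mktemp -d) || return 1
    mkdir -p "$sample/mod-bandwidth/link" "$sample/mod-bandwidth/master"
    chmod 0777 "$sample/mod-bandwidth" \
        "$sample/mod-bandwidth/link" \
        "$sample/mod-bandwidth/master"
    printf '%s\n' "$sample"
}
```

The sticky bit only stops users from removing or renaming entries they do not own; it does not limit how much data anyone can write into the directory.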




Re: Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable

2004-07-01 Thread Javier Fernández-Sanguino Peña
reopen 257108 
thanks

On Thu, Jul 01, 2004 at 11:37:10AM +0200, Fabio Massimo Di Nitto wrote:
>
> This has been discussed before several times. Here is one:
>
> http://lists.debian.org/debian-apache/2004/02/msg00045.html

That might have been _discussed_ in a mailing list, but the apache 
documentation does not discuss it and there is no indication in any README. 
If you want to degrade the bug (or remove the 'security' tag which I 
believe it should have) fine by me, but I'm reopening this bug as not 
documenting why this should be like this, and what consequences this has is 
a bug. 

Regards

Javier




Processed: Re: Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable

2004-07-01 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> reopen 257108
Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable
Bug reopened, originator not changed.

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)




Processed: Re: Processed: Re: Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable

2004-07-01 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> severity 257108 minor
Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable
Severity set to `minor'.

> tag 257108 - security
Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable
Tags were: security
Tags removed: security

> retitle 257108 README.* lack information on why /var/lib/apache/mod-bandwidth/ is world writable
Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable
Changed Bug title.

> stop
Stopping processing here.
