Webcit has an unwelcome group privilege escalation owing to a missing line in webcit/configure.ac, and a related patch to webcit/sysdep.c
Kindly notice that when webcit starts up, this appears in the syslog:
...
Mar 18 17:56:56 email2 webcit[24601]: Message catalog directory: /usr/share//locale
Mar 18 17:56:56 email2 webcit[24599]: No Site-local Stylesheet [/usr/share/citadel-webcit/static.local//webcit.css] installed.
Mar 18 17:56:56 email2 webcit[24601]: No Site-local Stylesheet [/usr/share/citadel-webcit/static.local//webcit.css] installed.
Mar 18 17:56:56 email2 webcit[24599]: Attempting to bind to port 80...
Mar 18 17:56:56 email2 webcit[24601]: Attempting to bind to port 443...
Mar 18 17:56:56 email2 webcit[24599]: Listening on socket 6
Mar 18 17:56:56 email2 webcit[24599]: WARNING: getpwuid(65534): Success#012Group IDs will be incorrect.
Mar 18 17:56:56 email2 webcit[24599]: Changing uid to 65534
Mar 18 17:56:56 email2 webcit[24601]: Listening on socket 6
Mar 18 17:56:56 email2 webcit[24601]: Requesting cipher list: DEFAULT
Mar 18 17:56:56 email2 webcit[24601]: WARNING: getpwuid(65534): File exists#012Group IDs will be incorrect.
Mar 18 17:56:56 email2 webcit[24601]: Changing uid to 65534
...
The systems I use certainly have the function getpwuid, yet webcit complains about lacking it, while citadel-server gets it right.
The configure.ac file in webcit lacks the necessary line to confirm the presence of getpwuid. These two patches corrects that problem. (The first patch also has the fix for the failure to build webcit owing to a misordering of libraries mentioned last post)
iff --git a/webcit/configure.ac b/webcit/configure.ac
index f17cc58..8cb65c3 100644
--- a/webcit/configure.ac
+++ b/webcit/configure.ac
@@ -88,6 +88,7 @@ dnl Checks for header files.
AC_HEADER_STDC
dnl AC_HEADER_SYS_WAIT
+AC_CHECK_FUNCS(crypt gethostbyname connect flock getpwnam_r getpwuid_r getloadavg)
AC_CACHE_CHECK(
[for call semantics from getpwuid_r],
ac_cv_call_getpwuid_r,
@@ -238,7 +239,7 @@ dnl Checks for the discount markdown library.
AC_CHECK_LIB(markdown,
markdown,
[
- LDFLAGS="$LDFLAGS -lmarkdown"
+ LIBS="$LIBS -lmarkdown"
AC_DEFINE(HAVE_MARKDOWN,[],[whether we have markdown message rendering])
])
diff --git a/webcit/sysdep.c b/webcit/sysdep.c
index 94314a2..02bfe02 100644
--- a/webcit/sysdep.c
+++ b/webcit/sysdep.c
@@ -557,6 +557,8 @@ webcit_calc_dirs_n_files(int relh, const char *basedir, int home, char *webcitdi
void drop_root(uid_t UID)
{
struct passwd pw, *pwp = NULL;
+ char pwbuf[SIZ];
+
/*
* Now that we've bound the sockets, change to the Citadel user id and its
After the patches, the startup log shows:
Mar 18 18:00:14 email2 webcit[24701]: Message catalog directory: /usr/share//locale
Mar 18 18:00:14 email2 webcit[24701]: No Site-local Stylesheet [/usr/share/citadel-webcit/static.local//webcit.css] installed.
Mar 18 18:00:14 email2 webcit[24701]: Attempting to bind to port 443...
Mar 18 18:00:14 email2 webcit[24701]: Listening on socket 7
Mar 18 18:00:14 email2 webcit[24701]: Requesting cipher list: DEFAULT
Mar 18 18:00:14 email2 webcit[24701]: Changing uid to 65534
Mar 18 18:00:14 email2 webcit[24699]: Attempting to bind to port 80...
Mar 18 18:00:14 email2 webcit[24699]: Listening on socket 7
Mar 18 18:00:14 email2 webcit[24699]: Changing uid to 65534
Best,
Harry Coin
