Mantis Bugtracker
  

Viewing Issue Simple Details Jump to Notes ] View Advanced ] Issue History ] Print ]
ID Category Severity Reproducibility Date Submitted Last Update
0003330 [Resin] major always 02-09-09 02:02 03-18-09 11:07
Reporter tlandmann View Status public  
Assigned To ferg
Priority normal Resolution fixed  
Status closed   Product Version 3.2.1
Summary 0003330: Resin running in root (0) group although configured otherwise (WARNING: potential privilege escalation bug!)
Description I run Resin as root with the following passage in the server-default section in resin.xml:

<resin:if test="${resin.userName=='root'}">
  <user-name>httpd</user-name>
  <group-name>httpd</group-name>
</resin:if>

Thus resin should run as user httpd in group httpd.

Then I run the following PHP file from within Quercus:

<?php
header("Content-Type: text/plain");
echo `id`;
?>

The output is:
uid=1003(httpd) gid=1003(httpd) groups=0(root)

The expected output would be:
uid=1003(httpd) gid=1003(httpd) groups=1003(httpd)

The problem means that although Resin is running as user httpd and primary group httpd, it still belongs to group root (!). This is dangerous! (!) There may be lots of sensitive files on a server system which may be read or even modified by members of the root group.
I didn't check if this access is actually possible. However I would assume it.

Fixing this bug is STRONGLY recommended for security reasons.
Additional Information
Attached Files

- Relationships

There are no notes attached to this issue.

- Issue History
Date Modified Username Field Change
02-09-09 02:02 tlandmann New Issue
03-18-09 11:07 ferg Assigned To  => ferg
03-18-09 11:07 ferg Status new => closed
03-18-09 11:07 ferg Resolution open => fixed
03-18-09 11:07 ferg Fixed in Version  => 4.0.0


Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
27 total queries executed.
25 unique queries executed.
Powered by Mantis Bugtracker