Mantis - Resin
Viewing Issue Advanced Details

ID: 3330
Severity: major
Reproducibility: always
Date Submitted: 02-09-09 02:02
Last Update: 03-18-09 11:07

Reporter: tlandmann
Assigned To: ferg
Priority: normal
Status: closed
Projection: none
ETA: none
Product Version: 3.2.1
Resolution: fixed
Fixed in Version: 4.0.0

Summary: 0003330: Resin running in root (0) group although configured otherwise (WARNING: potential privilege escalation bug!)
Description:

I run Resin as root with the following passage in the server-default section in resin.xml:

    <resin:if test="${resin.userName=='root'}">
      <user-name>httpd</user-name>
      <group-name>httpd</group-name>
    </resin:if>

Thus Resin should run as user httpd in group httpd. Then I run the following PHP file from within Quercus:

    <?php
    header("Content-Type: text/plain");
    echo `id`;
    ?>

The output is:

    uid=1003(httpd) gid=1003(httpd) groups=0(root)

The expected output would be:

    uid=1003(httpd) gid=1003(httpd) groups=1003(httpd)

The problem means that although Resin is running as user httpd and primary group httpd, it still belongs to group root (!). This is dangerous! (!) There may be lots of sensitive files on a server system which may be read or even modified by members of the root group. I didn't check if this access is actually possible. However, I would assume it. Fixing this bug is STRONGLY recommended for security reasons.
Steps To Reproduce: (not provided)
Additional Information: (not provided)

There are no notes attached to this issue.
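The symptom in this report (uid and gid switched, but supplementary group 0 retained) is what a privilege drop looks like when the supplementary group list is never reset. The following is an added illustration, not Resin's code and not part of this issue: it performs the drop in the correct order (initgroups() while still root, then setgid(), then setuid()), and audits the result with the same check `id` performs, so a leftover root group is detected. The user name "httpd" is taken from the report; the function and variable names are this example's own.

```c
/* Added example, not Resin's code: drop root to an unprivileged account in the
 * correct order and audit the result for the symptom in the report (a
 * supplementary group 0 left behind). "httpd" is the account from the report. */
#define _GNU_SOURCE 1
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Return 1 if gid appears in list[0..n), else 0. */
int gid_in_list(gid_t gid, const gid_t *list, int n) {
    for (int i = 0; i < n; i++)
        if (list[i] == gid) return 1;
    return 0;
}

/* Audit the calling process: 0 if no supplementary group is 0 (root), 1 if
 * group 0 is present (the report's "groups=0(root)"), -1 on error. */
int audit_no_root_group(void) {
    gid_t list[256];                         /* plenty for a service account */
    int n = getgroups(256, list);
    return n < 0 ? -1 : gid_in_list(0, list, n);
}

/* Drop from root to `user`. Order matters: initgroups() needs root so it goes
 * first, setgid() before setuid(), setuid() last. Returns 0 on success. */
int drop_privileges(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (!pw) { fprintf(stderr, "unknown user %s\n", user); return -1; }
    /* Replace the inherited supplementary list (which holds 0 for a process
     * started by root) with the target user's groups; skipping this step
     * leaves exactly the group 0 membership the report observed. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) { perror("initgroups"); return -1; }
    if (setgid(pw->pw_gid) != 0) { perror("setgid"); return -1; }
    if (setuid(pw->pw_uid) != 0) { perror("setuid"); return -1; }
    /* Fail closed: the drop must be irreversible and leave no root group. */
    if (setuid(0) == 0 || audit_no_root_group() != 0) return -1;
    return 0;
}

int main(int argc, char **argv) {
    if (getuid() == 0 && drop_privileges(argc > 1 ? argv[1] : "httpd") != 0) return 1;
    printf("uid=%u root_in_groups=%d\n", (unsigned)getuid(), audit_no_root_group());
    return 0;
}
```

Run as root with a local account name to watch the drop; run unprivileged and it only reports whether group 0 is in the current supplementary list.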