Mantis - Resin
Viewing Issue Advanced Details
3330 major always 02-09-09 02:02 03-18-09 11:07
closed 3.2.1  
none 4.0.0  
0003330: Resin running in root (0) group although configured otherwise (WARNING: potential privilege escalation bug!)
I run Resin as root with the following passage in the server-default section in resin.xml:

<resin:if test="${resin.userName=='root'}">

Thus resin should run as user httpd in group httpd.

Then I run the following PHP file from within Quercus:

header("Content-Type: text/plain");
echo `id`;

The output is:
uid=1003(httpd) gid=1003(httpd) groups=0(root)

The expected output would be:
uid=1003(httpd) gid=1003(httpd) groups=1003(httpd)

The problem means that although Resin is running as user httpd and primary group httpd, it still belongs to group root (!). This is dangerous! (!) There may be lots of sensitive files on a server system which may be read or even modified by members of the root group.
I didn't check if this access is actually possible. However I would assume it.

Fixing this bug is STRONGLY recommended for security reasons.

There are no notes attached to this issue.