ID | Category | Severity | Reproducibility | Date Submitted | Last Update
0003330 | [Resin] | major | always | 02-09-09 02:02 | 03-18-09 11:07
Reporter | tlandmann | View Status | public
Assigned To | ferg
Priority | normal | Resolution | fixed
Status | closed | Product Version | 3.2.1
Summary | 0003330: Resin running in root (0) group although configured otherwise (WARNING: potential privilege escalation bug!)
Description |
I run Resin as root with the following passage in the server-default section in resin.xml:

    <resin:if test="${resin.userName=='root'}">
      <user-name>httpd</user-name>
      <group-name>httpd</group-name>
    </resin:if>

Thus Resin should run as user httpd in group httpd. Then I run the following PHP file from within Quercus:

    <?php
    header("Content-Type: text/plain");
    echo `id`;
    ?>

The output is:

    uid=1003(httpd) gid=1003(httpd) groups=0(root)

The expected output would be:

    uid=1003(httpd) gid=1003(httpd) groups=1003(httpd)

The problem means that although Resin is running as user httpd and primary group httpd, it still belongs to group root (!). This is dangerous! (!) There may be lots of sensitive files on a server system which may be read or even modified by members of the root group. I didn't check if this access is actually possible. However, I would assume it. Fixing this bug is STRONGLY recommended for security reasons.
Additional Information |
Attached Files |
There are no notes attached to this issue. |
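Added illustration of the bug class the report describes, not code from the report or from Resin: a privilege drop that changes uid and gid but never clears the launching process's supplementary groups leaves gid 0 behind, which is exactly what the reporter's `id` output shows. The C below does the drop in the order that cannot leave group 0 behind (setgroups() while still root, then setgid(), then setuid(), then verify) and includes the same check applied to `id`-style output; the 64-entry group buffer and the gid 1003 are assumptions taken from the report's sample output.

```c
#define _DEFAULT_SOURCE        /* glibc: declare setgroups() */
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if any supplementary gid differs from the single configured group
 * (a leftover 0 from the root launcher is exactly the reported case). */
int has_foreign_group(const gid_t *groups, int n, gid_t allowed)
{
    for (int i = 0; i < n; i++)
        if (groups[i] != allowed)
            return 1;
    return 0;
}

/* Same check on the text of `id`, as the reporter verified it: walk the
 * numeric gids in the "groups=" field, e.g. "groups=1003(httpd),0(root)". */
int id_output_has_foreign_group(const char *id_out, gid_t allowed)
{
    const char *p = strstr(id_out, "groups=");
    if (p == NULL) return 0;
    p += strlen("groups=");
    while (*p != '\0') {
        char *end;
        unsigned long g = strtoul(p, &end, 10);
        if (end == p) break;                    /* not a number: list ended */
        if ((gid_t)g != allowed) return 1;
        if ((p = strchr(end, ',')) == NULL) break;
        p++;                                    /* skip the comma */
    }
    return 0;
}

/* Drop from root to uid/gid in an order that cannot leave group 0 behind:
 * clear supplementary groups while still root, then gid, then uid, then
 * verify. Returns 0 on success, -1 otherwise (only succeeds when run as root). */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t list[64];                     /* assumption: <= 64 groups to inspect */
    if (setgroups(1, &gid) != 0) return -1;   /* the step the reported run lacks */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)                 /* regaining root must now fail */
        return -1;
    int n = getgroups(64, list);
    return (n < 0 || has_foreign_group(list, n, gid)) ? -1 : 0;
}
```

Running the `id` check against the two outputs in the report flags the first (groups=0(root)) and accepts the second.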