Bug 123165 â Permissions setup option for bugzilla_user==webserver_user (suexec).
Patch by Marc Schumann <wurblzap@gmail.com>; r/a=mkanat git-svn-id: svn://10.0.0.236/trunk@256806 18797224-902f-48f8-a5cc-f745e15eee43
This commit is contained in:
wurblzap%gmail.com
parent
67ffe2b343
commit
a64d1e10fb
@ -51,10 +51,10 @@ our @EXPORT = qw(
|
|||||||
# a perldoc. However, look at the various hashes defined inside this
|
# a perldoc. However, look at the various hashes defined inside this
|
||||||
# function to understand what it returns. (There are comments throughout.)
|
# function to understand what it returns. (There are comments throughout.)
|
||||||
#
|
#
|
||||||
# The rationale for the file permissions is that the web server generally
|
# The rationale for the file permissions is that there is a group the
|
||||||
# runs as apache, so the cgi scripts should not be writable for apache,
|
# web server executes the scripts as, so the cgi scripts should not be writable
|
||||||
# otherwise someone may find it possible to change the cgis when exploiting
|
# by this group. Otherwise someone may find it possible to change the cgis
|
||||||
# some security flaw somewhere (not necessarily in Bugzilla!)
|
# when exploiting some security flaw somewhere (not necessarily in Bugzilla!)
|
||||||
sub FILESYSTEM {
|
sub FILESYSTEM {
|
||||||
my $datadir = bz_locations()->{'datadir'};
|
my $datadir = bz_locations()->{'datadir'};
|
||||||
my $attachdir = bz_locations()->{'attachdir'};
|
my $attachdir = bz_locations()->{'attachdir'};
|
||||||
@ -67,6 +67,7 @@ sub FILESYSTEM {
|
|||||||
my $localconfig = bz_locations()->{'localconfig'};
|
my $localconfig = bz_locations()->{'localconfig'};
|
||||||
|
|
||||||
my $ws_group = Bugzilla->localconfig->{'webservergroup'};
|
my $ws_group = Bugzilla->localconfig->{'webservergroup'};
|
||||||
|
my $use_suexec = Bugzilla->localconfig->{'use_suexec'};
|
||||||
|
|
||||||
# The set of permissions that we use:
|
# The set of permissions that we use:
|
||||||
|
|
||||||
@ -76,7 +77,7 @@ sub FILESYSTEM {
|
|||||||
# Executable by the owner only.
|
# Executable by the owner only.
|
||||||
my $owner_executable = 0700;
|
my $owner_executable = 0700;
|
||||||
# Readable by the web server.
|
# Readable by the web server.
|
||||||
my $ws_readable = $ws_group ? 0640 : 0644;
|
my $ws_readable = ($ws_group && !$use_suexec) ? 0640 : 0644;
|
||||||
# Readable by the owner only.
|
# Readable by the owner only.
|
||||||
my $owner_readable = 0600;
|
my $owner_readable = 0600;
|
||||||
# Writeable by the web server.
|
# Writeable by the web server.
|
||||||
@ -84,7 +85,7 @@ sub FILESYSTEM {
|
|||||||
|
|
||||||
# DIRECTORIES
|
# DIRECTORIES
|
||||||
# Readable by the web server.
|
# Readable by the web server.
|
||||||
my $ws_dir_readable = $ws_group ? 0750 : 0755;
|
my $ws_dir_readable = ($ws_group && !$use_suexec) ? 0750 : 0755;
|
||||||
# Readable only by the owner.
|
# Readable only by the owner.
|
||||||
my $owner_dir_readable = 0700;
|
my $owner_dir_readable = 0700;
|
||||||
# Writeable by the web server.
|
# Writeable by the web server.
|
||||||
|
|||||||
@ -67,9 +67,11 @@ EOT
|
|||||||
{
|
{
|
||||||
name => 'webservergroup',
|
name => 'webservergroup',
|
||||||
default => ON_WINDOWS ? '' : 'apache',
|
default => ON_WINDOWS ? '' : 'apache',
|
||||||
desc => q{# This is the group your web server runs as.
|
desc => q{# Usually, this is the group your web server runs as.
|
||||||
# If you have a Windows box, ignore this setting.
|
# If you have a Windows box, ignore this setting.
|
||||||
# If you do not have access to the group your web server runs under,
|
# If you have use_suexec switched on below, this is the group Apache switches
|
||||||
|
# to in order to run Bugzilla scripts.
|
||||||
|
# If you do not have access to the group your scripts will run under,
|
||||||
# set this to "". If you do set this to "", then your Bugzilla installation
|
# set this to "". If you do set this to "", then your Bugzilla installation
|
||||||
# will be _VERY_ insecure, because some files will be world readable/writable,
|
# will be _VERY_ insecure, because some files will be world readable/writable,
|
||||||
# and so anyone who can get local access to your machine can do whatever they
|
# and so anyone who can get local access to your machine can do whatever they
|
||||||
@ -77,6 +79,21 @@ EOT
|
|||||||
# and you cannot set this up any other way. YOU HAVE BEEN WARNED!
|
# and you cannot set this up any other way. YOU HAVE BEEN WARNED!
|
||||||
# If you set this to anything other than "", you will need to run checksetup.pl
|
# If you set this to anything other than "", you will need to run checksetup.pl
|
||||||
# as} . ROOT_USER . qq{, or as a user who is a member of the specified group.\n}
|
# as} . ROOT_USER . qq{, or as a user who is a member of the specified group.\n}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name => 'use_suexec',
|
||||||
|
default => 0,
|
||||||
|
desc => <<EOT
|
||||||
|
# Set this if Bugzilla runs in an Apache SuexecUserGroup environment.
|
||||||
|
# (If your web server runs control panel software (cPanel, Plesk or similar),
|
||||||
|
# or if your Bugzilla is to run in a shared hosting environment, then you are
|
||||||
|
# almost certainly in an Apache SuexecUserGroup environment.)
|
||||||
|
# If you have a Windows box, ignore this setting.
|
||||||
|
# If set to 0, Bugzilla will set file permissions as tightly as possible.
|
||||||
|
# If set to 1, Bugzilla will set file permissions so that it may work in an
|
||||||
|
# SuexecUserGroup environment. The difference is that static files (CSS,
|
||||||
|
# JavaScript and so on) will receive world read permissions.
|
||||||
|
EOT
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name => 'db_driver',
|
name => 'db_driver',
|
||||||
|
|||||||
@ -59,7 +59,8 @@ my $webgroupnum = 0;
|
|||||||
my $webservergroup = Bugzilla->localconfig->{webservergroup};
|
my $webservergroup = Bugzilla->localconfig->{webservergroup};
|
||||||
if ($webservergroup =~ /^(\d+)$/) {
|
if ($webservergroup =~ /^(\d+)$/) {
|
||||||
$webgroupnum = $1;
|
$webgroupnum = $1;
|
||||||
} else {
|
}
|
||||||
|
else {
|
||||||
eval { $webgroupnum = (getgrnam $webservergroup) || 0; };
|
eval { $webgroupnum = (getgrnam $webservergroup) || 0; };
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -70,16 +71,19 @@ if ($sgid > 0) {
|
|||||||
"WARNING \$webservergroup is set to an empty string.
|
"WARNING \$webservergroup is set to an empty string.
|
||||||
That is a very insecure practice. Please refer to the
|
That is a very insecure practice. Please refer to the
|
||||||
Bugzilla documentation.\n";
|
Bugzilla documentation.\n";
|
||||||
} elsif ($webgroupnum == $sgid) {
|
}
|
||||||
|
elsif ($webgroupnum == $sgid || Bugzilla->localconfig->{use_suexec}) {
|
||||||
print "TEST-OK Webserver is running under group id in \$webservergroup.\n";
|
print "TEST-OK Webserver is running under group id in \$webservergroup.\n";
|
||||||
} else {
|
}
|
||||||
|
else {
|
||||||
print
|
print
|
||||||
"TEST-WARNING Webserver is running under group id not matching \$webservergroup.
|
"TEST-WARNING Webserver is running under group id not matching \$webservergroup.
|
||||||
This if the tests below fail, this is probably the problem.
|
This if the tests below fail, this is probably the problem.
|
||||||
Please refer to the web server configuration section of the Bugzilla guide.
|
Please refer to the web server configuration section of the Bugzilla guide.
|
||||||
If you are using virtual hosts or suexec, this warning may not apply.\n";
|
If you are using virtual hosts or suexec, this warning may not apply.\n";
|
||||||
}
|
}
|
||||||
} elsif ($^O !~ /MSWin32/i) {
|
}
|
||||||
|
elsif ($^O !~ /MSWin32/i) {
|
||||||
print
|
print
|
||||||
"TEST-WARNING Failed to find the GID for the 'httpd' process, unable
|
"TEST-WARNING Failed to find the GID for the 'httpd' process, unable
|
||||||
to validate webservergroup.\n";
|
to validate webservergroup.\n";
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user