Bugs item #1567943, was opened at 2006-09-29 20:41
Message generated for change (Settings changed) made by duncanwebb
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=446895&aid=1567943&group_id=46652

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: freevoweb
Group: 1.5.x svn
>Status: Pending
Resolution: Fixed
Priority: 5
Submitted By: John Molohan (johnmolohan)
Assigned to: Nobody/Anonymous (nobody)
Summary: Webserver: security issue, system wide root access

Initial Comment:
From a posting to the devel list a while back this
still applies to current svn. If it can't be patched
then a massive warning should go into local_conf.py.

Hi all,

I recently found some security issues within the
internal webserver of freevo
that might be worth considering, as the webserver can
access all the files
on a system that the user of the webserver process
would (hopefully not
root).

Just try it out and type
http://yourserver/library.rpy/etc/passwd or
whatever.

I think, the webserver should be restricted to access
only files underneath
certain directories (at least one).

Greetings and keep on coding such good stuff,

Andreas

----------------------------------------------------------------------

Comment By: John Molohan (johnmolohan)
Date: 2006-09-30 15:14

Message:
Logged In: YES 
user_id=774680

Tested and confirmed working although I get: name 'pwd' is
not defined when starting the webserver.

----------------------------------------------------------------------

Comment By: Duncan Webb (duncanwebb)
Date: 2006-09-30 13:08

Message:
Logged In: YES 
user_id=104395

Should have tested this against the correct host!!! and
checked the correct log.

http://freevoserver:8080/library.rpy/etc/passwd
Forbidden Resource

Sorry, resource is forbidden.


What needs setting up is a user, group and the user needs
write permissions to the log. So local_conf.py:
WWW_SERVER_UID=80
WWW_SERVER_GID=80
WWW_PORT = 8080 # non-root users can't access port 80
/etc/group:
freevo:x:80:
/etc/passwd:
freevo:x:80:80:Freevo WWW User:/freevo:/bin/false


----------------------------------------------------------------------

Comment By: Duncan Webb (duncanwebb)
Date: 2006-09-30 13:01

Message:
Logged In: YES 
user_id=104395

Actually, didn't see the "try it out" bit; even doing this the
webserver can still access /etc/shadow, etc. A bit
strange, as I see the webserver running as a non-root user.

Don't have another solution at the moment. Don't think it
too high risk when the machine is not accessible from the
internet. If it is connected then it could be a big problem.

----------------------------------------------------------------------

Comment By: Duncan Webb (duncanwebb)
Date: 2006-09-30 11:12

Message:
Logged In: YES 
user_id=104395

Applied a fix in r8279 to run the webserver as a non-root
user. The logic is exactly the same as the recordserver, it
changes id on startup to the user and group specified in
local_conf.py: e.g.:
WWW_SERVER_UID=80
WWW_SERVER_GID=80

Not updated freevo_conf or example local_conf, waiting for
some test results first. It seemed to work fine for me.

----------------------------------------------------------------------

Comment By: Michael Ruelle (mikeruelle)
Date: 2006-09-29 21:39

Message:
Logged In: YES 
user_id=849534

I think this mainly comes about when someone sets / as one
of their items. we prolly want to just put in a thing to
always disallow /etc and maybe a few other files. There is
code in the library.py to make sure all files requested are
below one of the items directories.

----------------------------------------------------------------------
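The two mitigations discussed in this thread, restricting the webserver to files below the item directories (Andreas's and Mike's suggestion) and dropping root on startup (Duncan's r8279 fix), as an added illustration that is not Freevo's own code. The library roots and the freevo user/group ids are constructed sample values standing in for a user's local_conf.py.

```python
import os
import pwd
import grp

# Constructed sample roots, standing in for the directories of the user's
# Freevo items. These are not the project's configuration.
ALLOWED_ROOTS = ["/srv/freevo/movies", "/srv/freevo/music"]


def resolve_library_path(requested, roots=ALLOWED_ROOTS):
    """Return the canonical path for the file part of a library.rpy request
    if it lies under one of the allowed roots, otherwise None.

    The check is done on the *resolved* path: os.path.realpath collapses
    '..' and follows symlinks, so '/srv/freevo/movies/../../../etc/passwd'
    is rejected just like a literal '/etc/passwd'.
    """
    real = os.path.realpath(requested)
    for root in roots:
        root_real = os.path.realpath(root)
        # commonpath compares whole path components, so '/srv/freevo/movies2'
        # is not mistaken for something inside '/srv/freevo/movies' the way a
        # plain startswith() prefix test would.
        if os.path.commonpath([root_real, real]) == root_real:
            return real
    return None


def drop_privileges(uid=80, gid=80):
    """Switch the running process to the unprivileged WWW user/group, the
    same idea as the WWW_SERVER_UID / WWW_SERVER_GID setting in the thread.

    Must be called while still root, after the listening socket is bound
    (which is why the thread moves WWW_PORT to 8080 when not starting as
    root). The group is changed before the user, because once setuid() has
    run the process no longer has the right to call setgid(). Returns the
    account name for logging; pwd/grp are the modules the 'pwd' NameError
    in the thread points at.
    """
    os.setgroups([])          # shed any supplementary groups inherited from root
    os.setgid(gid)
    os.setuid(uid)
    return "%s:%s" % (pwd.getpwuid(uid).pw_name, grp.getgrgid(gid).gr_name)
```

drop_privileges() is a no-op test-wise without root; the containment check alone already turns the /etc/passwd request from the original report into a "forbidden" result.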


_______________________________________________
Freevo-devel mailing list
https://lists.sourceforge.net/lists/listinfo/freevo-devel
