http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6094
Frère Sébastien Marie <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #11 from Frère Sébastien Marie <[email protected]> 2011-07-25 07:27:20 UTC ---

(In reply to comment #10)
> (In reply to comment #8)
> > How about /var/tmp ?
> Good idea. I submitted a revised patch. Could you do the signoff please?
> Thanks.

This patch presents a security issue.

The "/var/tmp/modified_authorities" directory is created with unix mode 777, so *every* user on the system can create (or remove) files in this directory.

It also permits *any* user to arbitrarily overwrite a file owned by the webserver owner (generally www-data), using a symlink attack (see CWE-61, http://cwe.mitre.org/data/definitions/61.html).

Please correct it.

The directory should be created by the installer (with root permission) to have its owner set to koha:www-data, and its permissions to 2770. This permits the apache daemon (and only it) to write in this directory, and permits the koha user (the user which should run the crontab for the update) to read and delete these files.

I think a common directory for koha would be fine to create (should be discussed on the ML), with good owner/permissions, and subdirectories for particular tasks (like this one).

-- 
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
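The layout comment #11 asks for, as an added example that is not Koha's installer or patch code: a script that creates the spool directory as koha:www-data with mode 2770, a check that rejects a world-writable directory or a planted symlink, and the write step the web process should take before dropping a file there. The function names, the noclobber-based write and the BSD `stat` fallback are this example's own choices; the path, owner and group are the ones named in the comment and are passed as parameters so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example for the fix requested in comment #11; not Koha's installer
# or patch code. The owner "koha", the group "www-data" and the directory
# /var/tmp/modified_authorities are the values named in the comment; they are
# parameters here so the functions can also run against a temporary directory.

# create_spool_dir DIR OWNER GROUP
#   Create DIR owned by OWNER:GROUP with mode 2770: group-writable for the
#   web server, setgid so files it drops there inherit GROUP, no world bits.
#   Chowning to another user needs root, so this belongs in the installer.
create_spool_dir() {
    dir=$1
    owner=${2:-koha}
    group=${3:-www-data}
    # Never operate on a path that is already a symlink: a local user who can
    # plant one in a world-writable parent would redirect the chown/chmod.
    if [ -L "$dir" ]; then
        printf 'refusing: %s is a symbolic link\n' "$dir" >&2
        return 1
    fi
    # Restrictive umask so the directory is never world-accessible, not even
    # in the window between mkdir and chmod.
    (umask 077 && mkdir -p "$dir") || return 1
    chown "$owner:$group" "$dir" || return 1
    chmod 2770 "$dir" || return 1
}

# spool_dir_mode DIR
#   Print the full octal mode, e.g. 2770 (GNU stat, with a BSD stat fallback).
spool_dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Mp%Lp' "$1"
}

# spool_dir_is_safe DIR
#   Succeed only if DIR is a real directory (not a symlink) with exactly
#   mode 2770. A 777 directory such as the one the patch creates, or a link
#   planted where the directory should be, fails this check.
spool_dir_is_safe() {
    dir=$1
    [ -L "$dir" ] && return 1
    [ -d "$dir" ] || return 1
    [ "$(spool_dir_mode "$dir")" = "2770" ]
}

# write_spool_file DIR NAME CONTENT
#   What the web process should do before dropping a record: refuse unless
#   the directory is safe, keep NAME a plain file name inside DIR, and create
#   the file with noclobber (set -C) so an existing file or a pre-planted
#   symlink (the CWE-61 case from the comment) is never followed and overwritten.
write_spool_file() {
    dir=$1
    name=$2
    content=$3
    spool_dir_is_safe "$dir" || return 1
    case $name in
        */*|.|..|'') return 1 ;;
    esac
    (
        set -C
        printf '%s\n' "$content" > "$dir/$name"
    )
}
```

On a real install this is run once as root, `create_spool_dir /var/tmp/modified_authorities koha www-data`, after which only members of www-data can write there and the koha user, being the owner, can read and delete what the web server leaves behind; the cron job then only needs `spool_dir_is_safe` to confirm the directory has not been replaced before processing it. The noclobber write closes the remaining hole the comment describes: even if an attacker manages to place a link inside the directory, the web process creates new files only and never writes through an existing name.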
