Your message dated Thu, 1 Jul 2004 11:37:10 +0200 (CEST)
with message-id <[EMAIL PROTECTED]>
and subject line Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 1 Jul 2004 09:03:09 +0000
Date: Thu, 1 Jul 2004 11:03:07 +0200
From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: apache: /var/lib/apache/mod-bandwidth/ is world writable
Message-ID: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.6+20040523i

Package: apache-common
Version: 1.3.31-1
Priority: important
Tags: security

I cannot really understand why this is needed:

$ ls -la /var/lib/apache/mod-bandwidth/
total 16
drwxrwxrwx  4 www-data www-data 4096 2003-10-20 21:53 .
drwxr-xr-x  3 root     root     4096 2003-10-20 21:53 ..
drwxrwxrwx  2 www-data www-data 4096 2003-10-14 14:38 link
drwxrwxrwx  2 www-data www-data 4096 2003-10-14 14:38 master

README.mod_bandwidth just says:

No documentation available!

So, is there any reason why mod-bandwidth files should be writable by all
users? I'm tagging this security because directories writable by all users
open up a can of worms (partition DoS attacks, symlink and hard link attacks)
and administrators do not expect Debian packages to create those without a
good enough reason. Also, directories writable by all users (such as /tmp/ or
/var/tmp) should be created with the sticky bit.

Regards

Javier

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA49NLi4sehJTrj0oRAjy9AKCk1ez4VoP0hR9q1Ii4VB5oEEhCCgCbB4a3
OUXBG4g1aSqZKZb8CLGE0i4=
=Ix/V
-----END PGP SIGNATURE-----

---------------------------------------
Received: (at 257108-done) by bugs.debian.org; 1 Jul 2004 09:37:20 +0000
Date: Thu, 1 Jul 2004 11:37:10 +0200 (CEST)
From: Fabio Massimo Di Nitto <[EMAIL PROTECTED]>
To: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Cc: Debian Apache Maintainers <debian-apache@lists.debian.org>
Subject: Re: Bug#257108: apache: /var/lib/apache/mod-bandwidth/ is world writable
In-Reply-To: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>

This has been discussed before several times. Here is one:

http://lists.debian.org/debian-apache/2004/02/msg00045.html

On Thu, 1 Jul 2004, Javier Fernández-Sanguino Peña wrote:

> Package: apache-common
> Version: 1.3.31-1
> Priority: important
> Tags: security
>
> I cannot really understand why this is needed:
>
> $ ls -la /var/lib/apache/mod-bandwidth/
> total 16
> drwxrwxrwx  4 www-data www-data 4096 2003-10-20 21:53 .
> drwxr-xr-x  3 root     root     4096 2003-10-20 21:53 ..
> drwxrwxrwx  2 www-data www-data 4096 2003-10-14 14:38 link
> drwxrwxrwx  2 www-data www-data 4096 2003-10-14 14:38 master
>
> README.mod_bandwidth just says:
>
> No documentation available!

It is in the source code.

> So, is there any reason why mod-bandwidth files should be writable by all
> users?

 * 3) Create the following directories with "rwx" permission to everybody :
 *        /tmp/apachebw
 *        /tmp/apachebw/link
 *        /tmp/apachebw/master
 *
 *    Note that if any of those directories doesn't exist, or if they can't
 *    be accessed by the server, the module is totally disabled except for
 *    logging an error message in the logfile.

Fabio

-- 
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.
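A defender-side check for the condition the report describes, added here as an example and not part of the bug thread, the apache package or mod_bandwidth itself: a POSIX shell audit that lists every directory under a tree that is world-writable without the sticky bit (the combination the report objects to), together with a remediation helper that drops the other-write bit. The sample tree it is exercised on is constructed under a temporary directory with the same permissions as the ls output above; the real /var/lib/apache path is never touched, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit a tree for world-writable directories that lack the
# sticky bit, which is what the report found under /var/lib/apache/mod-bandwidth/.
# Everything here runs on a constructed tree under mktemp -d; nothing under
# /var/lib/apache is read or modified.

# List, sorted and one per line, every directory under "$1" whose mode has the
# other-write bit (0002) set but not the sticky bit (1000).  A sticky
# world-writable directory such as /tmp is intentionally not reported.
find_ww_nosticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# Number of findings under "$1", as a plain integer (awk always exits 0, so
# this is safe to call under set -e even when there are no findings).
count_ww_nosticky() {
    find_ww_nosticky "$1" | awk 'END { print NR }'
}

# Build a throwaway tree that mirrors the bug report's permissions
# (constructed sample data) and print its root path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/mod-bandwidth/link" "$root/mod-bandwidth/master" "$root/tmp-like"
    # drwxrwxrwx on the module directory and both subdirectories, as in the report
    chmod 0777 "$root/mod-bandwidth" "$root/mod-bandwidth/link" "$root/mod-bandwidth/master"
    # world-writable but sticky, like /tmp: this one must not be a finding
    chmod 1777 "$root/tmp-like"
    printf '%s\n' "$root"
}

# Remediate every finding under "$1" by removing the other-write bit.
# This is the conservative fix for a directory that has no justification for
# being shared by all users; a genuinely shared scratch directory would instead
# get the sticky bit (chmod +t), which the audit above already tolerates.
fix_ww_dirs() {
    find_ww_nosticky "$1" | while IFS= read -r dir; do
        chmod o-w "$dir"
    done
}
```

Run the audit as `find_ww_nosticky /var/lib` (or any tree) to get a list suitable for a cron-driven check; `fix_ww_dirs` applies the permission change only to what the audit reports, so reviewing the list first is the natural workflow.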