aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorwurblzap%gmail.com <>2009-04-03 08:03:13 +0000
committerwurblzap%gmail.com <>2009-04-03 08:03:13 +0000
commitf9a7938b592a1d95fc718c2b86cf90506615b675 (patch)
treef9f1bf1140524cc5b7d13e5ffb6964fbf9d382d7
parentBug 477420 - "Rename some of the token names used in attachment.cgi" [p=reed ... (diff)
downloadgentoo-bugzilla-f9a7938b592a1d95fc718c2b86cf90506615b675.tar.gz
gentoo-bugzilla-f9a7938b592a1d95fc718c2b86cf90506615b675.tar.bz2
gentoo-bugzilla-f9a7938b592a1d95fc718c2b86cf90506615b675.zip
Bug 123165 – Permissions setup option for bugzilla_user==webserver_user (suexec).
Patch by Marc Schumann <wurblzap@gmail.com>; r/a=mkanat
-rw-r--r--Bugzilla/Install/Filesystem.pm13
-rw-r--r--Bugzilla/Install/Localconfig.pm21
-rwxr-xr-xtestserver.pl12
3 files changed, 34 insertions, 12 deletions
diff --git a/Bugzilla/Install/Filesystem.pm b/Bugzilla/Install/Filesystem.pm
index 17129b2ab..4cbbd57cc 100644
--- a/Bugzilla/Install/Filesystem.pm
+++ b/Bugzilla/Install/Filesystem.pm
@@ -51,10 +51,10 @@ our @EXPORT = qw(
# a perldoc. However, look at the various hashes defined inside this
# function to understand what it returns. (There are comments throughout.)
#
-# The rationale for the file permissions is that the web server generally
-# runs as apache, so the cgi scripts should not be writable for apache,
-# otherwise someone may find it possible to change the cgis when exploiting
-# some security flaw somewhere (not necessarily in Bugzilla!)
+# The rationale for the file permissions is that there is a group the
+# web server executes the scripts as, so the cgi scripts should not be writable
+# by this group. Otherwise someone may find it possible to change the cgis
+# when exploiting some security flaw somewhere (not necessarily in Bugzilla!)
sub FILESYSTEM {
my $datadir = bz_locations()->{'datadir'};
my $attachdir = bz_locations()->{'attachdir'};
@@ -67,6 +67,7 @@ sub FILESYSTEM {
my $localconfig = bz_locations()->{'localconfig'};
my $ws_group = Bugzilla->localconfig->{'webservergroup'};
+ my $use_suexec = Bugzilla->localconfig->{'use_suexec'};
# The set of permissions that we use:
@@ -76,7 +77,7 @@ sub FILESYSTEM {
# Executable by the owner only.
my $owner_executable = 0700;
# Readable by the web server.
- my $ws_readable = $ws_group ? 0640 : 0644;
+ my $ws_readable = ($ws_group && !$use_suexec) ? 0640 : 0644;
# Readable by the owner only.
my $owner_readable = 0600;
# Writeable by the web server.
@@ -84,7 +85,7 @@ sub FILESYSTEM {
# DIRECTORIES
# Readable by the web server.
- my $ws_dir_readable = $ws_group ? 0750 : 0755;
+ my $ws_dir_readable = ($ws_group && !$use_suexec) ? 0750 : 0755;
# Readable only by the owner.
my $owner_dir_readable = 0700;
# Writeable by the web server.
diff --git a/Bugzilla/Install/Localconfig.pm b/Bugzilla/Install/Localconfig.pm
index 5cd7755e8..971064722 100644
--- a/Bugzilla/Install/Localconfig.pm
+++ b/Bugzilla/Install/Localconfig.pm
@@ -67,9 +67,11 @@ EOT
{
name => 'webservergroup',
default => ON_WINDOWS ? '' : 'apache',
- desc => q{# This is the group your web server runs as.
+ desc => q{# Usually, this is the group your web server runs as.
# If you have a Windows box, ignore this setting.
-# If you do not have access to the group your web server runs under,
+# If you have use_suexec switched on below, this is the group Apache switches
+# to in order to run Bugzilla scripts.
+# If you do not have access to the group your scripts will run under,
# set this to "". If you do set this to "", then your Bugzilla installation
# will be _VERY_ insecure, because some files will be world readable/writable,
# and so anyone who can get local access to your machine can do whatever they
@@ -79,6 +81,21 @@ EOT
# as} . ROOT_USER . qq{, or as a user who is a member of the specified group.\n}
},
{
+ name => 'use_suexec',
+ default => 0,
+ desc => <<EOT
+# Set this if Bugzilla runs in an Apache SuexecUserGroup environment.
+# (If your web server runs control panel software (cPanel, Plesk or similar),
+# or if your Bugzilla is to run in a shared hosting environment, then you are
+# almost certainly in an Apache SuexecUserGroup environment.)
+# If you have a Windows box, ignore this setting.
+# If set to 0, Bugzilla will set file permissions as tightly as possible.
+# If set to 1, Bugzilla will set file permissions so that it may work in an
+# SuexecUserGroup environment. The difference is that static files (CSS,
+# JavaScript and so on) will receive world read permissions.
+EOT
+ },
+ {
name => 'db_driver',
default => 'mysql',
desc => <<EOT
diff --git a/testserver.pl b/testserver.pl
index f7949948f..1e2af661a 100755
--- a/testserver.pl
+++ b/testserver.pl
@@ -59,7 +59,8 @@ my $webgroupnum = 0;
my $webservergroup = Bugzilla->localconfig->{webservergroup};
if ($webservergroup =~ /^(\d+)$/) {
$webgroupnum = $1;
-} else {
+}
+else {
eval { $webgroupnum = (getgrnam $webservergroup) || 0; };
}
@@ -70,16 +71,19 @@ if ($sgid > 0) {
"WARNING \$webservergroup is set to an empty string.
That is a very insecure practice. Please refer to the
Bugzilla documentation.\n";
- } elsif ($webgroupnum == $sgid) {
+ }
+ elsif ($webgroupnum == $sgid || Bugzilla->localconfig->{use_suexec}) {
print "TEST-OK Webserver is running under group id in \$webservergroup.\n";
- } else {
+ }
+ else {
print
"TEST-WARNING Webserver is running under group id not matching \$webservergroup.
This if the tests below fail, this is probably the problem.
Please refer to the web server configuration section of the Bugzilla guide.
If you are using virtual hosts or suexec, this warning may not apply.\n";
}
-} elsif ($^O !~ /MSWin32/i) {
+}
+elsif ($^O !~ /MSWin32/i) {
print
"TEST-WARNING Failed to find the GID for the 'httpd' process, unable
to validate webservergroup.\n";