
Bug 144335

Summary: www-servers/thttpd Change in start-stop-daemon causes security-problem with thttpd
Product: Gentoo Security
Reporter: Christian Gut <cycloon>
Component: Default Configs
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: jakub, www-servers+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 142047
Bug Blocks:

Description Christian Gut 2006-08-18 10:34:43 UTC
In one of the newer versions of baselayout (I had sys-apps/baselayout-1.12.4-r6), the default behaviour of start-stop-daemon was changed. It now always does chdir to / if parameter --chdir is not specified.

First of all, I found nothing documented about this new behaviour, neither in the man page nor in the ChangeLog in the tree.

Secondly, this causes thttpd (and others?) to display / (yes, the whole root filesystem). That is because thttpd always serves the current directory and therefore the init-script does a cd to the configured directory just before calling start-stop-daemon.

As a result of this, it served my whole data for a few days.

Besides finding it annoying to find such changes without documentation, I think other users should be warned about this security problem.

Additionally, this incident also happened before! It is documented in the ChangeLog of baselayout and in bug #50434.

To get back to the technical aspect, I really don't understand why start-stop-daemon should chdir somewhere without having chdir specified. As this option exists, users might think that a chdir is done only with that option. So I suggest again to revert to the old behaviour.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-19 08:55:48 UTC
Seems like a potential security issue, reassigning to security.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-19 08:56:55 UTC
And now hopefully reassigning....
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-19 08:57:22 UTC
base-system please advise (and sorry for the spam).
Comment 4 SpanKY gentoo-dev 2006-08-20 00:51:48 UTC
yes, this change is deliberate as that is what the upstream guys (Debian) did:
-static const char *changedir = NULL;
+static const char *changedir = "/";
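
Review bot: the new default on the `+static const char *changedir = "/";` line changes the working directory for every caller that does not pass --chdir, including init scripts that cd somewhere before invoking start-stop-daemon, and nothing in the hunk documents that. Suggest recording the new default next to the --chdir option in the man page and in the ChangeLog, and having callers that depend on the working directory pass --chdir explicitly.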

this is a bug in thttpd, not in start-stop-daemon
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-20 06:42:52 UTC
www-servers please advise.
Comment 6 Daniel Drake (RETIRED) gentoo-dev 2006-09-06 07:33:52 UTC
thttpd fixed, you can probably close this bug if there are no other known affected packages
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-06 07:36:13 UTC
Thx Daniel.

Closing this one as FIXED.
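
The working-directory interaction described in this report, as an added shell sketch (not code from baselayout, thttpd or the Gentoo init script). `launch`, `serve_cwd`, `start_with_cd` and `start_with_chdir` are hypothetical stand-ins; only the `--chdir` option and the `changedir` default come from the page.

```shell
#!/bin/sh
# Added illustration: models only the working-directory handling of a
# start-stop-daemon-style launcher. launch() is a hypothetical stand-in,
# not the real tool; its first argument mirrors the `changedir` default.

# launch DEFAULT_CHDIR [--chdir DIR] -- CMD...
#   DEFAULT_CHDIR=""  models the old default (NULL: keep the caller's cwd)
#   DEFAULT_CHDIR="/" models the new default
launch() {
    default_chdir=$1; shift
    dir=$default_chdir
    while [ $# -gt 0 ]; do
        case $1 in
            --chdir) dir=$2; shift 2 ;;
            --) shift; break ;;
            *) echo "launch: unknown option $1" >&2; return 2 ;;
        esac
    done
    (
        # Only change directory when a default or an explicit DIR is set.
        if [ -n "$dir" ]; then
            cd "$dir" || exit 1
        fi
        "$@"
    )
}

# Stand-in for a server that serves its current directory: it reports cwd.
serve_cwd() { pwd -P; }

# Init-script pattern from the report: cd to the docroot, then launch.
start_with_cd() {      # $1 = launcher default, $2 = docroot
    ( cd "$2" && launch "$1" -- serve_cwd )
}

# Pattern that does not depend on the launcher's default.
start_with_chdir() {   # $1 = launcher default, $2 = docroot
    launch "$1" --chdir "$2" -- serve_cwd
}

DOCROOT=$(mktemp -d)                  # constructed sample docroot
DOCROOT=$(cd "$DOCROOT" && pwd -P)    # canonical path for comparison
echo "old default, cd first: $(start_with_cd "" "$DOCROOT")"
echo "new default, cd first: $(start_with_cd / "$DOCROOT")"
echo "new default, --chdir : $(start_with_chdir / "$DOCROOT")"
rmdir "$DOCROOT"
```

Under the new default, the cd-first pattern ends up serving from `/`, while passing the directory with `--chdir` gives the same result under either default.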