The thttpd init script and config file fail to set the correct docroot for thttpd (thttpd's docroot is, unless explicitly given, taken to be the current working directory from where it is launched). I have specified (e.g.) THTTPD_DOCROOT="/var/www/localhost" in /etc/conf.d/thttpd; the init script then does a chdir to this directory prior to running start-stop-daemon (and I verified this was the case with a suitably-placed "pwd"). If I run the server manually, i.e. "cd /var/www/localhost; /usr/sbin/thttpd -C /etc/conf.d/thttpd" then all works as expected, and it uses the cwd as the docroot. If, however, I use the init script (or cd manually and launch thttpd through start-stop-daemon) then the server fails to find its documents. An strace session shows that the last thing start-stop-daemon does before executing thttpd is to change directory to / -- so this is clearly the cause of the problem. A quick fix is to ignore the THTTPD_DOCROOT variable (as long as it's set to something that does exist) and to instead specify "dir=/var/www/localhost" in the thttpd config file (or use the equivalent commandline option).
Created attachment 92964 [details] strace session On line 33, you can see a chdir("/"); on line 34, you can see start-stop-daemon execute thttpd.
Created attachment 96170 [details, diff] thttpd init.d patch ebuild should also be bumped
in portage
I just stumbled over this and have some news :) This only seems to happen with newer baselayout versions (and thus, start-stop-daemon versions): --chdir or dir= in config not necessary with: =sys-apps/baselayout-1.11.14-r6 --chdir or dir= in config not necessary with: =sys-apps/baselayout-1.12.6
whoops! (In reply to comment #4) > --chdir or dir= in config not necessary with: > =sys-apps/baselayout-1.11.14-r6 > > --chdir or dir= in config not necessary with: > =sys-apps/baselayout-1.12.6 the second 'not' is misplaced :) so --chdir or dir= in config *are* necessary with newer baselayouts. this issue just opened up a root (/) on one webserver I am taking care of! so, older versions of the thttpd package combined with newer versions of baselayout open up a f***ing big security hole! :-( @security: please think about issuing a GLSA for older thttpd package versions. we must not leave the user alone here.
Requesting GLSA...
old GLSA 200701-28