Bug 259694 - www-servers/cherokee runs as root by default
Summary: www-servers/cherokee runs as root by default
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High normal
Assignee: www-servers Herd (OBSOLETE)
Reported: 2009-02-20 11:36 UTC by Wicher Minnaard
Modified: 2009-04-01 12:53 UTC

Description Wicher Minnaard 2009-02-20 11:36:54 UTC
www-servers/cherokee runs as root by default (tested on cherokee-0.98.1). The ebuild does a 
        enewgroup cherokee
        enewuser cherokee -1 -1 /var/www/localhost cherokee
so I guess the intended behaviour is to run as user 'cherokee'.
Adding
        server!user = cherokee
        server!group = cherokee
to /etc/cherokee/cherokee.conf fixes this. In the default configuration, these variables are absent, causing cherokee to run as the invoking user.

Reproducible: Always

Steps to Reproduce:
1. Emerge cherokee-0.98.1
2. Put a textfile readable only by root in /var/www/localhost/htdocs
3. Access said file via the webserver

Actual Results:  
File contents are displayed.

Expected Results:  
File contents should not be displayed. A 403 should be displayed.

Gotcha for testing: By default, cherokee does io-caching. Fiddling with permissions with the IO-cache on gives unexpected results. Disable the cache, or restart cherokee between each test.
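
A config audit for the missing `server!user` / `server!group` settings described in the report above, as an added example that is not part of the original report or the Gentoo ebuild. The function names, the "last occurrence wins" rule, the treatment of `0` as root, and the sample config contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the ebuild): audit a Cherokee
# config for the privilege-drop keys named in the report.

# Print the value of key $2 in file $1 ("key = value" lines, '#' comments).
# Assumption: if a key is repeated, the last occurrence wins.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                  # commented-out settings do not count
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Return 0 only if both keys are present and name a non-root account.
# Assumption: "root" and the numeric id "0" are both treated as root.
audit_cherokee_conf() {
    conf=$1; rc=0
    for key in 'server!user' 'server!group'; do
        val=$(conf_value "$conf" "$key")
        case $val in
            '')     echo "FAIL $key not set: server keeps the invoking user's privileges"; rc=1 ;;
            root|0) echo "FAIL $key = $val"; rc=1 ;;
            *)      echo "ok   $key = $val" ;;
        esac
    done
    return $rc
}

# Constructed sample configs: one without the keys (as reported), one with the fix.
tmp=$(mktemp -d)
printf 'vserver!1!document_root = /var/www/localhost/htdocs\n' > "$tmp/default.conf"
printf 'server!user = cherokee\nserver!group = cherokee\n' > "$tmp/fixed.conf"
audit_cherokee_conf "$tmp/default.conf" || echo "default.conf: no privilege drop configured"
audit_cherokee_conf "$tmp/fixed.conf" && echo "fixed.conf: drops to cherokee"
rm -rf "$tmp"
```

On a live host the function would be pointed at /etc/cherokee/cherokee.conf, and the result is only a static check of the file, not of the running process.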
Comment 1 José Alberto Suárez López (RETIRED) gentoo-dev 2009-04-01 12:53:05 UTC
Fixed in new version in CVS