Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 142047

Summary: www-servers/thttpd init script/config file fails to set docroot
Product: Gentoo Linux Reporter: Laurence Withers <l>
Component: New packagesAssignee: www-servers Herd (OBSOLETE) <www-servers+disabled>
Status: RESOLVED FIXED    
Severity: normal CC: dsd, security, wschlich
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 144335    
Attachments: strace session
thttpd init.d patch

Description Laurence Withers 2006-07-28 16:38:54 UTC 
The thttpd init script and config file fail to set the correct docroot for thttpd (thttpd's docroot is, unless explicitly given, taken to be the current working directory from where it is launched).

I have specified (e.g.) THTTPD_DOCROOT="/var/www/localhost" in /etc/conf.d/thttpd; the init script then does a chdir to this directory prior to running start-stop-daemon (and I verified this was the case with a suitably-placed "pwd").

If I run the server manually, i.e. "cd /var/www/localhost; /usr/sbin/thttpd -C /etc/conf.d/thttpd" then all works as expected, and it uses the cwd as the docroot. If, however, I use the init script (or cd manually and launch thttpd through start-stop-daemon) then the server fails to find its documents.

An strace session shows that the last thing start-stop-daemon does before executing thttpd is to change directory to / -- so this is clearly the cause of the problem.

A quick fix is to ignore the THTTPD_DOCROOT variable (as long as it's set to something that does exist) and to instead specify "dir=/var/www/localhost" in the thttpd config file (or use the equivalent commandline option).
Comment 1 Laurence Withers 2006-07-28 16:40:01 UTC 
Created attachment 92964 [details]
strace session

On line 33, you can see a chdir("/"); on line 34, you can see start-stop-daemon execute thttpd.
Comment 2 Daniel Drake (RETIRED) gentoo-dev 2006-09-06 07:17:45 UTC 
Created attachment 96170 [details, diff]
thttpd init.d patch

ebuild should also be bumped
Comment 3 Daniel Drake (RETIRED) gentoo-dev 2006-09-06 07:33:05 UTC 
in portage
Comment 4 Wolfram Schlich (RETIRED) gentoo-dev 2007-01-25 07:21:50 UTC 
I just stumbled over this and have some news :)

This only seems to happen with newer baselayout versions (and thus, start-stop-daemon versions):

--chdir or dir= in config not necessary with:
  =sys-apps/baselayout-1.11.14-r6

--chdir or dir= in config not necessary with:
  =sys-apps/baselayout-1.12.6
Comment 5 Wolfram Schlich (RETIRED) gentoo-dev 2007-01-25 07:25:00 UTC 
whoops!

(In reply to comment #4)
> --chdir or dir= in config not necessary with:
>   =sys-apps/baselayout-1.11.14-r6
> 
> --chdir or dir= in config not necessary with:
>   =sys-apps/baselayout-1.12.6

the second 'not' is misplaced :)
so --chdir or dir= in config *are* necessary with newer baselayouts.

this issue just opened up a root (/) on one webserver I am taking care of!
so, older versions of the thttpd package combined with newer versions
of baselayout open up a f***ing big security hole! :-(

@security: please think about issuing a GLSA for older thttpd package versions. we must not leave the user alone here.
Comment 6 Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2007-01-26 12:40:51 UTC 
Requesting GLSA...
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 18:59:04 UTC 
old GLSA 200701-28