| Summary: | www-servers/cherokee runs as root by default | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Wicher Minnaard <wicher> |
| Component: | [OLD] Server | Assignee: | www-servers Herd (OBSOLETE) <www-servers+disabled> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | bass |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
Fixed in new version in CVS |
www-servers/cherokee runs as root by default (tested on cherokee-0.98.1). The ebuild does a enewgroup cherokee enewuser cherokee -1 -1 /var/www/localhost cherokee so I guess the intended behaviour is to run as user 'cherokee'. Adding server!user = cherokee server!group = cherokee to /etc/cherokee/cherokee.conf fixes this. In the default configuration, these variables are absent, causing cherokee to run as the invoking user. Reproducible: Always Steps to Reproduce: 1. Emerge cherokee-0.98.1 2. Put a textfile readable only by root in /var/www/localhost/htdocs 3. Access said file via the webserver Actual Results: File contents are displayed. Expected Results: File contents should not be displayed. A 403 should be displayed. Gotcha for testing: By default, cherokee does io-caching. Fiddling with permissions with the IO-cache on gives unexpected results. Disable the cache, or restart cherokee between each test.