Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 11835 - Updated privoxy ebuild
Summary: Updated privoxy ebuild
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: x86 Linux
: High normal (vote)
Assignee: Seemant Kulleen (RETIRED)
URL:
Whiteboard:
Keywords:
: 7163 (view as bug list)
Depends on:
Blocks:
 
Reported: 2002-12-09 06:12 UTC by fbusse
Modified: 2003-02-04 19:42 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Privoxy 3.0.0 ebuild (privoxy.tar.gz,2.56 KB, application/gzip)
2002-12-09 06:12 UTC, fbusse 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description fbusse 2002-12-09 06:12:07 UTC 
Sorry for commiting this again, but there has been no response from any of the
developers on #7163 for over 3 months and it didn't appear in portage.
I guess another person is now responsible for privoxy.
This ebuild bumps the version to 3.0.0 and fixes some bugs, especially that one
that made privoxy not running as privoxy.privoxy but as root.root.
Comment 1 fbusse 2002-12-09 06:12:47 UTC 
Created attachment 6333 [details]
Privoxy 3.0.0 ebuild
Comment 2 Seemant Kulleen (RETIRED) gentoo-dev 2002-12-10 01:30:49 UTC 
*** Bug 7163 has been marked as a duplicate of this bug. ***
Comment 3 Georg Sauthoff 2002-12-10 02:44:27 UTC 
Hi Seamant,  actually this bug is a duplicate of (#7163).  And BTW are there any reasons, why since privoxy 2.9.14_beta every of my comitted privoxy ebuilds was not commented neither committed to the portage tree by gentoo officials?  Hi Fridtjof,  I didn't answer your comment beause I was really busy at this time and I only read "gentoo developers", and I thought I wasn't mean with this, beacuse I am not an official gentoo dev.  And for the reasons why it is not committed since so long time (and not even as ~86) I really don't know. I have committed several ebuilds for privoxy versions > 2.9.14 (includining the initial 2.4.19_beta) and haven't get any comment from official devs (see above).  Regards
Comment 4 Bardur Arantsson 2002-12-10 02:45:10 UTC 
Permissions on /etc/privoxy are incorrect (and quite possibly on other files  
too). They are installed as owned by "privoxy.privoxy". This is a *HUGE*  
security risk, since the configuration specifies log files, etc. and privoxy  
only changes uid *AFTER* having read the configuration file.  
  
This enables any user which compromises the "privoxy" user/group (or the  
daemon itself) to change the UID of the privoxy daemon to any other user  
(including root) simply by changing the configuration setting. This could  
quite possibly also be exploited to overwrite logfiles by using the "log file"  
configuration directives.  
  
My proposed solution:  
  
Change permissions on /etc/privoxy so that:  
  
- root owns the directory, but "privoxy" group has read+execute.  
- root owns the config files.  
- privoxy.privoxy owns the rest of the config files (not absolutely sure, but  
if privoxy changes UID after reading the main config it should be safe).  
  
This will probably cause problems with the "live" editing of configurations  
that privoxy has built-in, but I think changing the permissions is the only  
reasonable thing in light of such a security risk. A way around the live  
editing thing would be to create a sub-directory within /etc/privoxy, where  
all the editable files reside and which could safely be set to being owned by  
"privoxy". I haven't got the time to do this, but it would probably solve  
these problems once and for all.
Comment 5 Seemant Kulleen (RETIRED) gentoo-dev 2002-12-10 02:55:58 UTC 
I'll take care of this one myself.
Comment 6 Seemant Kulleen (RETIRED) gentoo-dev 2002-12-14 19:13:38 UTC 
added to portage.
Comment 7 Seemant Kulleen (RETIRED) gentoo-dev 2002-12-14 19:14:01 UTC 
added to portage