Bug 142047 - www-servers/thttpd init script/config file fails to set docroot
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: www-servers Herd (OBSOLETE)
Blocks: 144335
Reported: 2006-07-28 16:38 UTC by Laurence Withers
Modified: 2007-02-10 18:59 UTC

strace session (strace, 44.90 KB, text/plain), 2006-07-28 16:40 UTC, Laurence Withers
thttpd init.d patch (patch, 743 bytes, patch), 2006-09-06 07:17 UTC, Daniel Drake (RETIRED)

Description Laurence Withers 2006-07-28 16:38:54 UTC
The thttpd init script and config file fail to set the correct docroot for thttpd (thttpd's docroot is, unless explicitly given, taken to be the current working directory from where it is launched).

I have specified (e.g.) THTTPD_DOCROOT="/var/www/localhost" in /etc/conf.d/thttpd; the init script then does a chdir to this directory prior to running start-stop-daemon (and I verified this was the case with a suitably-placed "pwd").

If I run the server manually, i.e. "cd /var/www/localhost; /usr/sbin/thttpd -C /etc/conf.d/thttpd" then all works as expected, and it uses the cwd as the docroot. If, however, I use the init script (or cd manually and launch thttpd through start-stop-daemon) then the server fails to find its documents.

An strace session shows that the last thing start-stop-daemon does before executing thttpd is to change directory to / -- so this is clearly the cause of the problem.

A quick fix is to ignore the THTTPD_DOCROOT variable (as long as it's set to something that does exist) and to instead specify "dir=/var/www/localhost" in the thttpd config file (or use the equivalent commandline option).
Comment 1 Laurence Withers 2006-07-28 16:40:01 UTC
Created attachment 92964
strace session

On line 33, you can see a chdir("/"); on line 34, you can see start-stop-daemon execute thttpd.
Comment 2 Daniel Drake (RETIRED) gentoo-dev 2006-09-06 07:17:45 UTC
Created attachment 96170
thttpd init.d patch

ebuild should also be bumped
Comment 3 Daniel Drake (RETIRED) gentoo-dev 2006-09-06 07:33:05 UTC
in portage
Comment 4 Wolfram Schlich (RETIRED) gentoo-dev 2007-01-25 07:21:50 UTC
I just stumbled over this and have some news :)

This only seems to happen with newer baselayout versions (and thus, start-stop-daemon versions):

--chdir or dir= in config not necessary with:
  =sys-apps/baselayout-1.11.14-r6
--chdir or dir= in config not necessary with:
  =sys-apps/baselayout-1.12.6
Comment 5 Wolfram Schlich (RETIRED) gentoo-dev 2007-01-25 07:25:00 UTC

(In reply to comment #4)
> --chdir or dir= in config not necessary with:
>   =sys-apps/baselayout-1.11.14-r6
> --chdir or dir= in config not necessary with:
>   =sys-apps/baselayout-1.12.6

the second 'not' is misplaced :)
so --chdir or dir= in config *are* necessary with newer baselayouts.

this issue just opened up a root (/) on one webserver I am taking care of!
so, older versions of the thttpd package combined with newer versions
of baselayout open up a f***ing big security hole! :-(

@security: please think about issuing a GLSA for older thttpd package versions. we must not leave the user alone here.
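
A check for the condition discussed in the description and in comments 4 and 5, as an added example that is not part of the bug report or of the Gentoo package: given a thttpd config file and the init script that launches it, it reports whether the docroot is pinned by `dir=` or `--chdir`, or left to the working directory thttpd inherits. The function names and sample files are hypothetical, and treating `#` to end of line as a comment with whitespace-separated options is an assumption about the config format.

```shell
#!/bin/sh
# Added example (not part of the bug report): report where thttpd's
# docroot would come from. Both paths are given by the caller:
#   $1 thttpd config file (the one passed with -C)   $2 init script

# Print the value of the last uncommented dir= option, if any.
config_dir() {
    sed 's/#.*//' "$1" | tr -s ' \t' '\n\n' | sed -n 's/^dir=//p' | tail -n 1
}

# Succeed if the init script mentions --chdir outside a comment.
init_uses_chdir() {
    sed 's/#.*//' "$1" | grep -q -e '--chdir'
}

# Prints config:<dir>, chdir, root (dir=/) or cwd (nothing pins the
# docroot, so thttpd serves whatever directory it is started in).
# Exit status is 0 only when the docroot is pinned somewhere other than /.
docroot_source() {
    dir=$(config_dir "$1")
    case $dir in
        /)  echo root; return 1 ;;
        '') ;;
        *)  echo "config:$dir"; return 0 ;;
    esac
    if init_uses_chdir "$2"; then echo chdir; return 0; fi
    echo cwd; return 1
}

# Constructed sample files reproducing the situation in this bug.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'port=80' > "$tmp/conf"
    echo 'start-stop-daemon --start --exec /usr/sbin/thttpd -- -C conf' > "$tmp/init"
    docroot_source "$tmp/conf" "$tmp/init" || true   # cwd
    echo 'dir=/var/www/localhost' >> "$tmp/conf"
    docroot_source "$tmp/conf" "$tmp/init" || true   # config:/var/www/localhost
    rm -rf "$tmp"
}

if [ "$#" -eq 2 ]; then docroot_source "$1" "$2"; else demo; fi
```

The `--chdir` test only looks for the option's presence in the script, so it does not verify which directory is passed to it.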
Comment 6 Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2007-01-26 12:40:51 UTC
Requesting GLSA...
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 18:59:04 UTC
old GLSA 200701-28