author | Max Kanat-Alexander <mkanat@bugzilla.org> | 2010-06-24 18:58:56 +0200 |
---|---|---|
committer | Max Kanat-Alexander <mkanat@bugzilla.org> | 2010-06-24 18:58:56 +0200 |
commit | 92f35343a344dca4ff3c2998d999a0d23d943fcf (patch) | |
tree | 2110c7bd901583654fa825a031995f33c0ff3009 /Bugzilla/Install | |
parent | 15fd6fe4ead020f79f004dfb42ce2e1819aaeb0d (diff) | |
Bug 561797: (CVE-2010-0180) [SECURITY] checksetup.pl with $suexec=1 sets
localconfig as world readable
r=timello, a=mkanat
Diffstat (limited to 'Bugzilla/Install')
-rw-r--r-- | Bugzilla/Install/Filesystem.pm | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/Bugzilla/Install/Filesystem.pm b/Bugzilla/Install/Filesystem.pm
index 4e2647dfb..9ee21ed35 100644
--- a/Bugzilla/Install/Filesystem.pm
+++ b/Bugzilla/Install/Filesystem.pm
@@ -75,6 +75,13 @@ sub FILESYSTEM {
     my $skinsdir = bz_locations()->{'skinsdir'};
     my $localconfig = bz_locations()->{'localconfig'};
+    # We want to set the permissions the same for all localconfig files
+    # across all PROJECTs, so we do something special with $localconfig,
+    # lower down in the permissions section.
+    if ($ENV{PROJECT}) {
+        $localconfig =~ s/\.\Q$ENV{PROJECT}\E$//;
+    }
+
     my $ws_group = Bugzilla->localconfig->{'webservergroup'};
     my $use_suexec = Bugzilla->localconfig->{'use_suexec'};
@@ -92,6 +99,9 @@ sub FILESYSTEM {
     # Writeable by the web server.
     my $ws_writeable = $ws_group ? 0660 : 0666;
+    # Script-readable files that should not be world-readable under suexec.
+    my $script_readable = $use_suexec ? 0640 : $ws_readable;
+
     # DIRECTORIES
     # Readable by the web server.
     my $ws_dir_readable = ($ws_group && !$use_suexec) ? 0750 : 0755;
@@ -129,6 +139,10 @@ sub FILESYSTEM {
         'migrate.pl' => { perms => $owner_executable },
         'install-module.pl' => { perms => $owner_executable },
+        # Set the permissions for localconfig the same across all
+        # PROJECTs.
+        $localconfig => { perms => $script_readable },
+        "$localconfig.*" => { perms => $script_readable },
         "$localconfig.old" => { perms => $owner_readable },
         'contrib/README' => { perms => $owner_readable }, |
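Review bot: `$script_readable` is 0640 under suexec, so localconfig stays readable by whatever group the file carries, and that is only as tight as the group assignment made elsewhere in this sub (not in the hunk); the comment should state that assumption rather than just "should not be world-readable". In the non-suexec branch it falls back to `$ws_readable`, which is defined above this hunk; if that is 0644 when no webservergroup is set, localconfig remains world-readable in that configuration, which this fix does not change and a reader of the new comment would not know. I would replace the one-line comment with: `# localconfig and friends: under suexec the CGIs presumably run as the file owner, so group-read (0640) is the widest mode needed and world-read is dropped; without suexec we fall back to $ws_readable, which is world-readable when no webservergroup is configured.` The body of FILESYSTEM starts and ends outside this hunk.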
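Review bot: `"$localconfig.*"` and the pre-existing `"$localconfig.old"` entry both match localconfig.old, and since `%files` is a Perl hash its key order is unspecified, so which mode that file ends up with (0640 from the glob or `$owner_readable`) depends on how the permission pass resolves overlapping patterns — that code is outside the hunk, and the existing `'*'` entry suggests it already prefers more specific keys, but the `.old` case should be confirmed by a test since it is the file holding the previous secrets. The glob also picks up any other `localconfig.*` artefact in the tree, which looks intended but should be said. I would extend the new comment to: `# localconfig and every localconfig.<PROJECT> get the same mode; the more specific localconfig.old entry below must still win over this glob.` The `%files` hash and the enclosing sub start and end outside the hunk.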