Package: lighttpd
Version: 1.4.55-1
Severity: wishlist
Tags: patch

Dear Maintainer,

While improving my SELinux policy, I've stumbled across the cron job installed by lighttpd. Its usage of 'su' to run commands under the 'www-data' user isn't optimal.

Excerpt from su(1):

> su is mostly designed for unprivileged users, the recommended solution for
> privileged users (e.g. scripts executed by root) is to use non-set-user-ID
> command runuser(1) that does not require authentication and provide separate
> PAM configuration. If the PAM session is not required at all then the
> recommend solution is to use command setpriv(1).

This also causes a full session to be started, along with 'systemd --user', socket activation and possibly services starting under the 'www-data' user.

I've attached my modified crontab, which uses 'runuser' instead of 'su'; this results in no session being started.

- bauen1

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect
LSM: SELinux: enabled - Mode: Enforcing - Policy name: refpolicy

Versions of packages lighttpd depends on:
hi  libattr1      1:2.4.48-5
hi  libbz2-1.0    1.0.8-2
ii  libc6         2.30-4
ii  libcrypt1     1:4.4.16-1
hi  libfam0       2.7.0-17.3
hi  libpcre3      2:8.39-12+b1
ii  libssl1.1     1.1.1g-1
ii  lsb-base      11.1.0
ii  mime-support  3.64
hi  zlib1g        1:1.2.11.dfsg-2

Versions of packages lighttpd recommends:
ii  perl        5.30.0-10
ii  spawn-fcgi  1.6.4-2

Versions of packages lighttpd suggests:
ii  apache2-utils               2.4.43-1
pn  lighttpd-doc                <none>
pn  lighttpd-mod-authn-gssapi   <none>
pn  lighttpd-mod-authn-pam      <none>
pn  lighttpd-mod-authn-sasl     <none>
pn  lighttpd-mod-cml            <none>
pn  lighttpd-mod-geoip          <none>
pn  lighttpd-mod-magnet         <none>
pn  lighttpd-mod-maxminddb      <none>
pn  lighttpd-mod-trigger-b4-dl  <none>
pn  lighttpd-mod-vhostdb-dbi    <none>
pn  lighttpd-mod-vhostdb-pgsql  <none>
pn  lighttpd-mod-webdav         <none>
ii  lighttpd-modules-ldap       1.4.55-1
ii  lighttpd-modules-mysql      1.4.55-1
ii  openssl                     1.1.1g-1
pn  php-cgi                     <none>
pn  rrdtool                     <none>

-- Configuration Files:
/etc/cron.daily/lighttpd changed:
# this might not be required:
# under my test setup find (www-data) failed to change directory out of /root
# this might have been due to SELinux or DAC
cd /
cache=/var/cache/lighttpd
if test -d "$cache/compress"; then
    runuser -u www-data -- /bin/sh -c "find $cache/compress -type f -atime +30 -print0 | xargs -0 -r rm"
fi
if test -d "$cache/uploads"; then
    runuser -u www-data -- /bin/sh -c "find $cache/uploads -type f -atime +1 -print0 | xargs -0 -r rm"
fi
-- no debconf information
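As an added example (not the reporter's patch and not the Debian package's script), the same cache pruning built around setpriv(1), which the su(1) excerpt above recommends when no PAM session is needed at all; GNU find's -delete replaces the 'sh -c "find ... | xargs rm"' pipeline so no shell is started under www-data. It assumes util-linux setpriv and GNU find, both standard on Debian.

```shell
#!/bin/sh
# Added example, not the reporter's patch or the Debian package's script:
# prune the lighttpd cache as www-data via setpriv(1) instead of su/runuser,
# so no login session, PAM stack or 'systemd --user' instance is created.
# Assumes util-linux setpriv and GNU find (-delete), both standard on Debian.
set -eu

# Switch to www-data for one command only: real/effective uid and gid,
# supplementary groups initialised from /etc/group, inheritable capability
# set cleared, and no further privilege gain via setuid/fscaps binaries.
as_www_data() {
    setpriv --reuid=www-data --regid=www-data --init-groups \
            --inh-caps=-all --no-new-privs -- "$@"
}

# prune_cache DIR DAYS [RUNNER...]: delete regular files under DIR whose
# atime is older than DAYS days, running find through RUNNER when given.
# find -delete avoids handing an interpolated path to a shell under the
# target user, which the original 'sh -c "find $cache/..."' form does.
prune_cache() {
    dir=$1; days=$2; shift 2
    [ -d "$dir" ] || return 0
    "$@" find "$dir" -type f -atime +"$days" -delete
}

main() {
    # Start from / so the unprivileged find is never left inside /root,
    # the cwd problem noted in the reporter's crontab comment.
    cd /
    cache=/var/cache/lighttpd
    prune_cache "$cache/compress" 30 as_www_data
    prune_cache "$cache/uploads" 1 as_www_data
}

# cron invokes this as 'sh lighttpd-prune run'; without the argument only
# the functions are defined, so the file can also be sourced.
if [ "${1:-}" = run ]; then
    main
fi
```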