FYI, here's a copy of the private message where I proposed an NMU to address the problem.

As previously explained, it wouldn't add the user to the .htpasswd in case of upgrades, in the current state, if I did test the right way, but that should be better than nothing maybe.

Best regards,

-------- Forwarded message --------
From: Olivier Berger <[EMAIL PROTECTED]>
To: Sven Dowideit <[EMAIL PROTECTED]>
Cc: Florian Weimer <[EMAIL PROTECTED]>, [EMAIL PROTECTED], Sven Dowideit <[EMAIL PROTECTED]>, Sven Dowideit <[EMAIL PROTECTED]>
Subject: Re: Security issue for Twiki's configure script execution possible by default
Date: Wed, 04 Jun 2008 09:11:06 +0200

Hi.

Please note that the provided patch has been tested on initial install only, and I realized afterwards that it may fail in adding the "configuser" to the .htpasswd in case of upgrade.

The postinst should be easily adapted to have a reconfigure case in which this could be done, in addition to the configure case.

Hope this helps.

Btw, I'd welcome some sort of feedback ;-)

Best regards,

-------- Forwarded message --------
From: Olivier Berger <[EMAIL PROTECTED]>
To: Sven Dowideit <[EMAIL PROTECTED]>
Cc: Florian Weimer <[EMAIL PROTECTED]>, [EMAIL PROTECTED], Sven Dowideit <[EMAIL PROTECTED]>, Sven Dowideit <[EMAIL PROTECTED]>
Subject: Re: Security issue for Twiki's configure script execution possible by default
Date: Tue, 03 Jun 2008 14:20:06 +0200

Hello.

I've prepared a "NMU patch" which I believe would avoid the problem of the configure script being world accessible as TWikiGuest/guest.

Can you review it, and maybe apply it to twiki 4.1.2?

It now prompts a user + password at debconf+configure time, and sets it as required user in the "configure" part of the apache.conf, together with allow only for 127.0.0.1.

Thus, the configuration of twiki can only be done by a user which is logged-in on the server and knows the configuser's login+password. That makes it much more secure.

The script changes may not be bulletproof, but that's only a quickfix, allowing a NMU package, waiting for much better packaging for twiki 4.2.

Tell me of any remarks.

Best regards,

On Thursday 29 May 2008 at 11:28 +1000, Sven Dowideit wrote:
> crumbs chief, this week is going from 'too busy' to 'it's a knockout'
>
> Because TWiki 4.2.0 has an inbuilt admin user, I was planning on forcing
> installers to set that password on install.. (and to remove the guest
> user & password altogether)
>
> but yeah, I've not found anywhere near enough time to get things done.
>
> the TWikiGuest/guest thing has been there pretty much forever (before I
> picked up the package I think), so I'm somewhat unqualified to decide if
> it is urgent.
>
> Sven
>
>

--
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)

diff -u twiki-4.1.2/debian/templates twiki-4.1.2/debian/templates --- twiki-4.1.2/debian/templates +++ twiki-4.1.2/debian/templates @@ -35,0 +36,17 @@ + +Template: twiki/configuser +Type: string +Default: configuser +_Description: Please enter the username allowed to access the configure script + This user will be the only one allowed to access the configure script at + ${site}/cgi-bin/configure + + +Template: twiki/configpassword +Type: password +_Description: Please enter password for user ${configuser} + This is the password for the user '${configuser}' which will be the + only one allowed to access the configure script at + ${site}/cgi-bin/configure + . + This password should be non-trivial. diff -u twiki-4.1.2/debian/config twiki-4.1.2/debian/config --- twiki-4.1.2/debian/config +++ twiki-4.1.2/debian/config @@ -1,4 +1,5 @@ #!/bin/sh + set -e # Source debconf library. @@ -11,6 +12,22 @@ db_input high twiki/wikiwebmaster || true # medium = Normal items that have reasonable defaults. db_input medium twiki/samplefiles || true + +# ask for config user (default: configuser) +db_get "twiki/defaultUrlHost" +site="$RET" +db_subst "twiki/configuser" "site" "$site" +# medium = may be initialized to default value +db_input medium twiki/configuser || true + +db_get twiki/configuser +configuser="$RET" +db_subst "twiki/configpassword" "configuser" "$configuser" +db_subst "twiki/configuser" "site" "$site" +# high : password must be typed-in +db_input high twiki/configpassword || true + + # add info due to 3-4 bug reports db_input high twiki/apacheUserCreationNote || true db_go || true diff -u twiki-4.1.2/debian/changelog twiki-4.1.2/debian/changelog --- twiki-4.1.2/debian/changelog +++ twiki-4.1.2/debian/changelog 
@@ -1,3 +1,12 @@ +twiki (1:4.1.2-3.2) unstable; urgency=high + + * Non-maintainer upload. + * Protect configure script which used to be world accessible as a + trivial user : will now be accessible only from localhost as a + specific user, which is configured through Debconf. + + -- Olivier Berger <[EMAIL PROTECTED]> Tue, 03 Jun 2008 14:05:54 +0200 + twiki (1:4.1.2-3.1) unstable; urgency=low * Non-maintainer upload. diff -u twiki-4.1.2/debian/postinst twiki-4.1.2/debian/postinst --- twiki-4.1.2/debian/postinst +++ twiki-4.1.2/debian/postinst @@ -74,7 +74,13 @@ perl -pi~ -e 's/^(\s*\*\s*Set\s*SMTPMAILHOST\s*=\s*).*(\r\n)$/$1$2/;' /var/lib/twiki/data/TWiki/TWikiPreferences.txt fi +# user + password authorized to run configure script +db_get twiki/configuser +configuser="$RET" +perl -pi~ -e '$U=q{'"$RET"'}; s/^([^#]*Require user).*/$1 $U/g;' /etc/twiki/apache.conf +db_get twiki/configpassword +configpassword="$RET" # prevent further confusion: done with debconfig @@ -82,8 +88,6 @@ # Rewrite this in perl, if we ever find a non-kerberos example of how # to do so. -db_stop - case "$1" in configure) # P=/usr/lib/cgi-bin/twiki @@ -126,6 +130,7 @@ if [ ! -e /var/lib/twiki/data/.htpasswd ]; then touch /var/lib/twiki/data/.htpasswd $HTPASSWDCMD -b /var/lib/twiki/data/.htpasswd TWikiGuest guest + $HTPASSWDCMD -b /var/lib/twiki/data/.htpasswd "$configuser" "$configpassword" chown $TWIKI_OWNER.www-data /var/lib/twiki/data/.htpasswd chmod 660 /var/lib/twiki/data/.htpasswd fi @@ -177,6 +182,12 @@ chown -R $TWIKI_OWNER.www-data /var/log/twiki chmod -R 755 /var/log/twiki chown $TWIKI_OWNER.www-data /etc/twiki/LocalSite.cfg + + # erase configuser password + db_reset "twiki/configpassword" + + db_stop + # reload apache configs for server in $servers; do 
@@ -185,6 +196,7 @@ /etc/init.d/$server reload fi done + ;; abort-upgrade|abort-remove|abort-deconfigure) diff -u twiki-4.1.2/debian/apache.conf twiki-4.1.2/debian/apache.conf --- twiki-4.1.2/debian/apache.conf +++ twiki-4.1.2/debian/apache.conf @@ -127,8 +127,9 @@ Order Deny,Allow Deny from all Allow from 127.0.0.1 - Require user TWikiGuest - Satisfy Any +# Require user TWikiGuest + Require user %CONFIGUSER% +# Satisfy Any </FilesMatch> <FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
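
Review bot: in debian/config the second db_subst "twiki/configuser" "site" "$site" just repeats the call made a few lines earlier, while twiki/configpassword, whose description also uses ${site}, never receives that substitution; the repeated line should target twiki/configpassword. In the same hunk, db_get twiki/configuser runs before db_go, so $configuser holds the default or a previously stored answer rather than what the admin types in this run, and the password prompt can name the wrong user. Run db_go after the configuser question before reading the value back.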
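
Review bot: in the debian/postinst hunk at -74, the debconf answer is spliced into the Perl program text ($U=q{'"$RET"'}), so a username containing a brace or a quote changes the code that postinst runs as root. Pass the value through the environment and read it with $ENV{...} inside the substitution, and have debian/config reject names outside a conservative character set. The pattern ^([^#]*Require user).* also rewrites every uncommented "Require user" line in /etc/twiki/apache.conf, so it should be limited to the FilesMatch section that protects configure.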
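
Review bot: in the debian/postinst hunk at -126, the new htpasswd call sits inside "if [ ! -e /var/lib/twiki/data/.htpasswd ]", so on an upgrade where the file already exists the user is never created while apache.conf already requires it, which leaves configure unreachable. Add or update the entry outside that test. The -b form also puts the password on the command line, where other local users can read it from the process list while the command runs, and nothing checks that $configpassword is non-empty even though the template has no default and the db_input is followed by "|| true".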
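
Review bot: in the debian/postinst hunk at -177, db_reset "twiki/configpassword" is only reached at the very end of the configure branch, so the cleartext password stays in the debconf database whenever postinst exits before that point. Reset it directly after the value has been copied into $configpassword, and note in a comment why db_stop had to move below the new db_get calls.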
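
Review bot: in debian/apache.conf the old directives are kept as comments ("# Require user TWikiGuest", "# Satisfy Any") with no explanation. Delete them and add a comment stating that dropping Satisfy Any is what makes both the 127.0.0.1 restriction and the login mandatory, so that nobody restores it later. "Allow from 127.0.0.1" does not match the IPv6 loopback address, so local access over ::1 is refused; document that or add the address.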