Hello. I assume that my RTFM argument made its point, and the realty of the issue is acknowledged, so I'm trying get back to the proposal for a solution.
As the maintainer seems reactive, there may no longer be a need for a
NMU (which I proposed when I received no reaction to my initial private
report, and may have kept talking about later whereas the maintainer had
responded, sorry).
Le mardi 10 juin 2008 à 18:53 +1000, Sven Dowideit a écrit :
> That said, I was (and am) expecting that as Olivier has such a strong
> interest, that he will be fixing the issues he found in his own patch,
> so that the package can become better.
I have reviewed my previous proposed patch, and am proposing a new
version of changes for the package's scripts.
However, it introduces some novelties, with the use of a new apache
("configuser") user and password which would be added to the .htpasswd
which controls access to the configure script, but which may also
constitute a new legitimate TWiki user. Along with such novelties come
some concerns too (see bellow).
Now, it may not be the best way to address the security issue at stake
here.
So, simply removing access to the configure script from the default
setup of the Debian package may be better security-wise, of course, and
also much more simple packaging-wise.
But of course, leaving an option in the packaging for a configuration of
a reasonably well managed access to the 'configure' script would be a
plus for user-friendliness of the packaging for TWiki administrators.
The latter option is the subject of the patch attached to this mail.
Some concerns I still have with the proposed patch are listed here, but
it's now more robust than the previous one I had proposed, as it handles
the upgrade case better :
* password for the "configuser" is prompted once only (without a
confirmation step, and a check of concordance of the two, and looping
should they differ, etc), as I have no experience in doing complex
config scripts, and I think it's better to try and minimize the changes
in such a bug fix, leaving complex changes for new major versions (and
done by the official maintainer ;-)
* The handling of passwords (other than TWikiGuest's) in .htpasswd by
debconf/dpkg-reconfigure should be documented so that an admin may not
think that manual customization would be kept across updates or
dpkg-reconfigure
* No check is done for the "configuser"'s logname provided at config
time, to see if it conflicts with another already existing TWiki user
(already in the .htpasswd)
* No test was done to see if a user may later register in the TWiki
reusing the configuser's login, and acquiring its privileges
As you can see, I tried my best to give an exhaustive view of options,
without investing in a heavy rewrite of the packaging, and I hope you'll
be able to provide a proper fix, choosing between the options I
suggested, or otherwise.
> In fact, I'm hoping he'll help
> finish the 4.2.x TWiki package that i started work on last time i had
> the time to look.
>
I may do so, but this would require some sort of procedures for
collaboration, which should probably be discussed beyond this very
ticket.
Best regards,
--
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
diff -u twiki-4.1.2/debian/templates twiki-4.1.2/debian/templates
--- twiki-4.1.2/debian/templates
+++ twiki-4.1.2/debian/templates
@@ -35,0 +36,17 @@
+
+Template: twiki/configuser
+Type: string
+Default: configuser
+_Description: Please enter the username allowed to access the configure script
+ This user will be the only one allowed to access the configure script at
+ ${site}/cgi-bin/configure
+
+
+Template: twiki/configpassword
+Type: password
+_Description: Please enter password for user ${configuser}
+ This is the password for the user '${configuser}' which will be the
+ only one allowed to access the configure script at
+ ${site}/cgi-bin/configure
+ .
+ This password should be non-trivial.
diff -u twiki-4.1.2/debian/config twiki-4.1.2/debian/config
--- twiki-4.1.2/debian/config
+++ twiki-4.1.2/debian/config
@@ -1,4 +1,5 @@
#!/bin/sh
+
set -e
# Source debconf library.
@@ -11,6 +12,22 @@
db_input high twiki/wikiwebmaster || true
# medium = Normal items that have reasonable defaults.
db_input medium twiki/samplefiles || true
+
+# ask for config user (default: configuser)
+db_get "twiki/defaultUrlHost"
+site="$RET"
+db_subst "twiki/configuser" "site" "$site"
+# medium = may be initialized to default value
+db_input medium twiki/configuser || true
+
+db_get twiki/configuser
+configuser="$RET"
+db_subst "twiki/configpassword" "configuser" "$configuser"
+db_subst "twiki/configuser" "site" "$site"
+# high : password must be typed-in
+db_input high twiki/configpassword || true
+
+
# add info due to 3-4 bug reports
db_input high twiki/apacheUserCreationNote || true
db_go || true
diff -u twiki-4.1.2/debian/changelog twiki-4.1.2/debian/changelog
--- twiki-4.1.2/debian/changelog
+++ twiki-4.1.2/debian/changelog
@@ -1,3 +1,12 @@
+twiki (1:4.1.2-3.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Protect configure script which used to be world accessible as a
+ trivial user : will now be accessible only from localhost as a
+ specific user, which is configured through Debconf.
+
+ -- Olivier Berger <[EMAIL PROTECTED]> Tue, 11 Jun 2008 14:57:54 +0200
+
twiki (1:4.1.2-3.1) unstable; urgency=low
* Non-maintainer upload.
diff -u twiki-4.1.2/debian/postinst twiki-4.1.2/debian/postinst
--- twiki-4.1.2/debian/postinst
+++ twiki-4.1.2/debian/postinst
@@ -74,7 +74,13 @@
perl -pi~ -e 's/^(\s*\*\s*Set\s*SMTPMAILHOST\s*=\s*).*(\r\n)$/$1$2/;' /var/lib/twiki/data/TWiki/TWikiPreferences.txt
fi
+# user + password authorized to run configure script
+db_get twiki/configuser
+configuser="$RET"
+perl -pi~ -e '$U=q{'"$RET"'}; s/^([^#]*Require user).*/$1 $U/g;' /etc/twiki/apache.conf
+db_get twiki/configpassword
+configpassword="$RET"
# prevent further confusion: done with debconfig
@@ -82,8 +88,6 @@
# Rewrite this in perl, if we ever find a non-kerberos example of how
# to do so.
-db_stop
-
case "$1" in
configure)
# P=/usr/lib/cgi-bin/twiki
@@ -126,9 +130,17 @@
if [ ! -e /var/lib/twiki/data/.htpasswd ]; then
touch /var/lib/twiki/data/.htpasswd
$HTPASSWDCMD -b /var/lib/twiki/data/.htpasswd TWikiGuest guest
- chown $TWIKI_OWNER.www-data /var/lib/twiki/data/.htpasswd
- chmod 660 /var/lib/twiki/data/.htpasswd
fi
+
+ # applies the configuser's password prompted
+ # during config (on every upgrade) into the
+ # file, again, erasing any admin's manual
+ # htpasswd execution (including fix for
+ # #485562)
+ $HTPASSWDCMD -b /var/lib/twiki/data/.htpasswd "$configuser" "$configpassword"
+ chown $TWIKI_OWNER.www-data /var/lib/twiki/data/.htpasswd
+ chmod 660 /var/lib/twiki/data/.htpasswd
+
fi
fi
@@ -177,6 +189,12 @@
chown -R $TWIKI_OWNER.www-data /var/log/twiki
chmod -R 755 /var/log/twiki
chown $TWIKI_OWNER.www-data /etc/twiki/LocalSite.cfg
+
+ # erase configuser password
+ db_reset "twiki/configpassword"
+
+ db_stop
+
# reload apache configs
for server in $servers; do
@@ -185,6 +203,7 @@
/etc/init.d/$server reload
fi
done
+
;;
abort-upgrade|abort-remove|abort-deconfigure)
diff -u twiki-4.1.2/debian/apache.conf twiki-4.1.2/debian/apache.conf
--- twiki-4.1.2/debian/apache.conf
+++ twiki-4.1.2/debian/apache.conf
@@ -127,8 +127,9 @@
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
- Require user TWikiGuest
- Satisfy Any
+# Require user TWikiGuest
+ Require user %CONFIGUSER%
+# Satisfy Any
</FilesMatch>
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
only in patch2:
unchanged:
signature.asc
Description: Ceci est une partie de message numériquement signée
