DO NOT REPLY [Bug 8683] New: - Insecure file permissions - make install

From: <bugzilla(at)apache.org>
Date: Tue Apr 30 2002 - 18:38:10 EDT

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8683>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8683

Insecure file permissions - make install

           Summary: Insecure file permissions - make install
           Product: Apache httpd-1.3
           Version: 1.3.24
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Build
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: jr-apachebugs@quo.to

When you run "make install" as root and it gets to this part:

Copying tree ./htdocs/manual -> /usr/local/apache/htdocs/manual/ Copying tree ./icons/ -> /usr/local/apache/icons/

the files it copies have a user and group id of 1078 -- the id's the files in the tar archive had. This isn't really secure because whichever user happens to have an id of 1078 can write to the files.

When installed as root, I think all installed files should have a user and group id of 0.

---

To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org For additional commands, e-mail: bugs-help@httpd.apache.org Received on Tue Apr 30 22:38:11 2002