A somewhat odd configuration in cobbler.wsgi
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Cobbler | New | Unknown | | |
| cobbler (Ubuntu) | | High | Unassigned | |
Bug Description
I find it rather odd that in /usr/share/
the following is set -->
os.environ[
which probably isn't a good idea, however I am not exactly sure on the impact of it (at this point). It seems that the PYTHON_EGG_CACHE is the location where any eggs that cobbler might use would be unpacked. As cobblerd runs as root, if a local user (I haven't verified this, it just seems easier to fix this bug...) it might be possible for them to place their own python modules (which would be read as they are from the 'cache') and gain root privileges.
Note: I installed cobbler as a result of installing ubuntu-orchestra. (cobbler version: 2.1.0+git201106
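The risk the description points at is that PYTHON_EGG_CACHE names the directory into which pkg_resources unpacks zipped eggs before importing from them, so whoever can write to that directory can plant code that a root cobblerd later loads; pkg_resources itself warns when the extraction path is group- or world-writable, and the mod_wsgi note quoted in comment #1 below makes the same point about shared directories. The page does not show the value cobbler.wsgi actually sets, so the following is an added example (not code from cobbler or from the Ubuntu package) of the check a packager or operator can apply before trusting a cache directory, with constructed temporary paths standing in for the real one: it rejects symlinks, directories owned by another uid, and group- or world-writable directories, and shows the corrected pattern of a private 0700 directory owned by the service user. The function names and the `cobbler-web-eggs` path are assumptions.

```python
import os
import stat
import tempfile


def egg_cache_problems(path):
    """Return the reasons `path` is unsafe as PYTHON_EGG_CACHE ([] if it passes).

    Eggs are unpacked here and then imported, so the directory must be a
    real directory that only the service user can write to.
    """
    try:
        st = os.lstat(path)          # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return ["does not exist"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["is not a directory"]
    problems = []
    if st.st_uid != os.geteuid():
        problems.append("owned by uid %d, not the service uid %d"
                        % (st.st_uid, os.geteuid()))
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")   # a /tmp-style 1777 directory fails here
    return problems


def configure_egg_cache(path, environ=None):
    """Create `path` privately if needed, validate it and export it as
    PYTHON_EGG_CACHE in `environ` (defaults to os.environ).

    Raises RuntimeError rather than pointing the cache at a shared
    location; this is the safe counterpart of blindly assigning the variable.
    """
    if environ is None:
        environ = os.environ
    if not os.path.lexists(path):
        os.mkdir(path, 0o700)
        os.chmod(path, 0o700)        # mkdir's mode argument is subject to umask
    problems = egg_cache_problems(path)
    if problems:
        raise RuntimeError("refusing %s as PYTHON_EGG_CACHE: %s"
                           % (path, ", ".join(problems)))
    environ["PYTHON_EGG_CACHE"] = path
    return path


def accepts(path):
    """True if configure_egg_cache() is willing to use `path`."""
    try:
        configure_egg_cache(path, environ={})
        return True
    except RuntimeError:
        return False


def demo():
    """Constructed layout under a fresh temp dir: a shared 1777 directory like
    /tmp, a symlink pointing into it, and a private per-service directory.
    Returns the check results for each."""
    base = tempfile.mkdtemp(prefix="egg-cache-demo-")
    shared = os.path.join(base, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)
    link = os.path.join(base, "link")
    os.symlink(shared, link)
    private = os.path.join(base, "cobbler-web-eggs")   # hypothetical service-owned path
    return {
        "shared": egg_cache_problems(shared),
        "link": egg_cache_problems(link),
        "shared_accepted": accepts(shared),
        "private_accepted": accepts(private),
        "private": egg_cache_problems(private),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The check runs as whatever user imports the WSGI file, so when the service runs as root the directory must be root-owned and 0700; a sticky-bit shared directory still fails because any local user can create entries in it.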
Related branches
- Chuck Short: Pending requested 2011-10-01
- Andres Rodriguez: Pending requested 2011-10-01

Diff: 164 lines (+56/-5), 11 files modified
- .pc/58_fix_egg_cache.patch/web/cobbler.wsgi (+10/-0)
- .pc/applied-patches (+1/-0)
- debian/changelog (+16/-0)
- debian/cobbler-common.install (+0/-1)
- debian/cobbler-web.dirs (+1/-0)
- debian/cobbler-web.postinst (+3/-0)
- debian/cobbler.postinst (+1/-0)
- debian/control (+3/-3)
- debian/patches/58_fix_egg_cache.patch (+19/-0)
- debian/patches/series (+1/-0)
- web/cobbler.wsgi (+1/-1)
- visibility: private → public
- Changed in cobbler (Ubuntu): importance: Undecided → High
- Changed in cobbler (Ubuntu): status: New → Triaged

Clint Byrum (clint-fewbar) wrote: #1

http://code.google.com/p/modwsgi/wiki/ApplicationIssues

"Note that you should refrain from ever using directories or files which have been made writable to anyone as this could compromise security. Also be aware that if hosting multiple applications under the same web server, they will all run as the same user and so it will be possible for each to both see and modify each others files. If this is an issue, you should host the applications on different web servers running as different users or on different systems. Alternatively, any data required or updated by the application should be hosted in a database with separate accounts for each application."

This file comes from upstream, so I forwarded the bug there as well.

- Changed in cobbler: status: Unknown → New

Launchpad Janitor (janitor) wrote: #2

This bug was fixed in the package cobbler - 2.2.2-0ubuntu1

---------------
cobbler (2.2.2-0ubuntu1) precise; urgency=low

  [Chuck Short]
  * New upstream release:
    + Use dh_python2 everywhere.
    + Folded debian/
      and debian/
      into one patch for easier upstreaming.
    + Dropped debian/
      Fix upstream.
    + Dropped debian/
      in favor of debian/
      It adds "precise" and drops unsupported releases as well.
    + Dropped debian/
      No longer needed.
    + Dropped debian/
      to orchestra

  [Clint Byrum]
  * debian/
    is not world readable. (LP: #858860)
  * debian/control: cobbler needs to depend on python-cobbler
    (LP: #863738)
  * debian/
    PYTHON_
  * debian/
    not required and contains a known password that would leave
    cobblerd vulnerable if started before configuration is done
  * debian/
    be more secure (LP: #863755)

  [Robie Basak]
  * Backport safe YAML load from upstream. (LP: #858883)

 -- Chuck Short <email address hidden>  Tue, 15 Nov 2011 12:35:40 -0500

- Changed in cobbler (Ubuntu): status: Triaged → Fix Released