a somewhat odd configuration in cobbler.wsgi
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cobbler | New | Unknown | |
cobbler (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
I find it rather odd that in /usr/share/
the following is set -->
os.environ[
which probably isn't a good idea, however I am not exactly sure on the impact of it (at this point). It seems that the PYTHON_EGG_CACHE is the location where any eggs that cobbler might use would be unpacked. As cobblerd runs as root, if a local user (I haven't verified this, it just seems easier to fix this bug...) it might be possible for them to place their own python modules (which would be read as they are from the 'cache') and gain root privileges.
Note: I installed cobbler as a result of installing ubuntu-orchestra. (cobbler version: 2.1.0+git201106
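An added audit check, not part of this report or of cobbler itself, for the situation the description worries about: it flags an egg cache that the process owner does not control (world- or group-writable, owned by someone else, or missing) and shows the hardened alternative, a per-service directory with mode 0700. The directory names in `demo()` are constructed for the illustration.

```python
import os
import stat
import tempfile

def assess_egg_cache(mode, owner_uid, expected_uid):
    """List the problems with an egg-cache directory, given its st_mode, its
    st_uid and the uid the WSGI process or cobblerd runs as. Extracted eggs are
    imported as code, so anyone who can write to the cache can have that user run
    their code; a sticky bit (as on /tmp) does not change that."""
    problems = []
    if not stat.S_ISDIR(mode):
        problems.append("not a directory")
    if owner_uid != expected_uid:
        problems.append("owned by uid %d, expected %d" % (owner_uid, expected_uid))
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    return problems

def check_egg_cache(path, expected_uid=None):
    """stat() the configured cache directory and assess it for the current euid."""
    if expected_uid is None:
        expected_uid = os.geteuid()
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["does not exist"]
    return assess_egg_cache(st.st_mode, st.st_uid, expected_uid)

def make_private_egg_cache(path):
    """Create a service-private cache (mode 0700) and point PYTHON_EGG_CACHE at it."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)  # makedirs honours the umask, so re-apply the mode
    os.environ["PYTHON_EGG_CACHE"] = path
    return path

def demo():
    """Constructed comparison: a /tmp-style shared directory versus a private one."""
    base = tempfile.mkdtemp()
    shared = os.path.join(base, "shared-eggs")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)  # world-writable with sticky bit, like /tmp
    private = make_private_egg_cache(os.path.join(base, "cobbler-eggs"))
    return check_egg_cache(shared), check_egg_cache(private)

if __name__ == "__main__":
    print(demo())  # (['world-writable', 'group-writable'], [])
```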
Related branches
- Chuck Short: Pending requested
- Andres Rodriguez: Pending requested

Diff: 164 lines (+56/-5), 11 files modified
- .pc/58_fix_egg_cache.patch/web/cobbler.wsgi (+10/-0)
- .pc/applied-patches (+1/-0)
- debian/changelog (+16/-0)
- debian/cobbler-common.install (+0/-1)
- debian/cobbler-web.dirs (+1/-0)
- debian/cobbler-web.postinst (+3/-0)
- debian/cobbler.postinst (+1/-0)
- debian/control (+3/-3)
- debian/patches/58_fix_egg_cache.patch (+19/-0)
- debian/patches/series (+1/-0)
- web/cobbler.wsgi (+1/-1)
- visibility: private → public
- Changed in cobbler (Ubuntu): importance: Undecided → High
- Changed in cobbler (Ubuntu): status: New → Triaged
- Changed in cobbler: status: Unknown → New
http://code.google.com/p/modwsgi/wiki/ApplicationIssues
"Note that you should refrain from ever using directories or files which have been made writable to anyone as this could compromise security. Also be aware that if hosting multiple applications under the same web server, they will all run as the same user and so it will be possible for each to both see and modify each others files. If this is an issue, you should host the applications on different web servers running as different users or on different systems. Alternatively, any data required or updated by the application should be hosted in a database with separate accounts for each application."
This file comes from upstream, so I forwarded the bug there as well.