[Bug 272777] [NEW PORT] www/dasherr: Lightweight dashboard for self-hosted services (and bookmarks)

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 14 Sep 2023 01:11:46 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272777

--- Comment #4 from Robert Clausecker <fuz@FreeBSD.org> ---
Thank you for informing me that other ports suffer from the same mistake.

The problem is as follows: files owned by www are writable by the http daemon
(whichever it is).  So if there is a bug in the web application, an attacker
can very likely use it to modify the web application itself, persisting the
attack and possibly establishing a remote shell.  Thus, files that don't need
to be writable by httpd must not be owned by www!  Only give files to www that
httpd needs to write.  Ports that do this wrong have a possible security issue
and should be fixed.

> Of course, I listen to any other recommendations, but I think www is fine.

No, it is not fine.  Please also fix your other ports if they make the same
mistake.

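As an added example (not code from this bug report or from the dasherr port), here is a small audit of a FreeBSD pkg-plist against the rule stated in the comment above: every path that falls under an `@owner www` directive and is not in an allow-list of directories httpd must actually write gets flagged. The sample plist and the allow-list are constructed for this example; the `@owner` semantics (applies to all following entries until a bare `@owner` resets it) follow pkg-plist(8).

```python
# Audit a pkg-plist for files handed to the www user.  Example code, not
# part of the dasherr port; sample plist and allow-list are constructed.

# Constructed plist: the port mistakenly puts the whole tree under www,
# so the web application's own code would be writable by httpd.
SAMPLE_PLIST = """\
@owner www
@group www
%%WWWDIR%%/index.php
%%WWWDIR%%/config.php
%%WWWDIR%%/assets/app.js
@dir %%WWWDIR%%/data
@dir %%WWWDIR%%/cache
@owner
@group
%%WWWDIR%%/README.md
"""

# Paths httpd legitimately needs to write (assumed for this example).
WRITABLE_PREFIXES = ("%%WWWDIR%%/data", "%%WWWDIR%%/cache")


def www_owned_entries(plist_text):
    """Return (path, is_dir) for every entry in effect under @owner www."""
    owner = None          # None means the default owner (root)
    entries = []
    for raw in plist_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@owner"):
            parts = line.split(None, 1)
            # "@owner www" sets the owner; a bare "@owner" resets it
            owner = parts[1].strip() if len(parts) == 2 else None
            continue
        if line.startswith("@") and not line.startswith("@dir"):
            continue      # @group, @mode, ... don't change ownership here
        is_dir = line.startswith("@dir")
        path = line.split(None, 1)[1].strip() if is_dir else line
        if owner == "www":
            entries.append((path, is_dir))
    return entries


def audit(plist_text, writable_prefixes=WRITABLE_PREFIXES):
    """Return www-owned paths that httpd has no business writing."""
    return [p for p, _ in www_owned_entries(plist_text)
            if not p.startswith(writable_prefixes)]
```

Anything `audit()` reports should lose its `@owner www` in the plist; only the data and cache directories keep it.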