After a long time of not touching Openacs-4, I just installed it and
have some comments on file permissions. Overall, the documentation is
good to read, I like it.
I added a comment on the AOLServer install
page, but I guess that more
people will see it when I also post it here (this version is longer):
Call me paranoid, but we should not encourage users to install the
aolserver binaries
writable/owned by the aolserver/nsadmin user. If at all possible,
install as
another user (root) and then make sure aolserver can read and write to the
files it needs to. For example, it does not even need read permissions on
the initial tcl file /home/aolserver/<service_name>.tcl,
as this could possibly expose your database password to the someone
who breaks into your server.
The problem is that to start the server listening on port 80, you need
to start it as root. Aolserver will then read the config and drop
priviliges ASAP. If aolserver can write to it's own binary, it can
also replace it. I.e. anyone who hacks aolserver /or/ one of the
OpenACS pages can have root priviliges next time you restart
aolserver. As soon as you someone exploits a page, they can also stop
the server process, triggering immediate restart in most cases. No
local root exploit needed. Not good. Especially because you only need
to move the nsd binary to someplace and then install a simple shell
script that does the nasty stuff (and moves back the nsd binary).
I can probably point out dozens of input validation problems in
vanilla 3.2.5, making this a real threat for that at least. I have as
yet no idea how many of those exist in 4.5 - but you need only one to
get root on a machine.
The general rule is: if root executes it, root MUST own and be
the only one who can write to it. The directory permissions are also
important as anyone with write permission can normally delete any file
in that directory, even those owned by other users.
