Ticket #1336 (new defect)

Opened 12 months ago

server.username & server.groupname

Reported by: daniel.kauffman@…
Owned by: jan
Priority: normal
Milestone:
Component: core
Version: 1.4.13
Severity: normal
Keywords: server.groupname server.username security
Cc:
Blocked By:
Need User Feedback: no
Blocking:

Description

Currently, server.username sets only the user and server.groupname sets only the group.

This means that if lighttpd is started as root, both server.username and server.groupname must be specified in order for lighttpd to drop privileges.

It also means that there is no facility to set a group list.

I propose updating the server.username and server.groupname logic as follows:

    if server.groupname is set {
        setgroups( to specified group )
        setgid( to specified group )
    } elseif server.username is set {
        setgroups( to group list for specified user )
        setgid( to group for specified user )
    }
    if server.username is set {
        setuid( to specified user )
    }

I am willing to write a patch if the logic is agreeable.
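The logic proposed above, sketched in C as an added example; it is not part of the ticket and not lighttpd code. `struct drop_plan`, `plan_drop` and `apply_drop` are hypothetical names, `initgroups()` is assumed as the libc call that loads "the group list for the specified user", and the final check that root cannot be regained is an addition the ticket does not mention.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE  /* exposes setgroups()/initgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum grp_mode { GRP_KEEP, GRP_ONLY_GID, GRP_USER_LIST };
struct drop_plan {  /* hypothetical type, not a lighttpd structure */
    enum grp_mode mode; gid_t gid; int set_uid; uid_t uid; const char *user;
};

/* pw / gr: resolved server.username / server.groupname entries, NULL if unset. */
struct drop_plan plan_drop(const struct passwd *pw, const struct group *gr) {
    struct drop_plan p = { GRP_KEEP, 0, 0, 0, NULL };
    if (gr) {            /* groupname set: exactly that group, nothing else */
        p.mode = GRP_ONLY_GID; p.gid = gr->gr_gid;
    } else if (pw) {     /* username only: the user's primary + supplementary groups */
        p.mode = GRP_USER_LIST; p.gid = pw->pw_gid;
    }
    if (pw) { p.set_uid = 1; p.uid = pw->pw_uid; p.user = pw->pw_name; }
    return p;
}

/* Groups first, uid last: once setuid() has dropped root, the group calls fail. */
int apply_drop(const struct drop_plan *p) {
    if (p->mode == GRP_ONLY_GID && setgroups(1, &p->gid) != 0) return -1;
    if (p->mode == GRP_USER_LIST && initgroups(p->user, p->gid) != 0) return -1;
    if (p->mode != GRP_KEEP && setgid(p->gid) != 0) return -1;
    if (p->set_uid) {
        if (setuid(p->uid) != 0) return -1;
        /* Added check: a non-root target must not be able to regain root. */
        if (p->uid != 0 && setuid(0) == 0) return -1;
    }
    return 0;
}

int main(void) {
    struct passwd pw = {0};  /* constructed sample entry, not a real lookup */
    pw.pw_name = (char *)"www-data"; pw.pw_uid = 33; pw.pw_gid = 33;
    struct drop_plan p = plan_drop(&pw, NULL);  /* server.username only */
    printf("mode=%d gid=%d uid=%d\n", (int)p.mode, (int)p.gid, (int)p.uid);
    return 0;  /* apply_drop(&p) is left out here because it needs root */
}
```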

Attachments

RS5.jpg (26.6 kB) - added by i5tech 5 months ago.
administrator
1202976322_123.jpg (34.6 kB) - added by anonymous 5 months ago.

Change History

Changed 5 months ago by i5tech

administrator

Changed 5 months ago by anonymous
