Phusion Passenger is running as root, and part(s) of the Passenger root path can be changed by non-root user(s) - PullRequest
0 votes
/ July 5, 2018
[Thu Jul 05 07:58:30.268108 2018] [core:warn] [pid 7157] AH00117: Ignoring deprecated use of DefaultType in line 111 of /usr/local/apache/conf/httpd.conf.
[Thu Jul 05 07:58:30.268302 2018] [alias:warn] [pid 7157] AH00671: The Alias directive in /usr/local/apache/conf/httpd.conf at line 318 will probably never match because it overlaps an earlier Alias.
[Thu Jul 05 07:58:30.270866 2018] [:notice] [pid 7157] HiveEXEC mechanism enabled (wrapper: /usr/local/1h/sbin/hive_exec)
[Thu Jul 05 07:58:30.276835 2018] [:notice] [pid 28647] FastCGI: process manager initialized (pid 28647)
[ N 2018-07-05 07:58:30.2928 28649/T1 age/Wat/WatchdogMain.cpp:1297 ]: Starting Passenger watchdog...
[ N 2018-07-05 07:58:30.3078 28652/T1 age/Cor/CoreMain.cpp:1202 ]: Starting Passenger core...
[ N 2018-07-05 07:58:30.3079 28652/T1 age/Cor/CoreMain.cpp:252 ]: Passenger core running in multi-application mode.
[ W 2018-07-05 07:58:30.3242 28652/T1 age/Cor/CoreMain.cpp:929 ]: **WARNING: potential privilege escalation vulnerability detected. Phusion Passenger is running as root, and part(s) of the Passenger root path (/usr/local/rvm/gems/ruby-2.4.1@myspace_new/gems/passenger-5.3.2) can be changed by non-root user(s):**

 - /usr/local/rvm/gems/ruby-2.4.1@myspace_new/gems is not secure: it can be modified by group rvm
 - /usr/local/rvm/gems is not secure: it can be modified by group rvm

Please either fix up the permissions for the insecure paths, or install Passenger in a different location that can only be modified by root.

[ N 2018-07-05 07:58:30.3242 28652/T1 age/Cor/CoreMain.cpp:937 ]: Passenger core online, PID 28652
[Thu Jul 05 07:58:30.327114 2018] [mpm_prefork:notice] [pid 7157] AH00163: Apache/2.4.29 (Unix) mod_hive/6.6 OpenSSL/1.0.1e-fips mod_fastcgi/2.4.6 Phusion_Passenger/5.3.2 configured -- resuming normal operations
[Thu Jul 05 07:58:30.327141 2018] [core:notice] [pid 7157] AH00094: Command line: '/usr/local/apache/bin/httpd -D SSL'
[ N 2018-07-05 07:58:30.5457 27311/T1 age/Cor/CoreMain.cpp:1187 ]: **Passenger core shutdown finished**
...
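
The warning in the log can be reproduced outside Passenger by walking from the Passenger root path up to `/` and reporting every directory that a non-root account could modify. The script below is an added example, not part of the original post and not Passenger's own code; it approximates the check with plain owner and mode bits (no ACLs), and the names `insecure_components` and `trusted_uid` are assumptions made for illustration.

```python
import grp
import os
import pwd
import stat


def _name(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the number."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)


def insecure_components(path, trusted_uid=0):
    """Return [(directory, reason)] for every directory from `path` up to /
    that an account other than `trusted_uid` could modify."""
    findings = []
    current = os.path.realpath(path)  # judge the real directories, not symlinks
    while True:
        st = os.stat(current)
        if st.st_uid != trusted_uid:
            findings.append((current, "owned by user " + _name(pwd.getpwuid, st.st_uid)))
        if st.st_mode & stat.S_IWGRP:
            findings.append((current, "writable by group " + _name(grp.getgrgid, st.st_gid)))
        # World-writable is flagged even with the sticky bit set (e.g. /tmp):
        # anyone can still create new entries there.
        if st.st_mode & stat.S_IWOTH:
            findings.append((current, "writable by everybody"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings


if __name__ == "__main__":
    # Passenger root path taken from the warning in the log above.
    root = "/usr/local/rvm/gems/ruby-2.4.1@myspace_new/gems/passenger-5.3.2"
    if os.path.isdir(root):
        for directory, reason in insecure_components(root):
            print(f" - {directory} is not secure: {reason}")
```

An empty result after tightening the permissions on the reported directories (or after installing Passenger under a root-only location) means every component of the path is owned by root and writable only by its owner.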