Date: Thu, 14 Sep 2023 01:11:46 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 272777] [NEW PORT] www/dasherr: Lightweight dashboard for self-hosted services (and bookmarks)
Message-ID: <bug-272777-7788-MJVmlZsdfN@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-272777-7788@https.bugs.freebsd.org/bugzilla/>
References: <bug-272777-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272777

--- Comment #4 from Robert Clausecker <fuz@FreeBSD.org> ---
Thank you for informing me that other ports suffer from the same mistake.

The problem is as follows: files owned by www are writable by the http daemon (whichever it is). So if there is a bug in the web application, an attacker can very likely use it to modify the web application itself, persisting the attack and possibly establishing a remote shell. Thus, files that don't need to be writable by httpd must not be owned by www! Only give files to www that httpd needs to write. Ports that do this wrong have a possible security issue and should be fixed.

> Of course, I listen to any other recommendations, but I think www is fine.

No, it is not fine. Please also fix your other ports if they make the same mistake.

-- 
You are receiving this mail because:
You are the assignee for the bug.
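
An added example, not part of the original message or of any port: a shell function that lists what the web server account could modify under an installed web application, so that anything outside the directories the application must write stands out. The function name, the allowlist arguments, the world-writable check and the placeholder path are assumptions of this example.

```shell
#!/bin/sh
# Added example. audit_httpd_writable ROOT OWNER [WRITABLE_SUBDIR...]
# Lists everything under ROOT that the account OWNER could modify: entries it
# owns, plus world-writable ones. The subdirectories given after OWNER are the
# places the application is meant to write (an assumed allowlist) and are
# skipped. Returns 0 if nothing is listed, 1 otherwise.
audit_httpd_writable() {
    root=$1
    owner=$2
    shift 2

    # Turn each allowed subdirectory into a "-path ROOT/sub -prune -o" clause.
    n=$#
    for sub in "$@"; do
        set -- "$@" -path "$root/$sub" -prune -o
    done
    shift "$n"

    # Symlinks are skipped: their own mode bits say nothing about the target.
    found=$(find "$root" "$@" \( -user "$owner" -o -perm -0002 \) \
        ! -type l -print)

    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Usage (the path is a placeholder):
#   audit_httpd_writable /path/to/webapp www data
```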