Ticket #4876 (closed defect: wontfix)
Opened 5 years ago
Last modified 5 years ago
htpasswd file: full pathname allowed
| Reported by: | m.verwijs@… | Owned by: | cmlenz |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | admin/web | Version: | 0.10.3 |
| Severity: | major | Keywords: | path write access security |
| Cc: | |||
| Release Notes: | |||
| API Changes: | |||
Description (last modified by thatch) (diff)
All my trac instances are in one folder:
/folder/trac/instance1
/folder/trac/instance2
The apache-user has write access on both folders.
From within TracWebAdmin, I can give the full pathname of the passwd-file (_filename).
This means I can write to /folder/trac/instance2 whilst being logged in on http://domainname.ext/trac/instance1, giving me access to a project I am not supposed to have access on.
Am I missing something?
Regards,
--
mverwijs
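The problem the reporter describes is a configuration value (the password file path) that is accepted verbatim, so a TRAC_ADMIN on one instance can point it at a file under another instance's directory. The usual mitigation on the plugin side is to resolve the configured path and refuse anything that does not stay inside the instance's own environment directory. The following is an added example of such a check, written for this ticket and not code from Trac, WebAdmin or any account-manager plugin; the function names `resolve_within` and `is_within` and the sample paths are constructed for illustration.

```python
import os


def resolve_within(env_dir: str, configured_path: str) -> str:
    """Return the absolute path for configured_path if it lies inside env_dir.

    Relative values are interpreted relative to env_dir (as Trac does for
    files under the environment). Symlinks are resolved before comparing, so
    a link that escapes the environment is rejected as well. Raises
    ValueError when the path would land outside env_dir.
    (Hypothetical helper written for this example.)
    """
    base = os.path.realpath(env_dir)
    # os.path.join discards base when configured_path is absolute, which is
    # exactly the case from the ticket (/folder/trac/instance2/...).
    candidate = os.path.realpath(os.path.join(base, configured_path))
    try:
        common = os.path.commonpath([base, candidate])
    except ValueError:
        # Different drives on Windows: cannot share a prefix, so reject.
        raise ValueError("%r is outside the environment %r" % (configured_path, env_dir))
    # Compare path components, not string prefixes: a plain startswith()
    # check would wrongly accept /folder/trac/instance10 for instance1.
    if common != base:
        raise ValueError("%r is outside the environment %r" % (configured_path, env_dir))
    return candidate


def is_within(env_dir: str, configured_path: str) -> bool:
    """Boolean form of resolve_within for use in a settings validator."""
    try:
        resolve_within(env_dir, configured_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values mirroring the layout in the ticket.
    env = "/folder/trac/instance1"
    for value in ("conf/htpasswd",
                  "/folder/trac/instance1/conf/htpasswd",
                  "/folder/trac/instance2/conf/htpasswd",
                  "../instance2/conf/htpasswd",
                  "/folder/trac/instance10/conf/htpasswd"):
        print("%-45s %s" % (value, "allowed" if is_within(env, value) else "REJECTED"))
```

A validator like this only limits where the file may live; whether the web server's user should have write access to every instance's directory at all is a separate deployment decision, which is the point the ticket's resolution makes.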
Change History
comment:1 Changed 5 years ago by m.verwijs@…
- Summary changed from htpasswd: full pathname allowedR to htpasswd file: full pathname allowed
comment:2 Changed 5 years ago by thatch
- Description modified (diff)
comment:3 Changed 5 years ago by cboos
- Resolution set to wontfix
- Status changed from new to closed
I don't know that you're missing anything, but shouldn't you generally trust people you give TRAC_ADMIN to? You can always use another way of running Trac, (say tracd behind mod_proxy) so each project will run as a different user.

Also, in the base WebAdmin functionality, there's no such thing like setting/writing to a password file, so you must be actually referring to some plugin...