
Opened 17 years ago

Closed 17 years ago

#4876 closed defect (wontfix)

htpasswd file: full pathname allowed

Reported by: m.verwijs@…
Owned by: Christopher Lenz
Priority: normal
Milestone:
Component: admin/web
Version: 0.10.3
Severity: major
Keywords: path write access security
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Tim Hatch)

All my trac instances are in one folder:

/folder/trac/instance1
/folder/trac/instance2

The apache-user has write access on both folders.

From within TracWebAdmin, I can give the full pathname of the passwd-file (_filename).

This means I can write to /folder/trac/instance2 whilst being logged in on http://domainname.ext/trac/instance1, giving me access to a project I am not supposed to have access to.

Am I missing something?

Regards,

— mverwijs
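The defence the report is asking for is path confinement: a password-file setting entered through a web admin page must resolve to somewhere inside the instance's own directory. This is an added example, not Trac's or any plugin's code; the function names are mine and the directory layout from the description is used as constructed sample input.

```python
import os


def confine_to_env(env_dir: str, requested: str) -> str:
    """Resolve `requested` against the Trac environment directory and
    return the absolute path, or raise ValueError if it escapes env_dir.

    Relative values are joined to env_dir; absolute values are accepted
    only when they already lie inside env_dir. realpath follows symlinks
    (for a path that does not exist it simply normalises), so a link
    planted inside the environment cannot redirect writes elsewhere.
    """
    base = os.path.realpath(env_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole path components, which avoids the classic
    # string-prefix bug: "/folder/trac/instance1" is a prefix of
    # "/folder/trac/instance10" but not its parent directory.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{requested!r} resolves outside {base}")
    return candidate


def is_confined(env_dir: str, requested: str) -> bool:
    """True if a setting value stays within the environment directory."""
    try:
        confine_to_env(env_dir, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs mirroring the layout in the ticket description:
    # an admin of instance1 must not be able to point at instance2's file.
    env = "/folder/trac/instance1"
    for value in (".htpasswd",
                  "conf/../.htpasswd",
                  "../instance2/.htpasswd",
                  "/folder/trac/instance2/.htpasswd",
                  "/folder/trac/instance10/.htpasswd"):
        verdict = "ok     " if is_confined(env, value) else "REJECT "
        print(verdict, value)
```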

Attachments (0)

Change History (3)

comment:1 by m.verwijs@…, 17 years ago

Summary: htpasswd: full pathname allowed → htpasswd file: full pathname allowed

comment:2 by Tim Hatch, 17 years ago

Description: modified (diff)

I don't know that you're missing anything, but shouldn't you generally trust people you give TRAC_ADMIN to? You can always use another way of running Trac (say tracd behind mod_proxy) so each project will run as a different user.

comment:3 by Christian Boos, 17 years ago

Resolution: wontfix
Status: new → closed

Also, in the base WebAdmin functionality, there's no such thing as setting/writing to a password file, so you must actually be referring to some plugin…
