Opened 17 years ago
Last modified 17 years ago
#4876 closed defect
htpasswd file: full pathname allowed — at Version 2
| Reported by: | Owned by: | Christopher Lenz | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | admin/web | Version: | 0.10.3 |
| Severity: | major | Keywords: | path write access security |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description (last modified by )
All my trac instances are in one folder:
/folder/trac/instance1 /folder/trac/instance2
The apache-user has write access on both folders.
From within TracWebAdmin, I can give the full pathname of the passwd-file (_filename).
This means I can write to /folder/trac/instance2 whilst being logged in on http://domainname.ext/trac/instance1, giving me access to a project I am not supposed to have access on.
Am I missing something?
Regards,
— mverwijs
Change History (2)
comment:1 by , 17 years ago
| Summary: | htpasswd: full pathname allowedR → htpasswd file: full pathname allowed |
|---|
comment:2 by , 17 years ago
| Description: | modified (diff) |
|---|
Note:
See TracTickets
for help on using tickets.
I don't know that you're missing anything, but shouldn't you generally trust people you give TRAC_ADMIN to? You can always use another way of running Trac, (say tracd behind mod_proxy) so each project will run as a different user.