Opened 18 years ago
Closed 18 years ago
#4876 closed defect (wontfix)
htpasswd file: full pathname allowed
Reported by: | | Owned by: | Christopher Lenz
---|---|---|---
Priority: | normal | Milestone: |
Component: | admin/web | Version: | 0.10.3
Severity: | major | Keywords: | path write access security
Cc: | | Branch: |
Release Notes: | | |
API Changes: | | |
Internal Changes: | | |
Description (last modified by )
All my trac instances are in one folder:

    /folder/trac/instance1
    /folder/trac/instance2

The Apache user has write access to both folders.
From within TracWebAdmin, I can give the full pathname of the passwd-file (_filename).
This means I can write to /folder/trac/instance2 whilst being logged in on http://domainname.ext/trac/instance1, giving me access to a project I am not supposed to have access to.
Am I missing something?
Regards,
— mverwijs
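The report above describes an administrator-supplied path that is written to without being confined to the instance it was set from. As an added example (not part of this ticket, of Trac, or of the plugin the reporter is using), the check below shows how a plugin could confine such a path to its own environment directory before writing. The names `confine_to_env`, `PathOutsideEnvironment` and `is_allowed` are invented for this illustration, the convention that a relative path is resolved against the environment directory is assumed, and the instance directories and htpasswd contents it creates are constructed sample data. It goes slightly beyond the sibling-directory case in the report: it also rejects `..` traversal, a string-prefix lookalike (`instance10` against `instance1`) and a symlink placed inside the environment that points out of it.

```python
"""Confine an administrator-supplied file path to one Trac environment.

Added example, not Trac's own code. The helper names are hypothetical;
a plugin would call confine_to_env() before writing to the configured
password file.
"""
import os
import tempfile


class PathOutsideEnvironment(ValueError):
    """The configured path resolves to a location outside the environment."""


def confine_to_env(env_dir: str, configured: str) -> str:
    """Return the resolved absolute path of `configured`, or raise if it
    lies outside `env_dir`.

    Relative paths are taken relative to the environment directory (an
    assumed convention). Symlinks are resolved before the containment check,
    so a link placed inside the environment cannot redirect writes elsewhere.
    """
    env_real = os.path.realpath(env_dir)
    if not os.path.isabs(configured):
        configured = os.path.join(env_dir, configured)
    target = os.path.realpath(configured)
    # commonpath, not str.startswith: "/x/instance1" is a string prefix of
    # "/x/instance10/htpasswd" but not a parent directory of it.
    if os.path.commonpath([env_real, target]) != env_real:
        raise PathOutsideEnvironment(
            "%r resolves to %r, outside %r" % (configured, target, env_real))
    return target


def is_allowed(env_dir: str, configured: str) -> bool:
    """Boolean form of confine_to_env, convenient for policy checks."""
    try:
        confine_to_env(env_dir, configured)
    except PathOutsideEnvironment:
        return False
    return True


def symlink_escape_demo() -> dict:
    """Build two constructed instance directories under a temporary root and
    report how the check treats the instance's own file, a sibling instance's
    file, a '..' traversal and a symlink pointing out of the environment."""
    with tempfile.TemporaryDirectory() as root:
        inst1 = os.path.join(root, "instance1")
        inst2 = os.path.join(root, "instance2")
        for inst in (inst1, inst2):
            os.makedirs(os.path.join(inst, "conf"))
            with open(os.path.join(inst, "conf", "htpasswd"), "w") as fh:
                # Constructed sample line; not a real credential.
                fh.write("admin:$apr1$constructed$placeholderhash\n")
        # A symlink inside instance1 that points at instance2's password file.
        link = os.path.join(inst1, "conf", "htpasswd.link")
        os.symlink(os.path.join(inst2, "conf", "htpasswd"), link)
        return {
            "own_file": is_allowed(inst1, "conf/htpasswd"),
            "sibling_absolute": is_allowed(inst1, os.path.join(inst2, "conf", "htpasswd")),
            "dotdot_traversal": is_allowed(inst1, "../instance2/conf/htpasswd"),
            "symlink_out": is_allowed(inst1, "conf/htpasswd.link"),
        }


if __name__ == "__main__":
    for name, ok in symlink_escape_demo().items():
        print("%-18s %s" % (name, "allowed" if ok else "rejected"))
```

Only `own_file` is allowed; the other three are rejected. The check is a code-level mitigation for the case described here; it does not replace the per-project process isolation suggested later in the ticket, since a path check cannot stop a process that already has write access to every instance from being abused through some other setting.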
Attachments (0)
Change History (3)
comment:1 by , 18 years ago
Summary: htpasswd: full pathname allowedR → htpasswd file: full pathname allowed
comment:2 by , 18 years ago
Description: modified (diff)
comment:3 by , 18 years ago
Resolution: → wontfix
Status: new → closed
I don't know that you're missing anything, but shouldn't you generally trust people you give TRAC_ADMIN to? You can always use another way of running Trac (say tracd behind mod_proxy) so each project will run as a different user.
Also, in the base WebAdmin functionality there's no such thing as setting/writing to a password file, so you must actually be referring to some plugin…