Description of problem: While going a review of thttpd RPM, I've noticed couple of problem in the package. Review was done on the F10 packages, but all concerns should apply to Rawhide as well. Here are fairly detailed notes. - Broken syslogtocern $ /usr/sbin/syslogtocern /var/log/thttpd.log /usr/sbin/syslogtocern: line 56: unexpected EOF while looking for matching ``' /usr/sbin/syslogtocern: line 68: syntax error: unexpected end of file Bug was introduced in CVE-2005-3124 patch -- tmp1=``mktemp -t stc1.XXXXXX` Fix: drop one of the extraneous backticks in front of the mktemp, but it looks like no-one tried to use the script in 3 years ;). Additionally, re-diff introduced syslogtocern.orig into diff: http://cvs.fedoraproject.org/viewvc/rpms/thttpd/devel/thttpd-2.25b-CVE-2005-3124.patch?r1=1.1&r2=1.2#l20 (thttpd-2.25b-fixes.patch seems to have some extraneous .orig files too) - Extraneous man pages shipped - ssi.8 and redirect.8 Those cgis are built as static (apparently because of the default chrooting), but removed later in the build process, extract from build.log: gcc -static redirect.o -lcrypt -o redirect gcc -static phf.o -lcrypt -o phf gcc -static ssi.o ../match.o -lcrypt -o ssi - Odd directory structure: thttpd/{cgi-bin,html,logs} Why do package create logs subdirectory, when default logging goes to /var/log/thttpd.log? Why there's cgi-bin directory out of the html directory? Looking into the thttpd man page, there does not seem to be a way to use cgi-bin directory located out of the document root. Additionally, thttpd is configured to run chrooted to html/ directory by default, so cgi-bin subdirectory of the parent directory is out of reach anyway. .spec file explicitly uses CGIBINDIR=%{webroot}/cgi-bin, but CGIBINDIR does not seem to be used anywhere in the code, only in Makefile install targets. - Permissions Default permission on directories and files in /var/www/thttpd is thttpd:www, with setgit bit set (even on files!). Why do we default to such permissions? This way, compromise of thttpd daemon, or any of the CGI scripts can result in overwrite of any file in the document root. This does not sound like a safe default. Is there any reason good reason why "standard" permissions used in such case are not used? (E.g. apache has all files in /var/www owned by root:root by default). PERMISSIONS section of thttpd man page does not seem to suggest this setup used by Fedora by default. One exception is html/ directory, that needs to have group www and be group-writable for makeweb to work. Even in this case, it may be better to have html/ root:root 755 by default and note in the readme, that administrators wanting makeweb to work for unprivileged users should chgrp / chmod the html/ directory manually. Actually, it may be good to have a define in the .spec that could be toggled to create RPM with makeweb not installed setgid www (similar to other _with_* defines). Default directory structure and permissions should possibly look like: # ls -ld thttpd drwxr-xr-x 3 root root 4096 Feb 5 11:09 thttpd # ls -lR thttpd thttpd: total 8 drwxrwxr-x 3 root www 4096 Feb 5 11:26 html thttpd/html: total 28 drwxr-xr-x 2 root root 4096 Feb 5 11:26 cgi-bin -rw-r--r-- 1 root root 729 Oct 22 2007 index.html lrwxrwxrwx 1 root root 32 Feb 5 10:43 poweredby.png -> /usr/share/pixmaps/poweredby.png -rw-r--r-- 1 root root 1796 Nov 9 2004 thttpd_powered_3.png If the default for html is root:root 755 and README is added to explain how to make makeweb work, cgi-bin directory can possibly be omitted by default as well and only mentioned in the README. - Directory indexes .spec file disables directory indexes by default: %{!?_with_indexes: %{__perl} -pi -e 's/#define GENERATE_INDEXES/#undef %GENERATE_INDEXES/g' config.h} Wouldn't it be better to keep GENERATE_INDEXES enabled by default. With that defined, it's possible to disable directory listing via proper directory permissions (as documented in thttpd.8). However, there does not seem to be a way to enable listings without rebuild.
Oh, looks like broken syslogtocern was already report few days ago - bug #483733. Sorry for dupe.
Impressive list of details! So I guess you've noticed thttpd doesn't seem much used nowadays. I used it extensively some years ago, which is why I packaged it, but have been using lighttpd instead for quite a long time. I'll have a look at fixing all this, but probably not right away.
I think I've taken care of all of these now. Check the -20 package in devel. The one thing left is that the log rotation still does a full restart of the server. This is also linked to the useless "logs" directory : Since the log file is outside of the chroot, thttpd can't reopen it when it receives a HUP signal. This is where the logs directory inside the chroot would have been useful, but I'm afraid we'll run into selinux trouble if that is used now. I'm thinking of leaving things as they are now. People who want to have HUP working for the log rotation should either disable the chroot or configure the log files to be inside the chroot. Another minor issue is that the document root has now changed. This might break existing configurations, though I really doubt anyone will be affected given the small number of thttpd users out there. Let me know if you see anything still wrong.
I've updated the init script to the new style too. Closing the report now, please reopen if you think any of the issues haven't been taken care of properly.
Sorry for not getting to check this earlier... The changes look good, I believe all issue I've raised were addressed. Few minor nitpicks: - I see you have added --with makeweb option, defaulting to no makeweb build / shipped with the package. When --with makeweb is used for rpmbuild, makeweb is added to rpm as sgid www, but /var/www/thttpd is not www group writeable (which may be a reasonable default in such case). This is bit hacky, but seems to work. There may be a cleaner way to do this: --- rpm/SPECS/thttpd.spec.orig 2009-04-29 17:38:51.000000000 +0200 +++ rpm/SPECS/thttpd.spec 2009-04-29 17:48:15.000000000 +0200 @@ -151,13 +151,15 @@ %if 0%{?_with_makeweb:1} %attr(2755,root,www) %{_sbindir}/makeweb %{_mandir}/man1/makeweb.1* +%attr(0775,root,www) %{webroot} %else %exclude %{_sbindir}/makeweb %exclude %{_mandir}/man1/makeweb.1* +%{webroot} %endif +%attr(0644,root,root) %{webroot}/* %{_sbindir}/syslogtocern %{_sbindir}/thttpd -%{webroot}/ %{_mandir}/man1/thtpasswd.1* %{_mandir}/man8/syslogtocern.8* %{_mandir}/man8/thttpd.8* - As thttpd runs chrooted by default, default index.html generates lots of 500s because of poweredby.png being symlink to file out of the chroot. This is only a default page, not a big issue, and workarounds I can quickly think of are rather hacky.