484205 – thttpd: multiple packaging problems

Bug 484205 - thttpd: multiple packaging problems

Summary: thttpd: multiple packaging problems

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	thttpd
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Matthias Saou
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-02-05 12:50 UTC by Tomas Hoger
Modified:	2009-04-29 16:09 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-04-12 15:35:08 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Tomas Hoger 2009-02-05 12:50:39 UTC

Description of problem:
While going a review of thttpd RPM, I've noticed couple of problem in the package.  Review was done on the F10 packages, but all concerns should apply to Rawhide as well.  Here are fairly detailed notes.

- Broken syslogtocern

$ /usr/sbin/syslogtocern /var/log/thttpd.log 
/usr/sbin/syslogtocern: line 56: unexpected EOF while looking for matching ``'
/usr/sbin/syslogtocern: line 68: syntax error: unexpected end of file

Bug was introduced in CVE-2005-3124 patch -- tmp1=``mktemp -t stc1.XXXXXX`

Fix: drop one of the extraneous backticks in front of the mktemp, but it looks
like no-one tried to use the script in 3 years ;).

Additionally, re-diff introduced syslogtocern.orig into diff:
http://cvs.fedoraproject.org/viewvc/rpms/thttpd/devel/thttpd-2.25b-CVE-2005-3124.patch?r1=1.1&r2=1.2#l20

(thttpd-2.25b-fixes.patch seems to have some extraneous .orig files too)


- Extraneous man pages shipped - ssi.8 and redirect.8

Those cgis are built as static (apparently because of the default chrooting),
but removed later in the build process, extract from build.log:

gcc -static  redirect.o -lcrypt  -o redirect
gcc -static  phf.o -lcrypt  -o phf
gcc -static  ssi.o ../match.o -lcrypt  -o ssi


- Odd directory structure:

thttpd/{cgi-bin,html,logs}

Why do package create logs subdirectory, when default logging goes to
/var/log/thttpd.log?

Why there's cgi-bin directory out of the html directory?  Looking into the
thttpd man page, there does not seem to be a way to use cgi-bin directory
located out of the document root.

Additionally, thttpd is configured to run chrooted to html/ directory by
default, so cgi-bin subdirectory of the parent directory is out of reach
anyway.

.spec file explicitly uses CGIBINDIR=%{webroot}/cgi-bin, but CGIBINDIR does not
seem to be used anywhere in the code, only in Makefile install targets.


- Permissions

Default permission on directories and files in /var/www/thttpd is thttpd:www,
with setgit bit set (even on files!).  Why do we default to such permissions?
This way, compromise of thttpd daemon, or any of the CGI scripts can result in
overwrite of any file in the document root.  This does not sound like a safe
default.  Is there any reason good reason why "standard" permissions used in
such case are not used?  (E.g.  apache has all files in /var/www owned by
root:root by default).

PERMISSIONS section of thttpd man page does not seem to suggest this setup
used by Fedora by default.

One exception is html/ directory, that needs to have group www and be
group-writable for makeweb to work.  Even in this case, it may be better to
have html/ root:root 755 by default and note in the readme, that administrators
wanting makeweb to work for unprivileged users should chgrp / chmod the html/
directory manually.  Actually, it may be good to have a define in the .spec
that could be toggled to create RPM with makeweb not installed setgid www
(similar to other _with_* defines).

Default directory structure and permissions should possibly look like:

# ls -ld thttpd
drwxr-xr-x 3 root root 4096 Feb  5 11:09 thttpd

# ls -lR thttpd
thttpd:
total 8
drwxrwxr-x 3 root www 4096 Feb  5 11:26 html

thttpd/html:
total 28
drwxr-xr-x 2 root root 4096 Feb  5 11:26 cgi-bin
-rw-r--r-- 1 root root  729 Oct 22  2007 index.html
lrwxrwxrwx 1 root root   32 Feb  5 10:43 poweredby.png -> /usr/share/pixmaps/poweredby.png
-rw-r--r-- 1 root root 1796 Nov  9  2004 thttpd_powered_3.png

If the default for html is root:root 755 and README is added to explain how to
make makeweb work, cgi-bin directory can possibly be omitted by default as well
and only mentioned in the README.


- Directory indexes

.spec file disables directory indexes by default:
  %{!?_with_indexes: %{__perl} -pi -e 's/#define GENERATE_INDEXES/#undef %GENERATE_INDEXES/g' config.h}

Wouldn't it be better to keep GENERATE_INDEXES enabled by default.  With that
defined, it's possible to disable directory listing via proper directory
permissions (as documented in thttpd.8).  However, there does not seem to be a
way to enable listings without rebuild.

Comment 1 Tomas Hoger 2009-02-05 12:58:22 UTC

Oh, looks like broken syslogtocern was already report few days ago - bug #483733.  Sorry for dupe.

Comment 2 Matthias Saou 2009-02-05 16:21:14 UTC

Impressive list of details!

So I guess you've noticed thttpd doesn't seem much used nowadays. I used it extensively some years ago, which is why I packaged it, but have been using lighttpd instead for quite a long time.

I'll have a look at fixing all this, but probably not right away.

Comment 3 Matthias Saou 2009-04-10 13:03:27 UTC

I think I've taken care of all of these now. Check the -20 package in devel. The one thing left is that the log rotation still does a full restart of the server. This is also linked to the useless "logs" directory : Since the log file is outside of the chroot, thttpd can't reopen it when it receives a HUP signal. This is where the logs directory inside the chroot would have been useful, but I'm afraid we'll run into selinux trouble if that is used now.

I'm thinking of leaving things as they are now. People who want to have HUP working for the log rotation should either disable the chroot or configure the log files to be inside the chroot.

Another minor issue is that the document root has now changed. This might break existing configurations, though I really doubt anyone will be affected given the small number of thttpd users out there.

Let me know if you see anything still wrong.

Comment 4 Matthias Saou 2009-04-12 15:35:08 UTC

I've updated the init script to the new style too. Closing the report now, please reopen if you think any of the issues haven't been taken care of properly.

Comment 5 Tomas Hoger 2009-04-29 16:09:34 UTC

Sorry for not getting to check this earlier...

The changes look good, I believe all issue I've raised were addressed.  Few minor nitpicks:

- I see you have added --with makeweb option, defaulting to no makeweb build / shipped with the package.  When --with makeweb is used for rpmbuild, makeweb is added to rpm as sgid www, but /var/www/thttpd is not www group writeable (which may be a reasonable default in such case).

This is bit hacky, but seems to work.  There may be a cleaner way to do this:

--- rpm/SPECS/thttpd.spec.orig	2009-04-29 17:38:51.000000000 +0200
+++ rpm/SPECS/thttpd.spec	2009-04-29 17:48:15.000000000 +0200
@@ -151,13 +151,15 @@
 %if 0%{?_with_makeweb:1}
 %attr(2755,root,www) %{_sbindir}/makeweb
 %{_mandir}/man1/makeweb.1*
+%attr(0775,root,www) %{webroot}
 %else
 %exclude %{_sbindir}/makeweb
 %exclude %{_mandir}/man1/makeweb.1*
+%{webroot}
 %endif
+%attr(0644,root,root) %{webroot}/*
 %{_sbindir}/syslogtocern
 %{_sbindir}/thttpd
-%{webroot}/
 %{_mandir}/man1/thtpasswd.1*
 %{_mandir}/man8/syslogtocern.8*
 %{_mandir}/man8/thttpd.8*

- As thttpd runs chrooted by default, default index.html generates lots of 500s because of poweredby.png being symlink to file out of the chroot.  This is only a default page, not a big issue, and workarounds I can quickly think of are rather hacky.

Note You need to log in before you can comment on or make changes to this bug.