Description of problem:
privoxy is only executable for the user privoxy.

Version-Release number of selected component (if applicable):
privoxy-3.0.16-6.fc17

How reproducible:
always

Steps to Reproduce:
1. privoxy --help

Actual results:
The shell complains that /usr/sbin/privoxy is not executable.

Expected results:
privoxy should show its help.

Additional info:
ls -la /usr/sbin/privoxy shows that it is owned by privoxy:privoxy with permissions rwxr--r-- instead of rwxr-xr-x, but it is also unclear why it is owned by the user privoxy. This might be a bug as well.
ping
Missed this somehow, will look into it today.
I've got an update to 3.0.19 ready, and I've looked over the spec and the upstream docs, and all I can see is references to running it a) as a service and b) as a non-root user. Can you outline the use case for running it as an arbitrary unprivileged user from the shell? There may be one I've not thought of. Multiple instances, maybe, but that could be implemented with multiple customized systemd unit files.
(In reply to comment #3)
> I've got an update to 3.0.19 ready, and I've looked over the spec and the
> upstream docs, and all I can see is references to running it a) as a service
> and b) as a non-root user. Can you outline the use case for running it as
> an arbitrary unprivileged user from the shell? There may be one I've not
> thought of. Multiple instances, maybe, but that could be implemented with
> multiple customized systemd unit files.

I sometimes start it by hand with a local config file to "convert" an SSH created socks proxy to an http proxy.
Sounds useful. I'll keep it owned by the privoxy user, but I'll go from 744 to 755.
privoxy-3.0.19-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/privoxy-3.0.19-1.fc18
privoxy-3.0.16-6.1.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/privoxy-3.0.16-6.1.fc17
(In reply to comment #5)
> Sounds useful. I'll keep it owned by the privoxy user, but I'll go from 744
> to 755.

Thank you. But why do you want to keep it owned by privoxy instead of root? Afaics this only weakens security, as this allows the privoxy service, if it is compromised, to modify a binary that might be in the path of other users and be used by them.
If the service is compromised, it will be contained to the privoxy user. If it runs as root, it gets the whole system.
(In reply to comment #9)
> If the service is compromised, it will be contained to the privoxy user. If
> it runs as root, it gets the whole system.

The service can still run as privoxy without the binary being owned by the privoxy user. The user privoxy is run as seems to be configured in the init script.
Ah, I see what you mean, in part. It might be unnecessary, but I still don't see how that ownership is actively harmful.
(In reply to comment #11)
> Ah, I see what you mean, in part. It might be unnecessary, but I still
> don't see how that ownership is actively harmful.

If the service is compromised when it is running as privoxy, /usr/sbin/privoxy (and /etc/privoxy/ as I just saw) can be modified, which for example makes it possible to manifest the infection for the future. Also, if a different user runs /usr/sbin/privoxy after malicious modification, the user's account is also compromised.

Regarding /etc/privoxy being writable by the privoxy user: when the service is compromised, this makes it possible to persistently modify the configuration of privoxy. Here it would also be better to have the files owned by root and only readable by privoxy.
Gotcha, that makes perfect sense. I'll correct that.
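The ownership concern discussed above can be checked mechanically. The following is an added example, not part of the original bug report or the Fedora package: a shell function (hypothetical name `audit_svc_writable`) that walks the given paths and reports anything the service account could modify. It assumes GNU `find` and `stat`.

```shell
#!/bin/sh
# Added example (not from the bug report): list every file or directory under
# the given paths that a service account could modify, which is the condition
# raised in the discussion for /usr/sbin/privoxy and /etc/privoxy.
# Assumes GNU find/stat (as on Fedora); file names containing newlines are
# not handled. The function name is hypothetical.
#
# Usage: audit_svc_writable privoxy /usr/sbin/privoxy /etc/privoxy
# Prints "path: reason" per finding; exit status is 1 if anything was found.
audit_svc_writable() (
    svc=$1; shift
    # Resolve the account to numeric ids; an unknown account matches nothing
    # by owner or group, but world-writable entries are still reported.
    svc_uid=$(id -u "$svc" 2>/dev/null) || svc_uid=
    svc_gids=$(id -G "$svc" 2>/dev/null) || svc_gids=
    # Symlinks are skipped: their own mode bits are always rwxrwxrwx.
    find "$@" ! -type l -print 2>/dev/null | {
        rc=0
        while IFS= read -r p; do
            # %u owner uid, %g group gid, %A symbolic mode such as -rwxr--r--
            set -- $(stat -c '%u %g %A' "$p" 2>/dev/null)
            [ $# -eq 3 ] || continue
            why=
            if [ -n "$svc_uid" ] && [ "$1" = "$svc_uid" ]; then
                why="owned by $svc"   # the owner can always chmod and rewrite
            fi
            case $3 in ?????w*)       # group write bit set
                case " $svc_gids " in *" $2 "*)
                    why="${why:+$why, }group-writable via gid $2" ;;
                esac ;;
            esac
            case $3 in ????????w*)    # other write bit set
                why="${why:+$why, }world-writable" ;;
            esac
            if [ -n "$why" ]; then
                printf '%s: %s\n' "$p" "$why"
                rc=1
            fi
        done
        exit "$rc"
    }
)
```

Directories are reported as well as files, since write access to a directory lets the account replace root-owned files inside it.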
Package privoxy-3.0.19-2.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing privoxy-3.0.19-2.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15150/privoxy-3.0.19-2.fc18
then log in and leave karma (feedback).
privoxy-3.0.16-6.2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.