[request-tracker-maintainers] Bug#676322: request-tracker4: rt-crontool permissions not as recommended
Torben Nehmer
torben at nehmer.net
Wed Jun 6 07:04:46 UTC 2012
Package: request-tracker4
Version: 4.0.5-1~bpo60+1
Severity: normal
rt-crontool is not usable with users outside of user root (not recommended) and group www-data. The
documentation of RT-Crontool specifies:
---
This tool allows the user to run arbitrary perl modules from within RT. If this tool were setgid, a hostile
local user could use this tool to gain administrative access to RT. It is incredibly important that
nonprivileged users not be allowed to run this tool. It is suggested that you create a non-privileged unix user
with the correct group membership and RT access to run this tool (see User Configuration below).
[...]
rt-crontool should ideally be run by a special unprivileged operating system user who has also been entered in
RT as a privileged user with global [= ModifyTicket ] and [= ShowTicket ] rights. If you have created an
operating system user named rtcrontool, for instance, then create an RT user with Username and Unix login set to
rtcrontool, check Let this user be granted rights, and assign a password. Then under Configuration/Global/User
rights, add the two rights to the user you just created. This user should have read access to the RT files such
as RT_Config.pm and RT_SiteConfig.pm. If, for example, the rt group has read access to all the installed RT
files, you should assign your created user to that group (under UNIXen).
http://requesttracker.wikia.com/wiki/UseRtCrontool
---
It also seems that running rt-crontool as root is inappropriate ("Somebody indicates that you can run the tool
as root (uid 0), but that didn't work properly for me when using rt-crontool to do priority escalation.").
In addition, simply using an unprivileged system account requires that account to be in the group www-data, which
is doable, but not necessarily nice as the RT_SiteConfig.pm file's permissions prevent access from other users:
-rw-r----- 1 root www-data 12405 29. Mär 17:09 RT_SiteConfig.pm
If I read the aforementioned Wiki page right, the default way would be having RT have its own system group
which owns the files in question. That again would need Apache to be in that system group, so I am not sure what
the ideal solution here is as both Apache and rt-crontool need access to the configuration files.
However, adding rt-crontool users to www-data definitely is a workaround to go with.
-- Package-specific info:
Changed files:
There are locally modified files in /usr/local/share/request-tracker4/,
these may (or may not) be the source of the problem.
-- System Information:
Debian Release: 6.0.5
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages request-tracker4 depends on:
ii dbconfig-common 1.8.46+squeeze.0 common framework for packaging dat
ii debconf [debconf- 1.5.36.1 Debian configuration management sy
ii fonts-droid [ttf- 20101110+git-3~bpo60+1 handheld device font with extensiv
ii libapache-session 1.87-1 Perl modules for keeping persisten
ii libcache-simple-t 0.27-2 Perl module to cache and expire ke
ii libcgi-emulate-ps 0.10-1~bpo60+1 PSGI adapter for CGI
ii libcgi-pm-perl 3.49-1squeeze1 module for Common Gateway Interfac
ii libcgi-psgi-perl 0.13-1~bpo60+1 Adapt CGI.pm to the PSGI protocol
ii libclass-accessor 0.34-1 Perl module that automatically gen
ii libclass-returnva 0.55-1 A return-value object that lets yo
ii libconvert-color- 0.05-1 Perl module for color space conver
ii libcss-squish-per 0.09-1 module to compact many CSS files i
ii libdata-ical-perl 0.16+dfsg-1 Perl module for manipulating iCale
ii libdatetime-local 1:0.45-1 Perl extension providing localizat
ii libdatetime-perl 2:0.6100-2 module for manipulating dates, tim
ii libdbi-perl 1.612-1 Perl Database Interface (DBI)
ii libdbix-searchbui 1.59-2~bpo60+1 Perl implementation of a simple OR
ii libdevel-globalde 0.02-1 Expose PL_dirty, the flag which ma
ii libdevel-stacktra 1.2700-1~bpo60+1 Perl module containing stack trace
ii libemail-address- 1.889-2 RFC 2822 Address Parsing and Creat
ii libencode-perl 2.44-1~bpo60+1 module providing interfaces betwee
ii libfcgi-procmanag 0.18-2 Functions for managing FastCGI app
ii libfile-sharedir- 1.00-0.1 Locate per-dist and per-module sha
ii libgd-graph-perl 1.44-3 Graph Plotting Module for Perl 5
ii libgd-text-perl 0.86-5 Text utilities for use with GD
ii libgnupg-interfac 0.42-3 Perl interface to GnuPG
ii libgraphviz-perl 2.04-1 Perl interface to the GraphViz gra
ii libhtml-mason-per 1:1.44-1 HTML::Mason Perl module
ii libhtml-mason-psg 0.52-1~bpo60+1 PSGI handler for HTML::Mason
ii libhtml-quoted-pe 0.03-1~bpo60+1 extract structure of quoted HTML m
ii libhtml-rewriteat 0.04-1~bpo60+1 concise attribute rewriting
ii libhtml-scrubber- 0.08-4 Perl extension for scrubbing/sanit
ii libipc-run3-perl 0.042-2 run a subprocess with input/ouput
ii libjson-perl 2.21-1 Perl module to parse and convert t
ii liblist-moreutils 0.25~02-1 Perl module with additional list f
ii liblocale-maketex 0.10-1 Maketext from already interpolated
ii liblocale-maketex 0.82-1 lexicon-handling backends for Loca
ii liblog-dispatch-p 2.29-1~bpo60+1 message dispatcher to multiple Log
ii libmailtools-perl 2.06-1 Manipulate email in perl programs
ii libmime-tools-per 5.428-1 Perl5 modules for MIME-compliant m
ii libmime-types-per 1.30-1 Perl extension for determining MIM
ii libmodule-version 1.06-1 Report versions of all modules in
ii libnet-cidr-perl 0.13-1 Manipulate IPv4/IPv6 netblocks in
ii libperlio-eol-per 0.14-1+b1 PerlIO layer for normalizing line
ii libplack-perl 0.9980-1~bpo60+2 interface between web servers and
ii libregexp-common- 0.02-1~bpo60+1 provide patterns for CIDR blocks
ii libregexp-common- 2010010201-1 module with common regular express
ii libregexp-ipv6-pe 0.03-1~bpo60+1 Regular expression for IPv6 addres
ii libtext-autoforma 1.669002-1 module for automatic text wrapping
ii libtext-password- 0.28-1 Perl module to generate pronouncea
ii libtext-quoted-pe 2.06-1 Perl module to extract the structu
ii libtext-template- 1.45-1 Text::Template perl module
ii libtext-wikiforma 0.78-1 translates Wiki formatted text int
ii libtext-wrapper-p 1.02-1 Simple word wrapping routine
ii libtime-modules-p 2006.0814-2 Various Perl modules for time/date
ii libtimedate-perl 1.2000-1 collection of modules to manipulat
ii libtree-simple-pe 1.18-1 A simple tree object
ii libuniversal-requ 0.13-1 Load modules from a variable
ii libxml-rss-perl 1.48-1 Perl module for managing RSS (RDF
ii libxml-simple-per 2.18-3 Perl module for reading and writin
ii perl 5.10.1-17squeeze3 Larry Wall's Practical Extraction
ii perl-modules [lib 5.10.1-17squeeze3 Core Perl modules
ii postfix [mail-tra 2.7.1-1+squeeze1 High-performance mail transport ag
ii rsyslog [system-l 4.6.4-2 enhanced multi-threaded syslogd
ii rt4-apache2 4.0.5-1~bpo60+1 Apache 2 specific files for reques
ii rt4-clients 4.0.5-1~bpo60+1 mail gateway and command-line inte
ii rt4-db-postgresql 4.0.5-1~bpo60+1 PostgreSQL database backend for re
ii ttf-droid 20101110+git-3~bpo60+1 transitional dummy package
ii ucf 3.0025+nmu1 Update Configuration File: preserv
Versions of packages request-tracker4 recommends:
ii cron [cron-daemon] 3.0pl1-116 process scheduling daemon
request-tracker4 suggests no packages.
-- Configuration Files:
/etc/request-tracker4/RT_SiteConfig.d/40-timezone [Errno 13] Keine Berechtigung: u'/etc/request-tracker4/RT_SiteConfig.d/40-timezone'
-- debconf information excluded
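An added check for the privilege layout the report discusses, written here in POSIX sh and not taken from the bug report or the RT project; the tool path, config path and cron user name you pass to it are assumptions:

```shell
#!/bin/sh
# Added example, not from the bug report or the RT project: audits the
# rt-crontool privilege layout discussed above with two independent checks:
#  * the tool must not carry setuid/setgid bits (the quoted wiki text warns a
#    setgid rt-crontool lets a hostile local user gain RT admin rights);
#  * the unprivileged cron user must still be able to read RT_SiteConfig.pm,
#    which on Debian is root:www-data mode 0640, so it needs the www-data
#    group (or a dedicated rt group that also contains the Apache user).

# tool_is_setid PATH: 0 if PATH has setuid or setgid set (a finding), else 1.
tool_is_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# config_readable PERMS OWNER GROUP USER GROUPS: 0 if USER can read the file.
#   PERMS is the ls -l mode string (e.g. -rw-r-----); GROUPS is the
#   space-separated list of groups USER belongs to (as printed by id -Gn).
# POSIX class selection: owner bits if USER owns the file, otherwise group
# bits if USER is in GROUP, otherwise the "other" bits.
config_readable() {
    perms=$1 owner=$2 group=$3 user=$4 groups=$5
    if [ "$user" = "$owner" ]; then
        case $perms in ?r*) return 0;; *) return 1;; esac
    fi
    for grp in $groups; do
        if [ "$grp" = "$group" ]; then
            case $perms in ????r*) return 0;; *) return 1;; esac
        fi
    done
    case $perms in ???????r*) return 0;; *) return 1;; esac
}

# audit_rt_crontool TOOL CONFIG USER: runs both checks against the live
# system and returns the number of problems found (0 = layout is sound).
audit_rt_crontool() {
    tool=$1 cfg=$2 user=$3 problems=0
    if tool_is_setid "$tool"; then
        echo "PROBLEM: $tool is setuid/setgid; chmod u-s,g-s it and run it from $user's crontab"
        problems=$((problems + 1))
    fi
    set -- $(ls -ld "$cfg")   # POSIX ls -l fields: mode, links, owner, group, ...
    if config_readable "$1" "$3" "$4" "$user" "$(id -Gn "$user")"; then
        echo "ok: $user can read $cfg ($1 $3:$4)"
    else
        echo "PROBLEM: $user cannot read $cfg ($1 $3:$4); add $user to group $4"
        problems=$((problems + 1))
    fi
    return $problems
}
```

Run it as, for example, `audit_rt_crontool /path/to/rt-crontool /etc/request-tracker4/RT_SiteConfig.pm rtcrontool` (paths and user are placeholders); a non-zero exit count is the number of findings.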