[DRE-maint] Bug#736830: ruby-passenger: wrong permissions on /tmp/passengerXXX

[Benoît SÉRIE]

Package: ruby-passenger
Version: 3.0.13debian-1+deb7u1
Severity: important

Dear Maintainer,

We use Redmine (from Debian package) and the last passenger update
(3.0.13debian-1+deb7u1) has broken the permissions in /tmp/passengerXXX
(e.g /tmp/passenger.1.0.25998).

Apache runs as www-data but this directory is owned by root only.

# ls -lhad /tmp/passenger.1.0.25998/
drwxr-x--- 3 root root 1.0K Jan 27 10:53 /tmp/passenger.1.0.25998/

Error message given by Apache:

[ pid=26810 thr=140719191291712 file=ext/apache2/Hooks.cpp:862 time=2014-01-27 10:57:06.221 ]:
Unexpected error in mod_passenger: Cannot connect to Unix socket
'/tmp/passenger.1.0.25998/generation-0/socket': Permission denied (13)
Backtrace:
[Truncated...]

As a temporary fix, changing owner of /tmp/passengerXXX solves the issue.

Seeing "Fix CVE-2013-2119 and CVE-2013-4136: insecure tmp files usage.
(Closes: #710351, #717176)" makes me think that this is due to this fix.

Best Regards,
-- 
Benoit SÉRIE <bserie at evolix.fr> – GnuPG: 4096R/56C27D99
Evolix – Hébergement et Infogérance Open Source http://www.evolix.fr/