[Pkg-xmpp-devel] Bug#632631: jwchat: strange and insecure file permission
Petter Reinholdtsen
pere at hungry.com
Mon Aug 26 21:23:37 UTC 2013
Control: tags -1 + patch
[Helmut Grohne 2011-07-04]
> The postinst of jwchat has some strange ideas about file permission.
I suggest changing the www-data:www-data ownership of the config file to
root:www-data with mode 644, to allow the web server to read the file
but not modify it.
I also suggest setting the file permissions in the www directory to
root:nobody, as everyone will be allowed to read the files. I do not
understand the comment "chown everything to nobody:nogroup to make suphp
happy" in the postinst script, so this might be the wrong solution. No
idea how to verify if suphp is happy or not. :)
Here is a patch implementing my proposed change:
diff -ur jwchat-1.0+dfsg/debian/postinst jwchat-1.0+dfsg-pere/debian/postinst
--- jwchat-1.0+dfsg/debian/postinst 2010-09-17 20:11:48.000000000 +0200
+++ jwchat-1.0+dfsg-pere/debian/postinst 2013-08-26 23:18:02.897102775 +0200
@@ -19,7 +19,7 @@
{
find $wwwdir -type d -exec chmod 0755 {} \;
find $wwwdir -type f -exec chmod 0644 {} \;
- find $wwwdir -type f -exec chown nobody:nogroup {} \;
+ find $wwwdir -type f -exec chown root:nogroup {} \;
}
setup_apache()
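Review bot: the changed `chown root:nogroup` line still runs only under `-type f`, so directories below `$wwwdir` keep whatever owner they already have. With the `chmod 0755` two lines above, any directory still owned by `nobody` stays writable by that user, who could then rename or replace the root-owned files inside it. Consider dropping `-type f` from the chown, or adding a matching `-type d` pass, so the whole tree ends up owned by root. The message proposes root:nobody while the hunk sets `root:nogroup`, so one of the two needs correcting, and `$wwwdir` should be quoted in the `find` calls.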
@@ -29,7 +29,8 @@
sed -e "s|__ApacheServerName__|$apache_server_name|g" $configsource > \
$tempfile
ucf --three-way --debconf-ok $tempfile $configfile
- chown www-data:www-data $configfile
+ chmod 644 $configfile
+ chown root:www-data $configfile
if [ -x /usr/sbin/apache2 -a "$apache_server_name" != "none" ]; then
db_get jwchat/JabberAddress
jabber_address="$RET"
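Review bot: at `chmod 644 $configfile` the file becomes world-readable, so the `www-data` group set on the following line grants nothing that every other local user does not already have. If the goal is that only the web server may read the config, use mode 640 together with `chown root:www-data`; if world-readable is acceptable, `root:root` expresses that more plainly. Both new lines also use `$configfile` unquoted, so quoting it would be safer.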
--
Happy hacking
Petter Reinholdtsen