Package: ikiwiki
Version: 2.70
Severity: wishlist

I'm running a grsecurity-enhanced kernel and I have enabled the Trusted Path Execution restrictions [0].

What these restrictions do is prevent a user from executing files unless the file (and the directory in which it is) is owned by that user (or root) and is not group- or world-writable. Unfortunately, I ran into a file which doesn't fit that description:

  $ ls -l /var/www/francoiswiki/
  -rwsr-sr-x 1 francois francois 15K oct 7 18:19 ikiwiki.cgi*

  $ ls -ld /var/www/francoiswiki/
  drwxr-xr-x 91 francois francois 4,0K nov 6 18:51 /var/www/francoiswiki/

I can't really see an easy way to work around this, so I am filing this wishlist bug in the hope that someone will have an idea on how to meet these conditions or will have a better solution.

At the moment, I created a "tpeexempt" group and I put the apache user in it. This works but also means that none of the TPE restrictions apply to Apache :(

Cheers,
Francois

[0] I enabled this feature using the following config variables:

  CONFIG_GRKERNSEC_TPE=y
  CONFIG_GRKERNSEC_TPE_ALL=y
  CONFIG_GRKERNSEC_TPE_INVERT=y
  CONFIG_GRKERNSEC_TPE_GID=1001

Note that 1001 is the "tpeexempt" group I created for the "www-data" user.
-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.27.5-grsec (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ikiwiki depends on:
ii  libhtml-parser-perl     3.56-1+b1      A collection of modules that parse
ii  libhtml-scrubber-perl   0.08-4         Perl extension for scrubbing/sanit
ii  libhtml-template-perl   2.9-1          HTML::Template : A module for usin
ii  liburi-perl             1.35.dfsg.1-1  Manipulates and accesses URI strin
ii  markdown                1.0.1-7        Text-to-HTML conversion tool
ii  perl                    5.10.0-17      Larry Wall's Practical Extraction

Versions of packages ikiwiki recommends:
ii  bzr                           1.5-1.1        easy to use distributed version co
ii  gcc [c-compiler]              4:4.3.2-2      The GNU C compiler
ii  gcc-4.1 [c-compiler]          4.1.2-23       The GNU C compiler
ii  gcc-4.3 [c-compiler]          4.3.2-1        The GNU C compiler
ii  git-core                      1:1.5.6.5-1    fast, scalable, distributed revisi
ii  libauthen-passphrase-perl     0.005-3        Perl module encapsulating hashed p
ii  libc6-dev [libc-dev]          2.7-16         GNU C Library: Development Librari
ii  libcgi-formbuilder-perl       3.05.01-6      Easily generate and process statef
ii  libcgi-session-perl           4.38-1         persistent session data in CGI app
ii  liblwpx-paranoidagent-perl    1.03-1.1       a "paranoid" subclass of LWP::User
ii  libmail-sendmail-perl         0.79.16-1      Send email from a perl script
ii  libnet-openid-consumer-perl   0.14-4         library for consumers of OpenID id
ii  libtimedate-perl              1.1600-9       Time and date functions for Perl
ii  libxml-simple-perl            2.18-1         Perl module for reading and writin
ii  subversion                    1.5.1dfsg1-1   Advanced version control system

Versions of packages ikiwiki suggests:
pn  dvipng                  <none>         (no description available)
ii  graphviz                2.20.2-3       rich set of graph drawing tools
ii  libcrypt-ssleay-perl    0.57-1+b1      Support for https protocol in LWP
ii  libdigest-sha1-perl     2.11-2+b1      NIST SHA-1 message digest algorith
ii  libfile-mimeinfo-perl   0.15-1         Perl module to determine file type
ii  liblocale-gettext-perl        1.05-4         Using libc functions for internati
ii  libmailtools-perl             2.04-1         Manipulate email in perl programs
pn  libnet-amazon-s3-perl         <none>         (no description available)
pn  librpc-xml-perl               <none>         (no description available)
ii  libsearch-xapian-perl         1.0.7.0-1      Perl bindings for the Xapian C++ s
ii  libtext-csv-perl              1.10-1         comma-separated values manipulator
pn  libtext-typography-perl       <none>         (no description available)
ii  libtext-wikiformat-perl       0.78-1         translates Wiki formatted text int
pn  libxml-feed-perl              <none>         (no description available)
pn  perlmagick                    <none>         (no description available)
pn  polygen                       <none>         (no description available)
ii  python                        2.5.2-3        An interactive high-level object-o
pn  python-docutils               <none>         (no description available)
pn  sparkline-php                 <none>         (no description available)
ii  texlive                       2007.dfsg.1-4  TeX Live: A decent selection of th
ii  tidy                          20080116cvs-2  HTML syntax checker and reformatte
pn  viewvc | gitweb | viewcvs     <none>         (no description available)
ii  xapian-omega                  1.0.7-3        CGI search interface and indexers

-- no debconf information
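The report describes the TPE rule in three parts: the executable and its directory must be owned by the executing user (or root), and neither may be group- or world-writable. The checker below, added here as an illustration and not part of the bug report or of grsecurity, applies exactly that rule to a path so an administrator can see which clause a file trips before deploying it. It models only the rule as the reporter states it (immediate parent directory, ownership, group/world write bits); it does not model the setuid bit or the TPE group exemption. The `build_example` scenario, file name and uid values are constructed for the demonstration; the "other user" case mirrors the report's situation, where ikiwiki.cgi is owned by one user but executed by www-data.

```python
import os
import stat
import tempfile


def tpe_violations(path, uid=None):
    """Return the reasons `path` would be refused under the TPE rule as described
    in the report; an empty list means it passes. `uid` is the user who would
    execute the file (defaults to the current user). Only the file and its
    immediate directory are examined, which is what the report describes."""
    if uid is None:
        uid = os.getuid()
    problems = []
    directory = os.path.dirname(os.path.abspath(path))
    for label, p in (("file", path), ("directory", directory)):
        st = os.stat(p)
        # Clause 1: owned by the executing user or by root.
        if st.st_uid not in (uid, 0):
            problems.append(f"{label} owned by uid {st.st_uid}, not {uid} or root")
        # Clause 2/3: no group or world write permission.
        if st.st_mode & stat.S_IWGRP:
            problems.append(f"{label} is group-writable")
        if st.st_mode & stat.S_IWOTH:
            problems.append(f"{label} is world-writable")
    return problems


def build_example():
    """Constructed scenario (hypothetical, not from the report): one executable in
    a temporary directory, checked under several ownership/permission setups."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "ikiwiki.cgi")  # file name borrowed from the report
        with open(exe, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        me = os.getuid()
        os.chmod(d, 0o755)
        os.chmod(exe, 0o755)

        # Owner runs its own 0755 file in its own 0755 directory: passes.
        results["owner_ok"] = tpe_violations(exe, uid=me)

        # A different (constructed) uid runs the same file, as www-data does in
        # the report: fails on ownership unless the file is root-owned.
        results["other_user"] = tpe_violations(exe, uid=me + 1)

        # Group-writable file: fails even for the owner.
        os.chmod(exe, 0o775)
        results["group_writable"] = tpe_violations(exe, uid=me)
        os.chmod(exe, 0o755)

        # World-writable directory: fails even though the file itself is fine.
        os.chmod(d, 0o757)
        results["world_writable_dir"] = tpe_violations(exe, uid=me)
        os.chmod(d, 0o755)

        # Recorded so a caller knows the ownership clause is trivially satisfied.
        results["running_as_root"] = (me == 0)
    return results


if __name__ == "__main__":
    for case, problems in build_example().items():
        print(f"{case}: {problems if problems else 'ok'}")
```

Running `python3 tpe_check.py` on a real installation, e.g. `tpe_violations("/var/www/francoiswiki/ikiwiki.cgi", uid=<www-data uid>)`, reports the ownership mismatch from the bug without weakening TPE for the whole web server user, which is the trade-off the reporter's "tpeexempt" group makes.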