Phusion Passenger is running as root, and part(s) of the Passenger root path () can be changed by non-root user(s)

[Thu Jul 05 07:58:30.268108 2018] [core:warn] [pid 7157] AH00117: Ignoring deprecated use of DefaultType in line 111 of /usr/local/apache/conf/httpd.conf.
[Thu Jul 05 07:58:30.268302 2018] [alias:warn] [pid 7157] AH00671: The Alias directive in /usr/local/apache/conf/httpd.conf at line 318 will probably never match because it overlaps an earlier Alias.
[Thu Jul 05 07:58:30.270866 2018] [:notice] [pid 7157] HiveEXEC mechanism enabled (wrapper: /usr/local/1h/sbin/hive_exec)
[Thu Jul 05 07:58:30.276835 2018] [:notice] [pid 28647] FastCGI: process manager initialized (pid 28647)
[ N 2018-07-05 07:58:30.2928 28649/T1 age/Wat/WatchdogMain.cpp:1297 ]: Starting Passenger watchdog...
[ N 2018-07-05 07:58:30.3078 28652/T1 age/Cor/CoreMain.cpp:1202 ]: Starting Passenger core...
[ N 2018-07-05 07:58:30.3079 28652/T1 age/Cor/CoreMain.cpp:252 ]: Passenger core running in multi-application mode.
[ W 2018-07-05 07:58:30.3242 28652/T1 age/Cor/CoreMain.cpp:929 ]: **WARNING: potential privilege escalation vulnerability detected. Phusion Passenger is running as root, and part(s) of the Passenger root path (/usr/local/rvm/gems/ruby-2.4.1@myspace_new/gems/passenger-5.3.2) can be changed by non-root user(s):**

 - /usr/local/rvm/gems/ruby-2.4.1@myspace_new/gems is not secure: it can be modified by group rvm
 - /usr/local/rvm/gems is not secure: it can be modified by group rvm

Please either fix up the permissions for the insecure paths, or install Passenger in a different location that can only be modified by root.

[ N 2018-07-05 07:58:30.3242 28652/T1 age/Cor/CoreMain.cpp:937 ]: Passenger core online, PID 28652
[Thu Jul 05 07:58:30.327114 2018] [mpm_prefork:notice] [pid 7157] AH00163: Apache/2.4.29 (Unix) mod_hive/6.6 OpenSSL/1.0.1e-fips mod_fastcgi/2.4.6 Phusion_Passenger/5.3.2 configured -- resuming normal operations
[Thu Jul 05 07:58:30.327141 2018] [core:notice] [pid 7157] AH00094: Command line: '/usr/local/apache/bin/httpd -D SSL'
[ N 2018-07-05 07:58:30.5457 27311/T1 age/Cor/CoreMain.cpp:1187 ]: **Passenger core shutdown finished**

The answer, for me:

1 - For the website in /opt/redmine/redmine-site-version

sudo chown www-data:redmine-user -R /opt/redmine/

2 -

cd /opt
sudo chown root:root redmine/
cd /opt/redmine
sudo chown root:root .rvm/
cd /opt/redmine/.rvm
sudo chown root:root gems/
cd /opt/redmine/.rvm/gems
sudo chown root:root ruby-2.4.5@redmine-4.0-stable-prod-unis
cd /opt/redmine/.rvm/gems/ruby-2.4.5@redmine-4.0-stable-prod-unis
sudo chown root:root gems/
cd /opt/redmine/.rvm/gems/ruby-2.4.5@redmine-4.0-stable-prod-unis/gems
sudo chown root:root passenger-6.0.2

Restart Apache2

Look at your logs.

Redmine RVM 2020: https://wiki.visionduweb.fr/index.php?title=Installer_Redmine_sur_Debian_avec_RVM#Notes_de_s.C3.A9curit.C3.A9
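
The following added example (not part of the original answer and not Passenger's own code) lists every directory from a Passenger root up to `/` that is not owned by root or carries a group or world write bit, which is the condition the warning reports. The function names `dir_problem` and `audit_path` are hypothetical, and the rule set is an assumption modelled on the warning text.

```shell
#!/bin/sh
# Added example: report directories on the way up from a Passenger root that
# a non-root user could modify. Rules are an assumption based on the warning
# text: owner must be the trusted uid, no group or world write bit.

# dir_problem DIR [TRUSTED_UID] - print one line per problem found on DIR.
dir_problem() {
    info=$(ls -ldn -- "$1") || return 2
    perms=$(printf '%s\n' "$info" | awk '{print $1}')   # e.g. drwxrwxr-x
    owner=$(printf '%s\n' "$info" | awk '{print $3}')   # numeric uid
    if [ "$owner" != "${2:-0}" ]; then
        echo "$1: owned by uid $owner"
    fi
    if [ "$(printf '%s' "$perms" | cut -c6)" = w ]; then
        echo "$1: group-writable ($perms)"
    fi
    if [ "$(printf '%s' "$perms" | cut -c9)" = w ]; then
        echo "$1: world-writable ($perms)"
    fi
}

# audit_path PATH [TRUSTED_UID] [STOP_DIR] - check PATH and each parent,
# stopping at STOP_DIR (default /). Symlinks are resolved first.
audit_path() {
    p=$(cd -- "$1" && pwd -P) || return 2
    stop=${3:-/}
    while :; do
        dir_problem "$p" "${2:-0}"
        if [ "$p" = "$stop" ] || [ "$p" = / ]; then
            break
        fi
        p=$(dirname -- "$p")
    done
}

# Example call with the path from the log above:
#   audit_path /usr/local/rvm/gems/ruby-2.4.1@myspace_new/gems/passenger-5.3.2
if [ "$#" -gt 0 ]; then
    audit_path "$@"
fi
```

An empty result means no directory on the path matched these rules. For a directory reported as modifiable by a group, as in the log above, `chmod g-w` on that directory removes the group write bit.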
