
Item10896: Insecure dependency in configure creating working directory under some environments

Priority: Urgent
CurrentState: Closed
AppliesTo: Engine
Component: Configure
WaitingFor: PaulHarvey
From Item10873:

Initial run of configure, set up all the paths, and hit save. "Insecure dependency in mkdir while running with -T switch at /home/litt/wikisvn/foswiki/trunk/core/lib/Foswiki/Configure/Checkers/WorkingDir.pm line 30." on save. Sigh. You'll want to do something like the patch below.

We were not able to reproduce, but the reporter's environment nonetheless produces the error. Timothe's VM produces:
Fresh install of Fedora 15 under VirtualBox. Started with unformatted disk & Fedora .iso, so it's a *really* fresh install :-)

Linux host.example.net 2.6.38.7-30.fc15.x86_64 #1 SMP Fri May 27 05:15:53 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

perl 5, version 12, subversion 3 (v5.12.3) built for x86_64-linux-thread-multi

-- PaulHarvey - 18 Jun 2011

One clue - Checking logs, it looks like SELinux blocked access to LocalLib.cfg. I haven't had time to track back further, but I think that causes configure to take some different paths - something about reading only some of the spec files and/or treating them as data rather than do/require? Memory's failing, but suspect this may have caused the WorkingDir value to come from the spec file rather than LocalSite.cfg. Which may be how it was tainted...

Hope this helps.

-- TimotheLitt - 28 Jun 2011

Support.Question891 has a different insecure dependency problem on Solaris

-- PaulHarvey - 07 Jul 2011
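
The failure mode discussed in this thread, as an added example that is not Foswiki's code or the patch referred to above: under `perl -T`, a path that was read from a file as data is tainted, so `mkdir` dies with the reported message until the value is validated and untainted through a regex capture. The `WorkingDir = ...` line, the helper names `try_mkdir` and `untaint_dir`, and the `/tmp/taint-demo-working` path are constructed for illustration, and a Unix-like system with a writable `/tmp` is assumed.

```perl
#!/usr/bin/perl
# Added illustration, not Foswiki code. Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with: perl -T $0\n" unless ${^TAINT};

# Attempt the mkdir and report the outcome instead of letting the
# taint check terminate the script.
sub try_mkdir {
    my ($dir) = @_;
    my $made;
    eval { $made = mkdir $dir, 0700; 1 } or do {
        (my $err = $@) =~ s/\s+\z//;
        return "died: $err";
    };
    return $made ? 'created' : "not created: $!";
}

# Validate first, then untaint: absolute path, conservative character
# set, no ".." component. Only the regex capture clears the taint flag
# (this relies on neither "use locale" nor "use re 'taint'" being active).
sub untaint_dir {
    my ($dir) = @_;
    return undef if $dir =~ m{(?:\A|/)\.\.(?:/|\z)};
    return $dir =~ m{\A(/[A-Za-z0-9_./-]+)\z} ? $1 : undef;
}

# Constructed setting, read as data from a filehandle. All file input is
# tainted under -T, and split() (unlike a capture) keeps the taint.
chomp(my $line = <DATA>);
my (undef, $raw) = split /\s*=\s*/, $line, 2;

printf "raw value tainted:       %s\n", tainted($raw) ? 'yes' : 'no';
printf "mkdir(raw value):        %s\n", try_mkdir($raw);

my $clean = untaint_dir($raw);
die "rejected WorkingDir value: $raw\n" unless defined $clean;
printf "validated value tainted: %s\n", tainted($clean) ? 'yes' : 'no';
printf "mkdir(validated value):  %s\n", try_mkdir($clean);
rmdir $clean;    # remove the demo directory again

__DATA__
WorkingDir = /tmp/taint-demo-working
```

A blanket `/(.*)/` capture would also clear the taint flag, but it validates nothing; the pattern used for untainting is the actual security check.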
 


Summary Insecure dependency in configure creating working directory under some environments
ReportedBy PaulHarvey
Codebase 1.1.3, trunk
SVN Range
AppliesTo Engine
Component Configure
Priority Urgent
CurrentState Closed
WaitingFor PaulHarvey
Checkins distro:8f05b85826e7 distro:84bf01df0e03 distro:7d35999d315c distro:9ecd7e867a18
TargetRelease patch
ReleasedIn 1.1.4
Topic revision: r8 - 17 Dec 2011, GeorgeClark
 