[Popcon-developers] Bug#429405: Wrong usage of su in /etc/cron.weekly/popularity-contest (New bug)

Bill Allombert Bill.Allombert at math.u-bordeaux1.fr
Mon Jun 18 15:53:12 UTC 2007


On Sun, Jun 17, 2007 at 10:32:25PM +0200, Klaus Ethgen wrote:
> Package: popularity-contest
> Version: 1.41
> Severity: important
> 
> For a long time now I have got the following line every week:
> Jun 17 22:06:07 ikki popularity-contest: unable to submit report to http://popcon.debian.org/cgi-bin/popcon.cgi.
> 
> I was wondering why I get this message as everything with this site was
> OK. Now I searched a bit further and found the bug.
> 
> Apart from the fact that the error message is completely useless if the
> error occurs when the report is empty, there is a wrong usage of 'su' in
> /etc/cron.weekly/popularity-contest. As you can see from 'getent passwd
> nobody':
> nobody:x:65534:65534:nobody:/nonexistent:/bin/false

Hello Klaus,

It is not the case on Debian by default:
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh

Furthermore, the point of user nobody is to be able to run processes
that have no file access permissions outside 'other' (since no files are
owned by user or group nobody). If you preclude it from running
programs, then this user is useless. If nobody does not have a default
shell, every usage of 'su nobody' must hard-code a shell instead of
following /etc/passwd. This is generally a bad thing. Only root can 'su
nobody' anyway.

/etc/cron.weekly/popularity-contest is not the only script to use 
'su nobody' without -s.

Thanks for your interest in popularity-contest,
Bill.
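
Added example, not part of the original message or of the popularity-contest package: a POSIX sh check for whether 'su nobody' calls in a script depend on the login shell recorded in /etc/passwd, run against the two passwd entries quoted in the thread. The function names and the sample cron lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the login shell (7th field) of a passwd(5) entry.
login_shell_of() {
    printf '%s\n' "$1" | cut -d: -f7
}

# Succeed if a shell from /etc/passwd can run `su USER -c CMD`.
# An empty field means /bin/sh per passwd(5).
shell_runs_commands() {
    case "$1" in
        */false|*/nologin) return 1 ;;
        *) return 0 ;;
    esac
}

# Succeed if a script line calls `su ... nobody` with no -s/--shell, i.e. it
# relies on the shell in /etc/passwd. Heuristic: an "-s" inside the quoted
# command would hide a real hit.
su_without_shell_flag() {
    printf '%s\n' "$1" |
        grep -Eq '(^|[[:space:];|&])su[[:space:]]+(.*[[:space:]])?nobody([[:space:]]|$)' || return 1
    if printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])(-s|--shell)([[:space:]=]|$)'; then
        return 1
    fi
    return 0
}

# audit PASSWD_ENTRY < script: list the su calls that fail for that entry.
audit() {
    audit_shell=$(login_shell_of "$1")
    if shell_runs_commands "$audit_shell"; then return 0; fi
    while IFS= read -r audit_line; do
        if su_without_shell_flag "$audit_line"; then
            printf 'needs -s: %s\n' "$audit_line"
        fi
    done
    return 0
}

# Constructed cron-script lines (not copied from the package).
SAMPLE='su nobody -c "popularity-contest"
su -s /bin/sh -c "popularity-contest" nobody'

# The two passwd entries quoted in the thread.
printf '%s\n' "$SAMPLE" | audit 'nobody:x:65534:65534:nobody:/nonexistent:/bin/false'
printf '%s\n' "$SAMPLE" | audit 'nobody:*:65534:65534:nobody:/nonexistent:/bin/sh'
```

On a live system the entry can come from 'getent passwd nobody' and the script text from the cron file under review.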



