Posted to issues@maven.apache.org by "Martin Vysny (JIRA)" <ji...@codehaus.org> on 2006/05/21 12:02:41 UTC
[jira] Created: (MSITE-141) Possible security hole when deploying site
Possible security hole when deploying site
------------------------------------------
Key: MSITE-141
URL: http://jira.codehaus.org/browse/MSITE-141
Project: Maven 2.x Site Plugin
Type: Bug
Versions: 2.0-beta-5
Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
Reporter: Martin Vysny
Priority: Critical
When the site is deployed into a directory /foo/bar, the following command is issued over a ssh:
chmod -Rf g+w /foo/bar/
it was intended to use g+r I presume? :-)
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
[jira] Commented: (MSITE-141) Possible security hole when deploying site
Posted by "Lukas Theussl (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MSITE-141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=185086#action_185086 ]
Lukas Theussl commented on MSITE-141:
-------------------------------------
The maven 1 site plugin had the two options maven.site.chmod.options and maven.site.chmod.mode. I guess we should add similar parameters to make it configurable, as the chmod command is currently hard-coded in SiteDeployMojo and SiteStageDeployMojo.
> Possible security hole when deploying site
> ------------------------------------------
>
> Key: MSITE-141
> URL: http://jira.codehaus.org/browse/MSITE-141
> Project: Maven 2.x Site Plugin
> Issue Type: Bug
> Components: site:deploy
> Affects Versions: 2.0-beta-5
> Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
> Reporter: Martin Vysny
> Priority: Critical
> Fix For: 2.1
>
>
> When the site is deployed into a directory /foo/bar, the following command is issued over a ssh:
> chmod -Rf g+w /foo/bar/
> it was intended to use g+r I presume? :-)
[jira] Commented: (MSITE-141) Possible security hole when deploying site
Posted by "Martin Vysny (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MSITE-141?page=comments#action_65649 ]
Martin Vysny commented on MSITE-141:
------------------------------------
Well, that may be required when the group is set correctly. However, on my provider's web server new files are created simply with group "users". And I certainly don't want to allow all users to rewrite my files. So, it should be optional whether to use this chmod command or not.
> Possible security hole when deploying site
> ------------------------------------------
>
> Key: MSITE-141
> URL: http://jira.codehaus.org/browse/MSITE-141
> Project: Maven 2.x Site Plugin
> Type: Bug
> Versions: 2.0-beta-5
> Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
> Reporter: Martin Vysny
> Priority: Critical
>
>
> When the site is deployed into a directory /foo/bar, the following command is issued over a ssh:
> chmod -Rf g+w /foo/bar/
> it was intended to use g+r I presume? :-)
[jira] Updated: (MSITE-141) Possible security hole when deploying site
Posted by "Dennis Lundberg (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MSITE-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dennis Lundberg updated MSITE-141:
----------------------------------
Fix Version/s: 2.0-beta-8 (was: 2.0-beta-7)
> Possible security hole when deploying site
> ------------------------------------------
>
> Key: MSITE-141
> URL: http://jira.codehaus.org/browse/MSITE-141
> Project: Maven 2.x Site Plugin
> Issue Type: Bug
> Components: site:deploy
> Affects Versions: 2.0-beta-5
> Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
> Reporter: Martin Vysny
> Priority: Critical
> Fix For: 2.0-beta-8
>
>
> When the site is deployed into a directory /foo/bar, the following command is issued over a ssh:
> chmod -Rf g+w /foo/bar/
> it was intended to use g+r I presume? :-)
[jira] Closed: (MSITE-141) Possible security hole when deploying site
Posted by "Lukas Theussl (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MSITE-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lukas Theussl closed MSITE-141.
-------------------------------
Assignee: Lukas Theussl
Resolution: Fixed
Done in [r798916|http://svn.apache.org/viewvc?view=rev&revision=798916]
> Possible security hole when deploying site
> ------------------------------------------
>
> Key: MSITE-141
> URL: http://jira.codehaus.org/browse/MSITE-141
> Project: Maven 2.x Site Plugin
> Issue Type: Bug
> Components: site:deploy
> Affects Versions: 2.0-beta-5
> Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
> Reporter: Martin Vysny
> Assignee: Lukas Theussl
> Priority: Critical
> Fix For: 2.1
>
>
> When the site is deployed into a directory /foo/bar, the following command is issued over a ssh:
> chmod -Rf g+w /foo/bar/
> it was intended to use g+r I presume? :-)
[jira] Updated: (MSITE-141) Possible security hole when deploying site
Posted by "Dennis Lundberg (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MSITE-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dennis Lundberg updated MSITE-141:
----------------------------------
Component/s: site:deploy
> Possible security hole when deploying site
> ------------------------------------------
>
> Key: MSITE-141
> URL: http://jira.codehaus.org/browse/MSITE-141
> Project: Maven 2.x Site Plugin
> Issue Type: Bug
> Components: site:deploy
> Affects Versions: 2.0-beta-5
> Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
> Reporter: Martin Vysny
> Priority: Critical
> Fix For: 2.0-beta-7
>
>
> When the site is deployed into a directory /foo/bar, the following command is issued over a ssh:
> chmod -Rf g+w /foo/bar/
> it was intended to use g+r I presume? :-)
[jira] Commented: (MSITE-141) Possible security hole when deploying site
Posted by "Dennis Lundberg (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MSITE-141?page=comments#action_65647 ]
Dennis Lundberg commented on MSITE-141:
---------------------------------------
No, it is meant to be like that. See MSITE-24.
> Possible security hole when deploying site
> ------------------------------------------
>
> Key: MSITE-141
> URL: http://jira.codehaus.org/browse/MSITE-141
> Project: Maven 2.x Site Plugin
> Type: Bug
> Versions: 2.0-beta-5
> Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
> Reporter: Martin Vysny
> Priority: Critical
>
>
> When the site is deployed into a directory /foo/bar, the following command is issued over a ssh:
> chmod -Rf g+w /foo/bar/
> it was intended to use g+r I presume? :-)
[jira] Commented: (MSITE-141) Possible security hole when deploying site
Posted by "Christopher McIntosh (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MSITE-141?page=comments#action_74000 ]
Christopher McIntosh commented on MSITE-141:
--------------------------------------------
When will this issue be addressed? My web host provider refuses to serve pages whose group mod is 'w'. I tried using the <filePermissions> and <directoryPermissions> in settings.xml, but even that does not work...
> Possible security hole when deploying site
> ------------------------------------------
>
> Key: MSITE-141
> URL: http://jira.codehaus.org/browse/MSITE-141
> Project: Maven 2.x Site Plugin
> Issue Type: Bug
> Affects Versions: 2.0-beta-5
> Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
> Reporter: Martin Vysny
> Priority: Critical
>
> When the site is deployed into a directory /foo/bar, the following command is issued over a ssh:
> chmod -Rf g+w /foo/bar/
> it was intended to use g+r I presume? :-)
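The effect discussed in this thread (every deployed file becoming writable by a shared group such as "users", and a host that refuses to serve group-writable pages) can be checked on the server after a deploy. The script below is an added example, not part of the original thread or of the Maven Site Plugin; the temporary directory stands in for /foo/bar and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not Maven code): audit a site tree after `chmod -Rf g+w`.

# Print every regular file and directory under $1 with the group-write bit
# (octal 020) set. Symlinks are skipped: their own mode bits are not meaningful.
list_group_writable() {
    find "$1" \( -type f -o -type d \) -perm -020 -print
}

# Number of group-writable entries under $1.
count_group_writable() {
    list_group_writable "$1" | wc -l | tr -d ' '
}

# Drop group write everywhere under $1; group read (g+r) is left untouched.
remove_group_write() {
    chmod -R g-w "$1"
}

# Constructed sample tree standing in for the deployed /foo/bar (assumption).
make_sample_site() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/css"
    : > "$d/index.html"
    : > "$d/css/site.css"
    chmod -R u=rwX,go=rX "$d"      # 755 dirs, 644 files: the state after upload
    printf '%s\n' "$d"
}

site=$(make_sample_site)
echo "after upload:        $(count_group_writable "$site") group-writable"
chmod -Rf g+w "$site/"             # the command quoted in the issue
echo "after chmod -Rf g+w: $(count_group_writable "$site") group-writable"
list_group_writable "$site" | while IFS= read -r p; do ls -ld "$p"; done
remove_group_write "$site"
echo "after chmod -R g-w:  $(count_group_writable "$site") group-writable"
rm -rf "$site"
```

The `ls -ld` output shows which group received write access, which is the detail that matters on a shared host where new files default to a common group.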
[jira] Updated: (MSITE-141) Possible security hole when deploying site
Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MSITE-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brett Porter updated MSITE-141:
-------------------------------
Fix Version/s: 2.0-beta-7
> Possible security hole when deploying site
> ------------------------------------------
>
> Key: MSITE-141
> URL: http://jira.codehaus.org/browse/MSITE-141
> Project: Maven 2.x Site Plugin
> Issue Type: Bug
> Affects Versions: 2.0-beta-5
> Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
> Reporter: Martin Vysny
> Priority: Critical
> Fix For: 2.0-beta-7
>
>
> When the site is deployed into a directory /foo/bar, the following command is issued over a ssh:
> chmod -Rf g+w /foo/bar/
> it was intended to use g+r I presume? :-)