Posted to issues@maven.apache.org by "Martin Vysny (JIRA)" <ji...@codehaus.org> on 2006/05/21 12:02:41 UTC

[jira] Created: (MSITE-141) Possible security hole when deploying site

Possible security hole when deploying site
------------------------------------------

         Key: MSITE-141
         URL: http://jira.codehaus.org/browse/MSITE-141
     Project: Maven 2.x Site Plugin
        Type: Bug

    Versions: 2.0-beta-5    
 Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
    Reporter: Martin Vysny
    Priority: Critical


When the site is deployed into a directory /foo/bar, the following command is issued over ssh:
chmod -Rf g+w /foo/bar/
It was intended to use g+r, I presume? :-)

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


[jira] Commented: (MSITE-141) Possible security hole when deploying site

Posted by "Lukas Theussl (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MSITE-141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=185086#action_185086 ] 

Lukas Theussl commented on MSITE-141:
-------------------------------------

The maven 1 site plugin had the two options maven.site.chmod.options and maven.site.chmod.mode. I guess we should add similar parameters to make it configurable, as the chmod command is currently hard-coded in SiteDeployMojo and SiteStageDeployMojo.

> Possible security hole when deploying site
> ------------------------------------------
>
>                 Key: MSITE-141
>                 URL: http://jira.codehaus.org/browse/MSITE-141
>             Project: Maven 2.x Site Plugin
>          Issue Type: Bug
>          Components: site:deploy
>    Affects Versions: 2.0-beta-5
>         Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
>            Reporter: Martin Vysny
>            Priority: Critical
>             Fix For: 2.1
>
>
> When the site is deployed into a directory /foo/bar, the following command is issued over ssh:
> chmod -Rf g+w /foo/bar/
> It was intended to use g+r, I presume? :-)


[jira] Commented: (MSITE-141) Possible security hole when deploying site

Posted by "Martin Vysny (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MSITE-141?page=comments#action_65649 ] 

Martin Vysny commented on MSITE-141:
------------------------------------

Well, that may be required when the group is set correctly. However, on my provider's web server new files are created simply with group "users". And I certainly don't want to allow all users to rewrite my files. So, it should be optional whether to use this chmod command or not.

> Possible security hole when deploying site
> ------------------------------------------
>
>          Key: MSITE-141
>          URL: http://jira.codehaus.org/browse/MSITE-141
>      Project: Maven 2.x Site Plugin
>         Type: Bug

>     Versions: 2.0-beta-5
>  Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
>     Reporter: Martin Vysny
>     Priority: Critical

>
>
> When the site is deployed into a directory /foo/bar, the following command is issued over ssh:
> chmod -Rf g+w /foo/bar/
> It was intended to use g+r, I presume? :-)

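A post-deploy check for the exposure discussed in this thread, as an added example that is not part of the original messages or the plugin's code: it applies the `chmod -Rf g+w` quoted in the issue to a constructed sample tree, lists what became group-writable (with the owning group, which is what matters on a host where files land in a shared group such as "users"), and strips the bit again. The function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Build a constructed sample tree standing in for the deployed site
# directory (/foo/bar in the issue) and normalise it to 755/644.
make_sample_site() {
    site=$(mktemp -d) || return 1
    mkdir -p "$site/css"
    echo '<html></html>' > "$site/index.html"
    echo 'body{}' > "$site/css/site.css"
    chmod -R u=rwX,go=rX "$site"
    echo "$site"
}

# Show every entry under $1 whose group-write bit (020) is set,
# in ls -ld form so the owning group is visible.
list_group_writable() {
    find "$1" -perm -020 -exec ls -ld {} +
}

# Number of group-writable entries under $1 (the root itself included).
count_group_writable() {
    find "$1" -perm -020 -print | wc -l | tr -d ' '
}

# Remediation after a deploy: drop group write, leave group read intact.
strip_group_write() {
    chmod -R g-w "$1"
}

site=$(make_sample_site)
before=$(count_group_writable "$site")

# The command the issue reports being run over ssh after deployment.
chmod -Rf g+w "$site/"
after=$(count_group_writable "$site")
list_group_writable "$site"

strip_group_write "$site"
fixed=$(count_group_writable "$site")

echo "before=$before after_deploy_chmod=$after after_fix=$fixed"
rm -rf "$site"
```

Run against a real deployment directory, `count_group_writable` returning anything other than 0 means members of the files' group can modify the published site.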


[jira] Updated: (MSITE-141) Possible security hole when deploying site

Posted by "Dennis Lundberg (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MSITE-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dennis Lundberg updated MSITE-141:
----------------------------------

    Fix Version/s:     (was: 2.0-beta-7)
                   2.0-beta-8

> Possible security hole when deploying site
> ------------------------------------------
>
>                 Key: MSITE-141
>                 URL: http://jira.codehaus.org/browse/MSITE-141
>             Project: Maven 2.x Site Plugin
>          Issue Type: Bug
>          Components: site:deploy
>    Affects Versions: 2.0-beta-5
>         Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
>            Reporter: Martin Vysny
>            Priority: Critical
>             Fix For: 2.0-beta-8
>
>
> When the site is deployed into a directory /foo/bar, the following command is issued over ssh:
> chmod -Rf g+w /foo/bar/
> It was intended to use g+r, I presume? :-)


[jira] Closed: (MSITE-141) Possible security hole when deploying site

Posted by "Lukas Theussl (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MSITE-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukas Theussl closed MSITE-141.
-------------------------------

      Assignee: Lukas Theussl
    Resolution: Fixed

Done in [r798916|http://svn.apache.org/viewvc?view=rev&revision=798916]

> Possible security hole when deploying site
> ------------------------------------------
>
>                 Key: MSITE-141
>                 URL: http://jira.codehaus.org/browse/MSITE-141
>             Project: Maven 2.x Site Plugin
>          Issue Type: Bug
>          Components: site:deploy
>    Affects Versions: 2.0-beta-5
>         Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
>            Reporter: Martin Vysny
>            Assignee: Lukas Theussl
>            Priority: Critical
>             Fix For: 2.1
>
>
> When the site is deployed into a directory /foo/bar, the following command is issued over ssh:
> chmod -Rf g+w /foo/bar/
> It was intended to use g+r, I presume? :-)


[jira] Updated: (MSITE-141) Possible security hole when deploying site

Posted by "Dennis Lundberg (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MSITE-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dennis Lundberg updated MSITE-141:
----------------------------------

    Component/s: site:deploy

> Possible security hole when deploying site
> ------------------------------------------
>
>                 Key: MSITE-141
>                 URL: http://jira.codehaus.org/browse/MSITE-141
>             Project: Maven 2.x Site Plugin
>          Issue Type: Bug
>          Components: site:deploy
>    Affects Versions: 2.0-beta-5
>         Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
>            Reporter: Martin Vysny
>            Priority: Critical
>             Fix For: 2.0-beta-7
>
>
> When the site is deployed into a directory /foo/bar, the following command is issued over ssh:
> chmod -Rf g+w /foo/bar/
> It was intended to use g+r, I presume? :-)


[jira] Commented: (MSITE-141) Possible security hole when deploying site

Posted by "Dennis Lundberg (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MSITE-141?page=comments#action_65647 ] 

Dennis Lundberg commented on MSITE-141:
---------------------------------------

No, it is meant to be like that. See MSITE-24.

> Possible security hole when deploying site
> ------------------------------------------
>
>          Key: MSITE-141
>          URL: http://jira.codehaus.org/browse/MSITE-141
>      Project: Maven 2.x Site Plugin
>         Type: Bug

>     Versions: 2.0-beta-5
>  Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
>     Reporter: Martin Vysny
>     Priority: Critical

>
>
> When the site is deployed into a directory /foo/bar, the following command is issued over ssh:
> chmod -Rf g+w /foo/bar/
> It was intended to use g+r, I presume? :-)



[jira] Commented: (MSITE-141) Possible security hole when deploying site

Posted by "Christopher McIntosh (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MSITE-141?page=comments#action_74000 ] 
            
Christopher McIntosh commented on MSITE-141:
--------------------------------------------

When will this issue be addressed? My web host provider refuses to serve pages whose group mod is 'w'. I tried using the <filePermissions> and <directoryPermissions> in settings.xml, but even that does not work...

> Possible security hole when deploying site
> ------------------------------------------
>
>                 Key: MSITE-141
>                 URL: http://jira.codehaus.org/browse/MSITE-141
>             Project: Maven 2.x Site Plugin
>          Issue Type: Bug
>    Affects Versions: 2.0-beta-5
>         Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
>            Reporter: Martin Vysny
>            Priority: Critical
>
> When the site is deployed into a directory /foo/bar, the following command is issued over ssh:
> chmod -Rf g+w /foo/bar/
> It was intended to use g+r, I presume? :-)


[jira] Updated: (MSITE-141) Possible security hole when deploying site

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MSITE-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brett Porter updated MSITE-141:
-------------------------------

    Fix Version/s: 2.0-beta-7

> Possible security hole when deploying site
> ------------------------------------------
>
>                 Key: MSITE-141
>                 URL: http://jira.codehaus.org/browse/MSITE-141
>             Project: Maven 2.x Site Plugin
>          Issue Type: Bug
>    Affects Versions: 2.0-beta-5
>         Environment: Linux gentoo 2.6.16 64bit, maven 2.0.2
>            Reporter: Martin Vysny
>            Priority: Critical
>             Fix For: 2.0-beta-7
>
>
> When the site is deployed into a directory /foo/bar, the following command is issued over ssh:
> chmod -Rf g+w /foo/bar/
> It was intended to use g+r, I presume? :-)
