ruby-on-rails - Phusion Passenger is running as root, and part(s) of the Passenger root path () can be changed by non-root user(s)
Problem description
[Thu Jul 05 07:58:30.268108 2018] [core:warn] [pid 7157] AH00117: Ignoring deprecated use of DefaultType in line 111 of /usr/local/apache/conf/httpd.conf.
[Thu Jul 05 07:58:30.268302 2018] [alias:warn] [pid 7157] AH00671: The Alias directive in /usr/local/apache/conf/httpd.conf at line 318 will probably never match because it overlaps an earlier Alias.
[Thu Jul 05 07:58:30.270866 2018] [:notice] [pid 7157] HiveEXEC mechanism enabled (wrapper: /usr/local/1h/sbin/hive_exec)
[Thu Jul 05 07:58:30.276835 2018] [:notice] [pid 28647] FastCGI: process manager initialized (pid 28647)
[ N 2018-07-05 07:58:30.2928 28649/T1 age/Wat/WatchdogMain.cpp:1297 ]: Starting Passenger watchdog...
[ N 2018-07-05 07:58:30.3078 28652/T1 age/Cor/CoreMain.cpp:1202 ]: Starting Passenger core...
[ N 2018-07-05 07:58:30.3079 28652/T1 age/Cor/CoreMain.cpp:252 ]: Passenger core running in multi-application mode.
[ W 2018-07-05 07:58:30.3242 28652/T1 age/Cor/CoreMain.cpp:929 ]: **WARNING: potential privilege escalation vulnerability detected. Phusion Passenger is running as root, and part(s) of the Passenger root path (/usr/local/rvm/gems/ruby-2.4.1@myspace_new/gems/passenger-5.3.2) can be changed by non-root user(s):**
- /usr/local/rvm/gems/ruby-2.4.1@myspace_new/gems is not secure: it can be modified by group rvm
- /usr/local/rvm/gems is not secure: it can be modified by group rvm
Please either fix up the permissions for the insecure paths, or install Passenger in a different location that can only be modified by root.
[ N 2018-07-05 07:58:30.3242 28652/T1 age/Cor/CoreMain.cpp:937 ]: Passenger core online, PID 28652
[Thu Jul 05 07:58:30.327114 2018] [mpm_prefork:notice] [pid 7157] AH00163: Apache/2.4.29 (Unix) mod_hive/6.6 OpenSSL/1.0.1e-fips mod_fastcgi/2.4.6 Phusion_Passenger/5.3.2 configured -- resuming normal operations
[Thu Jul 05 07:58:30.327141 2018] [core:notice] [pid 7157] AH00094: Command line: '/usr/local/apache/bin/httpd -D SSL'
[ N 2018-07-05 07:58:30.5457 27311/T1 age/Cor/CoreMain.cpp:1187 ]: **Passenger core shutdown finished**
Solution
The answer, for me:
1 - For the website in /opt/redmine/redmine-site-version
sudo chown www-data:redmine-user -R /opt/redmine/
2 -
cd /opt
sudo chown root:root redmine/
cd /opt/redmine
sudo chown root:root .rvm/
cd /opt/redmine/.rvm
sudo chown root:root gems/
cd /opt/redmine/.rvm/gems
sudo chown root:root ruby-2.4.5@redmine-4.0-stable-prod-unis
cd /opt/redmine/.rvm/gems/ruby-2.4.5@redmine-4.0-stable-prod-unis
sudo chown root:root gems/
cd /opt/redmine/.rvm/gems/ruby-2.4.5@redmine-4.0-stable-prod-unis/gems
sudo chown root:root passenger-6.0.2
Restart Apache2
Look at your logs.
Redmine RVM 2020: https://wiki.visionduweb.fr/index.php?title=Installer_Redmine_sur_Debian_avec_RVM#Notes_de_s.C3.A9curit.C3.A9
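
Added example, not part of the original answer and not Passenger's own code: a POSIX shell check that walks from the Passenger root directory up to / and lists every component that is not owned by root or is writable by group or others, so the result of the chown steps can be confirmed before restarting Apache. The function name `insecure_components`, its output format and the optional trusted-UID argument are assumptions of this example, and Passenger's own test may differ in detail.

```shell
#!/bin/sh
# Added example (not Passenger's code). Walks from a directory up to / and
# reports every component a user other than TRUSTED_UID could modify.
# Usage: insecure_components DIR [TRUSTED_UID]   (TRUSTED_UID defaults to 0, root)
insecure_components() (
    trusted_uid=${2:-0}
    found=0
    # Resolve symlinks so the check covers the real on-disk path.
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "cannot access $1" >&2; return 2; }
    while :; do
        # "ls -ldn" prints the mode string and the numeric uid on GNU and BSD alike.
        info=$(ls -ldn "$dir")
        mode=${info%% *}
        uid=$(printf '%s\n' "$info" | awk '{print $3}')
        if [ "$uid" != "$trusted_uid" ]; then
            echo "$dir: owned by uid $uid"; found=1
        fi
        # Character 6 of the mode string is group write, character 9 is other write.
        case $mode in ?????w*) echo "$dir: writable by group"; found=1 ;; esac
        case $mode in ????????w*) echo "$dir: writable by others"; found=1 ;; esac
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    # Exit status 0 means every component passed, 1 means at least one finding.
    return "$found"
)

# When run as a script, check the directory given on the command line, e.g. the
# Passenger root path printed in the warning.
if [ "$#" -gt 0 ]; then
    insecure_components "$@"
fi
```

A directory whose group was changed to root but whose mode still has the group write bit set is still reported as "writable by group"; `chmod g-w` on that directory clears the finding.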