Artifact cf0d15704098422a3a256085aef1aaee0fcd7bd7:
Ticket change [cf0d157040] - New ticket [c9e84b5671] fossil treats anybody connecting from 127.0.0.1 as user with UID 1. by anonymous 2010-11-18 01:05:05.
D 2010-11-18T01:05:05
J comment Even\sin\sserver\smode,\sfossil\sconsiders\sany\suser\sconnecting\sfrom\s127.0.0.1\sto\sbe\ssuper\suser.\sIt\sseems\slike\sno\spolicy\smechanism\sis\sin\seffect\swhatsoever.\sThis\sis\sespecially\stroubling\sin\scase\syou\sare\sproxy-ing\straffic\sfrom\sa\sweb\sserver\s(say\slighttpd)\sto\sa\sfossil\sinstance\sin\sserver\smode,\swhere\sboth\sprograms\srun\son\sthe\ssame\smachine.\r\n\r\nAlso,\swhen\sconnecting\sto\sa\sfossil\sserver\sover\sSSH\sand\sboth\sSSHd\sand\sfossil\srun\son\sthe\ssame\smachine,\syour\sconnection\sis\sconsidered\sto\soriginate\sfrom\s127.0.0.1.\sNo\spolicy\scan\sbe\sapplied\son\ssuch\susers\sand\sanybody\sconnecting\sin\sthis\sway\sis\streated\sas\ssuper\suser.\r\nThis\snot\sonly\saffects\sfossil\sin\sserver\smode\sbut\salso\sfossil\srunning\sas\sCGI\sexecuted\sby\sweb\sserver,\sif\sthe\sweb\sserver\sand\sSSHd\sare\son\sthe\ssame\smachine.
J foundin 9c31866404
J private_contact 68272c6eae73c7078fef2abf11458ad864fc0aad
J severity Severe
J status Open
J title fossil\streats\sanybody\sconnecting\sfrom\s127.0.0.1\sas\suser\swith\sUID\s1
J type Feature_Request
K c9e84b567178d755d216f095ca98da3a92d6a4cd
U anonymous
Z 7db286aee81e1a3df6f816843061999b