[Secure-testing-team] Bug#739047: Bad Permissions check for linking files
Narcis Garcia
debianbugs at actiu.net
Sat Feb 15 11:53:40 UTC 2014
Package: webfs
Version: 1.21+ds1-8.1
Severity: normal
Tags: security upstream
I've been trying webfsd 1.21 to serve gobby/infinoted files, but due to these problems:
http://gobby.0x539.de/trac/ticket/617
https://bugs.archlinux.org/task/18746
People cannot open files easily, and need to open more permissions than necessary.
Files are created with umask 077 (only owner reads; not the group), and webfsd only shows links to files in directory listings when the primary GROUP has read permission.
File links should be made when the file is simply readable, whether because of owner, group or others. This situation (and combination) forces one to set the owner and group of files to match the primary UID & GID of this webserver.
-- System Information:
Debian Release: 7.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-openvz-042stab084.14-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages webfs depends on:
ii debconf [debconf-2.0] 1.5.49
ii libc6 2.13-38
ii libgcrypt11 1.5.0-5+deb7u1
ii libgnutls26 2.12.20-7
ii ucf 3.0025+nmu3
webfs recommends no packages.
webfs suggests no packages.
-- debconf information:
webfsd/web_conn:
webfsd/web_virtual: false
webfsd/web_port:
webfsd/web_user: www-data
webfsd/web_cgipath:
webfsd/web_syslog: false
webfsd/web_group: www-data
webfsd/web_ip:
webfsd/web_extras:
webfsd/web_index:
webfsd/web_timeout:
webfsd/web_host:
webfsd/web_dircache:
webfsd/pending: no
webfsd/web_accesslog:
webfsd/web_logbuffering: true
webfsd/web_root: /srv/ftp