Dolibarr .deb package: Whole installation writable for web server user reduces security

I already made a related post with background information here:
However, I want to clarify the root issue and would love to hear feedback from the developers.

The issue is that dolibarr.postinst assigns the entire usr/share/dolibarr folder to the webuser www-data and also grants editing rights. This means that not only conf.php is writable, but the whole folder with its contents. This also means that the issue at large is not fixed by just changing conf.php from write to read, as suggested before.

For reference:

mkdir -p /etc/dolibarr
touch /etc/dolibarr/conf.php
chown root:www-data /etc/dolibarr/conf.php
chmod 660 /etc/dolibarr/conf.php
...
webuser=www-data
webgroup=www-data
...
chown -R $webuser:$webgroup /usr/share/dolibarr

Essentially, this allows someone with (malicious intent and) access through dolibarr to the www-data user to edit files in usr/share/dolibarr and consequently access to a vulnerability (folder-wide and unnecessary editing rights).

This is an opportunity for attackers to receive access to:

  1. change the installation and
  2. permanently launch attacks on the system and
  3. receive access to the system beyond dolibarr

It would be appreciated if the devs changed the .deb package so that the edit rights for the www-user won’t be granted to begin with. That way the potential security risk can be reduced.
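As an added defender's check, not from this post or from the Dolibarr packaging: a POSIX shell script that counts what the web user could modify under an install tree and then applies the least-privilege layout the post asks for (code read-only, conf.php readable but not writable by the web server, only the data directory writable). Assumed and not taken from the post: the code tree, conf.php and a separate data/documents directory are passed as arguments, and ownership is only changed when running as root so the audit works unprivileged.

```shell
#!/bin/sh
# Added example (not from the forum post or Dolibarr's postinst): audit a
# Dolibarr tree for entries the web server user could modify, then apply a
# least-privilege layout. Assumed layout: code tree, conf.php and a separate
# data/documents directory are passed as arguments; ownership is only changed
# when running as root, so the audit and mode changes also work unprivileged.

# count_writable_by TREE USER GROUP
# Prints the number of entries under TREE that USER could write to: owned by
# USER with u+w, in GROUP with g+w, or world-writable. Symlinks are skipped
# because their own mode bits are meaningless. 0 means the tree is read-only
# for the web user, which is what the code tree should report.
count_writable_by() {
    find "$1" ! -type l \( \( -user "$2" -perm -u+w \) \
        -o \( -group "$3" -perm -g+w \) -o -perm -o+w \) | wc -l | tr -d ' '
}

# harden_dolibarr CODE CONF DATA WEBUSER WEBGROUP
# Replaces the package's "chown -R $webuser:$webgroup <code tree>" with:
#   CODE  root:root, readable/executable by all, writable by nobody
#   CONF  root:WEBGROUP 0640, so the web server reads but cannot rewrite it
#   DATA  WEBUSER:WEBGROUP, the only tree the web server may write (uploads)
harden_dolibarr() {
    code="$1"; conf="$2"; data="$3"; webuser="$4"; webgroup="$5"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:root "$code"
        chown root:"$webgroup" "$conf"
        chown -R "$webuser:$webgroup" "$data"
    fi
    chmod -R a-w,a+rX "$code"    # root still writes: mode bits do not bind root
    chmod 640 "$conf"            # unprivileged run: only the mode bits change
    chmod -R u+rwX,g+rX,o-rwx "$data"
}

# Example run on a real install, as root (data path is a placeholder):
#   count_writable_by /usr/share/dolibarr www-data www-data
#   harden_dolibarr /usr/share/dolibarr /etc/dolibarr/conf.php \
#       /path/to/dolibarr-documents www-data www-data
#   count_writable_by /usr/share/dolibarr www-data www-data   # expect 0
```

Dolibarr features that write under the code tree (web-based module installation, for instance) would then need their own narrowly scoped writable path rather than the whole tree.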

I don’t use the debian package, I use tuxgasy container, but your post has made me want to check how it is inside the container.

Seems to be the same inside the container :frowning:

dolibarr@jhetz:~$ punter sleepy_cartwright bash
root@88d96ed18c85:/var/www/html# ls -la
total 604
drwxrwxrwt   1 www-data www-data   4096 Nov 18 02:16 .
drwxr-xr-x   1 www-data www-data   4096 Nov 18 02:16 ..
drwxr-xr-x  11 www-data www-data   4096 Nov 18 02:16 accountancy
drwxr-xr-x   9 www-data www-data   4096 Nov 18 02:16 adherents
drwxr-xr-x   6 www-data www-data   4096 Nov 18 02:16 admin
drwxr-xr-x   4 www-data www-data   4096 Nov 18 02:16 api
drwxr-xr-x   6 www-data www-data   4096 Nov 18 02:16 asset
drwxr-xr-x   2 www-data www-data   4096 Nov 18 02:16 asterisk
drwxr-xr-x   2 www-data www-data   4096 Nov 18 02:16 barcode
drwxr-xr-x   6 www-data www-data   4096 Nov 18 02:16 blockedlog
drwxr-xr-x   6 www-data www-data   4096 Nov 18 02:16 bom
drwxr-xr-x   5 www-data www-data   4096 Nov 18 02:16 bookcal
drwxr-xr-x   4 www-data www-data   4096 Nov 18 02:16 bookmarks
drwxr-xr-x   4 www-data www-data   4096 Nov 18 02:16 categories
drwxr-xr-x   2 www-data www-data   4096 Nov 18 02:16 collab
drwxr-xr-x   7 www-data www-data   4096 Nov 18 02:16 comm
...