【Question title】: Phusion Passenger can't run as root - WARNING: potential privilege escalation vulnerability
【Posted】: 2018-07-25 12:38:45
【Question】:

Hello, I am trying to deploy my Rails application to a VPS with Passenger and apache2, but I get an error:

   [ W 2018-02-14 21:02:37.0342 9640/T1 age/Cor/CoreMain.cpp:969 ]: WARNING: potential privilege escalation vulnerability. Phusion Passenger is running as root, and part(s) of the passenger root path (/home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0) can be changed by non-root user(s):
    The path "/home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
    The path "/home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0" is writeable by any user (or application). Limit write access on the path to only the root user/group.
    The path "/home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
    The path "/home/deploy/.rvm/gems/ruby-2.4.1@spelld.it" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
    The path "/home/deploy/.rvm/gems" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
    The path "/home/deploy/.rvm" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
    The path "/home/deploy" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.

I tried changing the permissions, without success, with:

sudo chmod 700 /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0

sudo chown root:root /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0

I even found the same issue, but I don't know how to solve it... How can I avoid Phusion Passenger running as root?

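【Question comments】:

  • Now I have edited your answer to show the individual lines - you can see that the deeply nested directory isn't the only one with privileges... every subdirectory starting from /home/deploy probably needs to be looked at and chowned

Tags: ruby-on-rails apache2 passenger vps production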


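【Solution 1】:

Passenger author here. Another thing you can do is install your RVM Ruby and Passenger as root, instead of as the user "deploy". That way your Ruby installation and Passenger installation are owned by root, and you will not see this warning.

Even better: use our native Debian/Ubuntu/CentOS packages.

【Comments】:

  • I'll check it out next time.

【Solution 2】:

I would also like to provide some insight. @Hongli's answer is not the whole story. @Taryn East is correct. Even if you chown every directory, you also need to chmod every directory for Passenger to work properly.

In your example, you would need: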

chmod 700 /home/deploy/.rvm
chmod 700 /home/deploy/.rvm/gems/
chmod 700 /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/
chmod 700 /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/
chmod 700 /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0

【Comments】:
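
The warning in the question lists every component from the Passenger root up through /home/deploy, so changing only the deepest directory leaves the other lines in place. As an added example (not part of the original posts and not Passenger's own code), this shell function walks a path upward and reports each component that matches the two conditions named in the warning text; the function name, its optional arguments and the output labels are assumptions of the example, and it needs GNU `stat` and `realpath`.

```shell
# Added example: list every path component that a non-trusted account could
# modify, using the two conditions from the warning text
# (owner is not the trusted user, or the directory is world-writable).
#
# Usage: audit_path PATH [TRUSTED_UID] [STOP_DIR]
#   TRUSTED_UID defaults to 0 (root); STOP_DIR defaults to "/".
#   The optional arguments are assumptions of this example so the function
#   can be tried on a scratch tree.
# Exit status: 0 = no findings, 1 = findings printed, 2 = path not readable.
#
# The body is a subshell "( ... )", so its variables stay local and "exit"
# only ends the function.
audit_path() (
    path=$(realpath -- "$1") || exit 2
    trusted=${2:-0}
    stop=$(realpath -- "${3:-/}") || exit 2
    findings=0

    while :; do
        # %u = numeric owner, %a = octal permission bits (for example 755)
        info=$(stat -c '%u %a' -- "$path") || exit 2
        owner=${info% *}
        mode=${info#* }

        if [ "$owner" != "$trusted" ]; then
            printf 'OWNER  uid=%s mode=%s %s\n' "$owner" "$mode" "$path"
            findings=$((findings + 1))
        fi

        # A last octal digit of 2, 3, 6 or 7 means the "other" write bit is set.
        case "$mode" in
            *[2367])
                printf 'WORLD  uid=%s mode=%s %s\n' "$owner" "$mode" "$path"
                findings=$((findings + 1))
                ;;
        esac

        # Stop once the top of the audited range (or the filesystem root) is done.
        if [ "$path" = "$stop" ] || [ "$path" = "/" ]; then
            break
        fi
        path=$(dirname -- "$path")
    done

    [ "$findings" -eq 0 ]
)
```

Run against the path from the question with the defaults, `audit_path /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0` prints one line per component that is still not owned by root or is world-writable, all the way up to `/`.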
