
Apache 2.4 doesn't respect UNIX file permissions under htdocs


Piano School Zurich

Oct 24, 2023, 6:22:43 AM
Could not crack it despite 30 years of marriage with Unix...
It used to work just fine with Apache 2.2 on Solaris 11.1, but changed after the upgrade to 11.4 and 2.4...
I made a simple and clean demo; the prod server behaves the same way.

root@inet:/# zoneadm list -iv
ID NAME STATUS PATH BRAND IP
3 inet running / solaris shared

root@inet:/# uname -a
SunOS inet 5.11 11.4.42.111.0 i86pc i386 i86pc non-global-zone

I'm running in an NGZ, all right.

From /var/apache2/2.4/conf/httpd.conf:

User webservd
DocumentRoot "/var/apache2/2.4/htdocs"

root@inet:/# ps -ef | grep http
webservd 15790 15789 0 Oct 09 ? 0:00 /usr/apache2/2.4/bin/httpd -k start
webservd 15793 15789 0 Oct 09 ? 0:06 /usr/apache2/2.4/bin/httpd -k start
webservd 15809 15789 0 Oct 09 ? 0:27 /usr/apache2/2.4/bin/httpd -k start
webservd 15791 15789 0 Oct 09 ? 0:03 /usr/apache2/2.4/bin/httpd -k start
webservd 15789 1308 0 Oct 09 ? 0:20 /usr/apache2/2.4/bin/httpd -k start
webservd 15792 15789 0 Oct 09 ? 0:02 /usr/apache2/2.4/bin/httpd -k start
webservd 15719 15694 0 16:39:02 pts/10 0:00 grep http


Now watch my fingers!

root@inet:/# find /var/apache2/2.4/htdocs -ls
8200 9 drwx--x--x 4 root root 4 Oct 17 18:24 /var/apache2/2.4/htdocs
8206 9 drwx--x--x 3 root root 3 Oct 9 10:49 /var/apache2/2.4/htdocs/a ##### despite unreadable parent directories...
8207 9 drwxr-xr-x 3 root root 3 Oct 9 10:49 /var/apache2/2.4/htdocs/a/b ##### webservd should be able to reach this directory AND read content
8208 9 d--------- 3 root root 3 Oct 9 10:49 /var/apache2/2.4/htdocs/a/b/c
8209 9 drwx--x--x 2 root root 3 Oct 9 10:49 /var/apache2/2.4/htdocs/a/b/c/d
8213 5 -rw-r--r-- 1 root root 5 Oct 9 10:16 /var/apache2/2.4/htdocs/a/b/c/d/e.txt ##### but should have no way to reach here!
root@inet:/#
root@inet:/# cat /var/apache2/2.4/htdocs/a/b/c/d/e.txt
haha

Yeah, root can, of course.

root@inet:/#
root@inet:/# su - webservd
webservd@inet:~$
webservd@inet:~$
webservd@inet:~$ id -a
uid=80(webservd) gid=80(webservd) groups=80(webservd)
webservd@inet:~$
webservd@inet:~$
webservd@inet:~$ ls -l /var/apache2/2.4/htdocs
/var/apache2/2.4/htdocs: Permission denied
total 17
webservd@inet:~$ ls -l /var/apache2/2.4/htdocs/a
/var/apache2/2.4/htdocs/a: Permission denied
total 17
webservd@inet:~$ ls -l /var/apache2/2.4/htdocs/a/b
total 17
d--------- 3 root root 3 Oct 9 10:49 c

All as expected so far...

webservd@inet:~$
webservd@inet:~$ ls -l /var/apache2/2.4/htdocs/a/b/c/d/e.txt
/var/apache2/2.4/htdocs/a/b/c/d/e.txt: Permission denied

And this too. But then...

webservd@inet:~$
webservd@inet:~$ curl http://localhost/a/b/c/d/e.txt
haha
webservd@inet:~$

What's going on with Apache? It can read *anything*, just like root! Even though it is running as webservd... Or isn't it?
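Added example, not from the post above: a small Python model of the check the poster carried out by hand, so the three `ls` results and the `curl` result can be compared against what the mode bits alone predict. The tree is a constructed copy of the `find -ls` listing (all root:root, modes as shown); uid/gid 80 come from the `id -a` output. `file_dac_search` and `file_dac_read` are real Solaris privilege names that exempt a process from the search and read checks respectively; whether httpd actually holds either on the poster's zone is an assumption the model only illustrates, not a fact from the page.

```python
# Added example: a model of the classic UNIX DAC path check, run against a
# synthetic copy of the tree in the post. Not code from the original post.

# Constructed from the `find -ls` output: path -> (mode, owner uid, owner gid).
# Everything is root:root (0:0); modes are the octal form of the listing.
POSTED_TREE = {
    "htdocs":               (0o711, 0, 0),  # drwx--x--x
    "htdocs/a":             (0o711, 0, 0),  # drwx--x--x
    "htdocs/a/b":           (0o755, 0, 0),  # drwxr-xr-x
    "htdocs/a/b/c":         (0o000, 0, 0),  # d---------
    "htdocs/a/b/c/d":       (0o711, 0, 0),  # drwx--x--x
    "htdocs/a/b/c/d/e.txt": (0o644, 0, 0),  # -rw-r--r--
}

# Solaris privilege names that bypass the mode bits. The names are real;
# whether httpd holds them on the poster's box is an assumption (check with ppriv).
FILE_DAC_SEARCH = "file_dac_search"   # exempts the process from the x check on directories
FILE_DAC_READ = "file_dac_read"       # exempts the process from the r check on the object
WEBSERVD = (80, 80)                   # uid, gid from `id -a` in the post


def class_bits(mode, uid, gid, owner, group, groups=()):
    """Pick the rwx triplet that applies to the subject, as POSIX does:
    owner class if the uid matches, else group class if the gid or any
    supplementary group matches, else the 'other' class."""
    if uid == owner:
        shift = 6
    elif gid == group or group in groups:
        shift = 3
    else:
        shift = 0
    return (mode >> shift) & 0o7


def dac_check(tree, path, uid, gid, groups=(), privs=frozenset(), want="r"):
    """Simulate pathname resolution followed by the final access check.

    `path` is a '/'-separated key of `tree`. Every directory on the way
    needs search (x) for the subject; the final component needs `want`
    ('r', 'w' or 'x'). Returns (allowed, reason). uid 0 is modelled as
    holding both DAC privileges: root has the full privilege set on Solaris,
    and CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH give the same effect on Linux.
    """
    privs = set(privs)
    if uid == 0:
        privs |= {FILE_DAC_SEARCH, FILE_DAC_READ}
    parts = path.split("/")
    if FILE_DAC_SEARCH not in privs:
        for i in range(1, len(parts)):           # every parent directory
            comp = "/".join(parts[:i])
            mode, owner, group = tree[comp]
            if not class_bits(mode, uid, gid, owner, group, groups) & 0o1:
                return False, f"no search (x) on {comp} (mode {mode:04o})"
    mode, owner, group = tree[path]
    need = {"r": 0o4, "w": 0o2, "x": 0o1}[want]
    if want == "r" and FILE_DAC_READ in privs:
        return True, f"{path}: read bypassed by {FILE_DAC_READ}"
    if not class_bits(mode, uid, gid, owner, group, groups) & need:
        return False, f"no {want} on {path} (mode {mode:04o})"
    return True, f"{path}: allowed by mode bits"


def explain(tree, path, subject, privs=frozenset()):
    """One-line verdict for a (uid, gid) subject, for printing."""
    uid, gid = subject
    ok, why = dac_check(tree, path, uid, gid, privs=privs)
    return f"{'ALLOW' if ok else 'DENY '} uid={uid} privs={sorted(privs) or '-'}: {why}"


if __name__ == "__main__":
    target = "htdocs/a/b/c/d/e.txt"
    # The three `ls` results from the post, reproduced from mode bits alone.
    for p in ("htdocs", "htdocs/a/b", target):
        print(explain(POSTED_TREE, p, WEBSERVD))
    # root, and webservd holding only file_dac_search, both read e.txt:
    # the file itself is world-readable, only the walk through c/ is blocked.
    print(explain(POSTED_TREE, target, (0, 0)))
    print(explain(POSTED_TREE, target, WEBSERVD, {FILE_DAC_SEARCH}))
```

Two things the model makes visible. First, the only thing standing between uid 80 and `e.txt` is the search bit on `c` (the file is 0644, so no read privilege is needed), which is why a process with nothing more than `file_dac_search` reproduces the `curl` result exactly. Second, the shell started with `su - webservd` was denied, so a ZFS ACL on the directories (`ls -v` would show one) is ruled out; the difference is per process, not per user. The check a practitioner would run next is therefore on the httpd processes themselves: `ppriv -S <pid>` for one of the listed httpd PIDs, compared with `ppriv -S $$` from the webservd shell, and, on the assumption that the service is `svc:/network/http:apache24`, `svcprop -p start/privileges svc:/network/http:apache24` to see whether the SMF method context grants extra privileges at start.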
