
Apache 2.4 doesn't respect UNIX file permissions under htdocs


Piano School Zurich
Oct 24, 2023, 6:22:43 AM
Could not crack it despite a 30-year marriage with Unix...
It used to work just fine with Apache 2.2 on Solaris 11.1, but changed after the upgrade to 11.4 and 2.4...
I made a simple and clean demo; the prod server behaves the same way.

root@inet:/# zoneadm list -iv
ID NAME STATUS PATH BRAND IP
3 inet running / solaris shared

root@inet:/# uname -a
SunOS inet 5.11 11.4.42.111.0 i86pc i386 i86pc non-global-zone

I'm running in an NGZ, all right.

From /var/apache2/2.4/conf/httpd.conf:

User webservd
DocumentRoot "/var/apache2/2.4/htdocs"

root@inet:/# ps -ef | grep http
webservd 15790 15789 0 Oct 09 ? 0:00 /usr/apache2/2.4/bin/httpd -k start
webservd 15793 15789 0 Oct 09 ? 0:06 /usr/apache2/2.4/bin/httpd -k start
webservd 15809 15789 0 Oct 09 ? 0:27 /usr/apache2/2.4/bin/httpd -k start
webservd 15791 15789 0 Oct 09 ? 0:03 /usr/apache2/2.4/bin/httpd -k start
webservd 15789 1308 0 Oct 09 ? 0:20 /usr/apache2/2.4/bin/httpd -k start
webservd 15792 15789 0 Oct 09 ? 0:02 /usr/apache2/2.4/bin/httpd -k start
webservd 15719 15694 0 16:39:02 pts/10 0:00 grep http


Now watch my fingers!

root@inet:/# find /var/apache2/2.4/htdocs -ls
8200 9 drwx--x--x 4 root root 4 Oct 17 18:24 /var/apache2/2.4/htdocs
8206 9 drwx--x--x 3 root root 3 Oct 9 10:49 /var/apache2/2.4/htdocs/a ##### despite unreadable parent directories...
8207 9 drwxr-xr-x 3 root root 3 Oct 9 10:49 /var/apache2/2.4/htdocs/a/b ##### webservd should be able to reach this directory AND read content
8208 9 d--------- 3 root root 3 Oct 9 10:49 /var/apache2/2.4/htdocs/a/b/c
8209 9 drwx--x--x 2 root root 3 Oct 9 10:49 /var/apache2/2.4/htdocs/a/b/c/d
8213 5 -rw-r--r-- 1 root root 5 Oct 9 10:16 /var/apache2/2.4/htdocs/a/b/c/d/e.txt ##### but should have no way to reach here!
root@inet:/#
root@inet:/# cat /var/apache2/2.4/htdocs/a/b/c/d/e.txt
haha

Yeah, root can of course

root@inet:/#
root@inet:/# su - webservd
webservd@inet:~$
webservd@inet:~$
webservd@inet:~$ id -a
uid=80(webservd) gid=80(webservd) groups=80(webservd)
webservd@inet:~$
webservd@inet:~$
webservd@inet:~$ ls -l /var/apache2/2.4/htdocs
/var/apache2/2.4/htdocs: Permission denied
total 17
webservd@inet:~$ ls -l /var/apache2/2.4/htdocs/a
/var/apache2/2.4/htdocs/a: Permission denied
total 17
webservd@inet:~$ ls -l /var/apache2/2.4/htdocs/a/b
total 17
d--------- 3 root root 3 Oct 9 10:49 c

All as expected so far...

webservd@inet:~$
webservd@inet:~$ ls -l /var/apache2/2.4/htdocs/a/b/c/d/e.txt
/var/apache2/2.4/htdocs/a/b/c/d/e.txt: Permission denied

And this too. But then...

webservd@inet:~$
webservd@inet:~$ curl http://localhost/a/b/c/d/e.txt
haha
webservd@inet:~$

What's going on with Apache? It can read *anything*, just like root! Even though it is running as webservd... Or isn't it?
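To check what the plain permission bits alone should allow here, the following added example (not part of the post) models the classic owner/group/other check over the tree from the find -ls listing above: every directory on the path needs search (x) for the caller, and the target itself needs read (r). The listing is re-typed as constructed data, and the directories above htdocs (/var, /var/apache2, ...) are assumed traversable.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Inode:
    mode: int   # permission bits only, e.g. 0o711
    uid: int    # owner
    gid: int    # group

# Constructed copy of the post's `find -ls` listing (everything is root:root).
TREE = {
    "/var/apache2/2.4/htdocs":               Inode(0o711, 0, 0),
    "/var/apache2/2.4/htdocs/a":             Inode(0o711, 0, 0),
    "/var/apache2/2.4/htdocs/a/b":           Inode(0o755, 0, 0),
    "/var/apache2/2.4/htdocs/a/b/c":         Inode(0o000, 0, 0),
    "/var/apache2/2.4/htdocs/a/b/c/d":       Inode(0o711, 0, 0),
    "/var/apache2/2.4/htdocs/a/b/c/d/e.txt": Inode(0o644, 0, 0),
}

R_BIT, X_BIT = 4, 1

def permits(node, uid, gids, bit):
    """Classic DAC: uid 0 is exempt; otherwise the owner, group or other triplet applies."""
    if uid == 0:
        return True
    if uid == node.uid:
        shift = 6
    elif node.gid in gids:
        shift = 3
    else:
        shift = 0
    return bool(node.mode & (bit << shift))

def dac_read_check(path, uid, gids, tree=TREE):
    """Return (ok, reason): each parent directory needs x, the target itself needs r."""
    parts = path.split("/")
    for i in range(2, len(parts)):
        prefix = "/".join(parts[:i])
        node = tree.get(prefix)
        if node is None:
            continue  # assumption: directories above the listing (/var, ...) are traversable
        if not permits(node, uid, gids, X_BIT):
            return False, f"no search (x) permission on {prefix}"
    if not permits(tree[path], uid, gids, R_BIT):
        return False, f"no read (r) permission on {path}"
    return True, "readable"

if __name__ == "__main__":
    target = "/var/apache2/2.4/htdocs/a/b/c/d/e.txt"
    for name, uid in (("webservd", 80), ("root", 0)):
        print(name, dac_read_check(target, uid, {uid}))
```

The model reproduces the shell results in the post: webservd is stopped at c, while root passes. When a process reads a file this model says it cannot, the mode bits are not the whole story, and the things that bypass discretionary access checks (extra process privileges, ACLs, or an effective identity other than the one ps shows) are what to verify on the host.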
