Received: (qmail 80232 invoked by uid 501); 9 May 2001 10:52:19 -0000 Message-Id: <20010509105219.80231.qmail@apache.org> Date: 9 May 2001 10:52:19 -0000 From: Gwenael Letellier Reply-To: glr@INTRINsec.com To: submit@bugz.apache.org Subject: Apache doesn't understand XFS ACLs X-Send-Pr-Version: 3.110 >Number: 7690 >Category: os-linux >Synopsis: Apache doesn't understand XFS ACLs >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Wed May 09 04:00:01 PDT 2001 >Closed-Date: >Last-Modified: >Originator: glr@INTRINsec.com >Release: 1.3.14;1.3.19 >Organization: apache >Environment: Linux - 2.4.2XFSv1 Stock RedHat 7.1 with SGI XFSv1 Installer CD Apache 1.3.19 >Description: Hi, This bug is being submitted both to XFS and Apache bug reporting systems. First thank you all at SGI for the great work. RH-71 with XFS root installed nicely on my laptop. Now my problem : I have been taking a look at XFS ACLs, and there seem to be a problem with apache not taking XFS ACLs into account. Details : Software versions : stock RH-71 with XFS-1.0 install disk, Apache-1.3.19 Problem : say I have a user called gwen, with home directory /home/gwen. Apache is running under apache.apache and user home directories are configured to be readable as ~gwen for /home/gwen/public_html. Apache indexes on index.html. If I set the following perms, without any ACLs, everything is working fine : drwxr-xr-x root root /home drwx-----x gwen gwen /home/gwen drwx---r-x gwen gwen /home/gwen/public_html -rwx---r-- gwen gwen /home/gwen/public_html/index.html I have access to index.html, which prints out a nice "Hello, World!" ;-). If I want to be more restrictive, and use ACLs to allow access to this file only to the user named apache, and/or (tried both) to the group named apache, I get a 403 Forbidden error from apache. Permissions are set the following way : drwxr-xr-x root root /home drwx------ gwen gwen /home/gwen drwx------ gwen gwen /home/gwen/public_html -rwx------ gwen gwen /home/gwen/public_html/index.html and the following ACLs are set too, for the user apache, group apache : d--x--x--- apache apache /home/gwen dr-xr-x--- apache apache /home/gwen/public_html -r-xr-x--- apache apache /home/gwen/public_html/index.html I don't know whether I did something wrong in ACL settings. I think it has to do with the way Apache checks for perms. >How-To-Repeat: Just configure a "normal" apache on a Linux/XFS system. >Fix: Beware ! I am in no way a C expert nor an Apache source code expert. The following hint is just my understanding of the problem after wandering through the code. I think this is because Apache does its own permission check (using stat) before opening the file. Trying to fopen the file even if apache perm check failed might solve the problem. >Release-Note: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]