
Bug#588231: apache2: Haphazard permission check on symlinks (might be a Linux bug)



Package: apache2.2-common
Version: 2.2.15-5
Severity: minor


I use symlinks extensively, to expose fragments of my working
directories (development source trees) in my userdir (all of which is
subject to LDAP-based authentication).  I had unwittingly set up some
symlinks that went via directories which were drwx--s--- (in group
cvs, to which www-data doesn't belong) and thus inaccessible to the
web-server (running as user www-data), but the symlinks pointed to
sub-sub-directories which were drwxr-xr-x.  The web-server succeeded
in displaying the contents *usually*, but one of my colleagues noticed
that, on reload, he got 403'd.

The fact that this (mostly) worked at all suggests that apache is
sometimes accessing content as root, instead of as the unprivileged
user www-data.  The problem *might* be that Linux (the underlying O/S)
is being flaky about enforcing permissions.

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  actions alias auth_basic authn_file authnz_ldap authz_default
  authz_host authz_user autoindex cgi dir env ldap mime negotiation
  perl reqtimeout setenvif ssl status userdir

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.ISO-8859-15, LC_CTYPE=en_GB.ISO-8859-15 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork           2.2.15-5   Apache HTTP Server - traditional n
ii  apache2.2-common              2.2.15-5   Apache HTTP Server common files

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils                 2.2.15-5   utility programs for webservers
ii  apache2.2-bin                 2.2.15-5   Apache HTTP Server common binary f
ii  libmagic1                     5.04-2     File type determination library us
ii  lsb-base                      3.2-23.1   Linux Standard Base 3.2 init scrip
ii  mime-support                  3.48-1     MIME files 'mime.types' & 'mailcap
ii  perl                          5.10.1-13  Larry Wall's Practical Extraction 
ii  procps                        1:3.2.8-9  /proc file system utilities

-- no debconf information
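
Added example, not part of the original report: a check for the layout described above, listing every directory on the way to a symlink and to its resolved target that a given uid/gid set cannot search. It judges classic mode bits only (no ACLs or capabilities); the function names and the constructed demo tree are hypothetical.

```python
import os
import stat
import tempfile

def can_search(st, uid, gids):
    """Classic Unix mode-bit check for directory search (x) permission."""
    if uid == 0:                      # root bypasses mode bits
        return True
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def ancestors(path):
    """Every directory that must be traversed to reach path, root first."""
    out, cur = [], os.path.dirname(path)
    while True:
        out.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            return out[::-1]
        cur = parent

def blocked_dirs(link, uid, gids):
    """Directories leading to the link and to its resolved target that the
    given identity cannot search, judged from mode bits only."""
    dirs = ancestors(os.path.abspath(link)) + ancestors(os.path.realpath(link))
    seen, blocked = set(), []
    for d in dirs:
        if d not in seen:
            seen.add(d)
            if not can_search(os.stat(d), uid, gids):
                blocked.append(d)
    return blocked

def build_demo():
    """Constructed tree: userdir/link -> work/private (2710) /a/pub (0755)."""
    old_umask = os.umask(0o022)       # make the 0755 directories predictable
    base = os.path.realpath(tempfile.mkdtemp())
    os.chmod(base, 0o755)             # mkdtemp creates 0700
    private = os.path.join(base, "work", "private")
    pub = os.path.join(private, "a", "pub")
    os.makedirs(pub)
    os.makedirs(os.path.join(base, "userdir"))
    link = os.path.join(base, "userdir", "link")
    os.symlink(pub, link)
    os.chmod(private, 0o2710)         # drwx--s---, as in the report
    os.umask(old_umask)
    return link, private, pub
```

Run against a real userdir link with the web server's uid and group list, for example blocked_dirs(link, pwd.getpwnam("www-data").pw_uid, gids), an empty result means the mode bits alone do not stop that user from reaching the target.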


