Bug#588231: apache2: Haphazard permission check on symlinks (might be a Linux bug)
Package: apache2.2-common
Version: 2.2.15-5
Severity: minor
I use symlinks extensively, to expose fragments of my working
directories (development source trees) in my userdir (all of which is
subject to LDAP-based authentication). I had unwittingly set up some
symlinks that went via directories which were drwx--s--- (in group
cvs, to which www-data doesn't belong) and thus inaccessible to the
web-server (running as user www-data), but the symlinks pointed to
sub-sub-directories which were drwxr-xr-x. The web-server succeeded
in displaying the contents *usually*, but one of my colleagues noticed
that, on reload, he got 403'd.
The fact that this (mostly) worked at all suggests that apache is
sometimes accessing content as root, instead of as the unprivileged
user www-data. The problem *might* be that Linux (the underlying O/S)
is being flaky about enforcing permissions.
-- Package-specific info:
List of enabled modules from 'apache2 -M':
actions alias auth_basic authn_file authnz_ldap authz_default
authz_host authz_user autoindex cgi dir env ldap mime negotiation
perl reqtimeout setenvif ssl status userdir
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-trunk-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.ISO-8859-15, LC_CTYPE=en_GB.ISO-8859-15 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages apache2 depends on:
ii apache2-mpm-prefork 2.2.15-5 Apache HTTP Server - traditional n
ii apache2.2-common 2.2.15-5 Apache HTTP Server common files
apache2 recommends no packages.
apache2 suggests no packages.
Versions of packages apache2.2-common depends on:
ii apache2-utils 2.2.15-5 utility programs for webservers
ii apache2.2-bin 2.2.15-5 Apache HTTP Server common binary f
ii libmagic1 5.04-2 File type determination library us
ii lsb-base 3.2-23.1 Linux Standard Base 3.2 init scrip
ii mime-support 3.48-1 MIME files 'mime.types' & 'mailcap
ii perl 5.10.1-13 Larry Wall's Practical Extraction
ii procps 1:3.2.8-9 /proc file system utilities
-- no debconf information
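The permission situation described in the report, as an added example that is not part of the bug report or of Apache: a Python model of the per-component check the kernel applies when a path is opened through a symlink. The directory layout is reconstructed from the description (userdir, symlink, a drwx--s--- directory in a group the web server is not in, a drwxr-xr-x sub-sub-directory underneath it); the identities are assumptions (uid 33 is www-data on Debian), and because a test cannot switch users the check is emulated in Python against the real inodes' mode, owner and group rather than calling access(2). The root bypass is modelled too, since that is the behaviour the reporter suspects.

```python
"""Added example (not from the bug report): emulate the kernel's per-component
discretionary access check for a path reached through a symlink.  The tree is
constructed test data reconstructed from the report; uid 33 for www-data is an
assumption.  Access is modelled in Python on real mode/owner/group bits, since
the test cannot run as another user."""
import os
import shutil
import tempfile

R, X = 4, 1  # read and search bits within one rwx triple


def dac_allows(st, uid, gids, want):
    """Classic Unix DAC check for a single inode.

    Selects the owner, group or other triple exactly as the kernel does and
    requires every bit in `want`.  uid 0 is let through unconditionally:
    root (CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH) bypasses mode bits.
    """
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        triple = (mode >> 6) & 7
    elif st.st_gid in gids:
        triple = (mode >> 3) & 7
    else:
        triple = mode & 7
    return triple & want == want


def check_path(path, uid, gids, root):
    """Follow `path` the way the kernel's path walk does: resolve symlinks
    first (the link itself is never permission-checked), then demand search
    (x) on every directory from `root` down and read (r) on the final file.
    Directories above `root` are assumed traversable.
    Returns (ok, first_component_that_failed_or_None)."""
    real = os.path.realpath(path)
    base = os.path.dirname(root)
    cur = base
    parts = os.path.relpath(real, base).split(os.sep)
    for part in parts[:-1]:
        cur = os.path.join(cur, part)
        if not dac_allows(os.stat(cur), uid, gids, X):
            return False, cur
    leaf = os.path.join(cur, parts[-1])
    if not dac_allows(os.stat(leaf), uid, gids, R):
        return False, leaf
    return True, None


def build_layout(root):
    """Reconstruct the reporter's tree (constructed test data):
        root/                          0755
        root/public_html/              0755  the userdir Apache serves
        root/public_html/frag -> ../work/proj/sub
        root/work/                     2710  drwx--s---, group-only
        root/work/proj/                0755
        root/work/proj/sub/            0755  drwxr-xr-x, the symlink target
        root/work/proj/sub/index.html  0644
    """
    os.chmod(root, 0o755)
    sub = os.path.join(root, "work", "proj", "sub")
    os.makedirs(sub)
    os.chmod(os.path.join(root, "work"), 0o2710)
    os.chmod(os.path.join(root, "work", "proj"), 0o755)
    os.chmod(sub, 0o755)
    index = os.path.join(sub, "index.html")
    with open(index, "w") as f:
        f.write("<p>fragment</p>\n")
    os.chmod(index, 0o644)
    os.makedirs(os.path.join(root, "public_html"))
    os.chmod(os.path.join(root, "public_html"), 0o755)
    os.symlink(os.path.join("..", "work", "proj", "sub"),
               os.path.join(root, "public_html", "frag"))
    return index


def demo():
    """Check the symlinked path as three identities and return the results."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="symlink-perm-"))
    try:
        build_layout(root)
        via_link = os.path.join(root, "public_html", "frag", "index.html")
        me_uid, me_gid = os.getuid(), os.getgid()
        work_gid = os.stat(os.path.join(root, "work")).st_gid
        # Assumed web-server identity: uid/gid 33 (www-data on Debian), made
        # foreign to the tree's owner and to the group of the 2710 directory.
        www_uid = 33 if me_uid != 33 else 34
        www_gids = {33} if work_gid != 33 else {34}
        return {
            "blocking_dir": os.path.join(root, "work"),
            "www-data": check_path(via_link, www_uid, www_gids, root),
            "owner": check_path(via_link, me_uid, {me_gid}, root),
            "root": check_path(via_link, 0, {0}, root),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for who, result in demo().items():
        print(f"{who:12} {result}")
```

Run as a script, the model denies the www-data-like identity at the drwx--s--- directory even though the symlink target itself is world-readable, allows the owner, and allows uid 0 because the DAC bits are not consulted for root. That is the check a correctly unprivileged worker should hit on every request; it does not by itself say why the server in the report answered some requests and 403'd others.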