[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#672333: apache2-mpm-itk: wrong 403 response when requesting .htaccess protected files from a different UserID in a persistent connection

Package: apache2-mpm-itk
Version: 2.2.16-6+squeeze4
Severity: important

This is a known bug that is fixed in testing. The report is primarily
to back the request for including the patch in s-p-u.

The upstream-patch is attached for completeness.

Steps to reproduce:

useradd user1
useradd user2

cat >> /etc/hosts <<EOF  itk1.local  itk2.local

cat > /etc/apache2/sites-enabled/itk1 <<EOF
<VirtualHost *:80>
    AssignUserID user1 user1
    ServerName itk1.local
    DocumentRoot /tmp/itk1

cat > /etc/apache2/sites-enabled/itk2 <<EOF
<VirtualHost *:80>
    AssignUserID user2 user2
    ServerName itk2.local
    DocumentRoot /tmp/itk2

mkdir /tmp/itk1 /tmp/itk2

cat > /tmp/itk1/index.html <<EOF
<a href="http://itk2.local/";>itk2</a>

cat > /tmp/itk2/index.html <<EOF
<a href="http://itk1.local/";>itk1</a>

touch /tmp/itk1/.htaccess
touch /tmp/itk2/.htaccess

chown -R user1:user1 /tmp/itk1
chown -R user2:user2 /tmp/itk1

chmod o-rwx /tmp/itk1/.htaccess
chmod o-rwx /tmp/itk2/.htaccess

apache2ctl restart

$BROWSER http://itk1.local/

Then switch between the two sites by clicking the links a few times
and you will get a wrong 403 response, given that you have "KeepAlive
On" in /etc/apache/apache2.conf and $BROWSER supports persistent


Fix an issue where users can sometimes get spurious 403s on persistent
connections (the description in the comments explains the logic).
This would particularly hit people with reverse proxies, since these
have a higher tendency of accessing things from different vhosts in
the same connection.

Index: httpd-2.2.17/server/config.c
--- httpd-2.2.17.orig/server/config.c
+++ httpd-2.2.17/server/config.c
@@ -1840,6 +1840,34 @@ AP_CORE_DECLARE(int) ap_parse_htaccess(a
         else {
             if (!APR_STATUS_IS_ENOENT(status)
                 && !APR_STATUS_IS_ENOTDIR(status)) {
+#ifdef ITK_MPM
+                /*
+                 * If we are in a persistent connection, we might end up in a state
+                 * where we can no longer read .htaccess files because we have already
+                 * setuid(). This can either be because the previous request was for
+                 * another vhost (basically the same problem as when setuid() fails in
+                 * itk.c), or it can be because a .htaccess file is readable only by
+                 * root.
+                 *
+                 * In any case, we don't want to give out a 403, since the request has
+                 * a very real chance of succeeding on a fresh connection (where
+                 * presumably uid=0). Thus, we give up serving the request on this
+                 * TCP connection, and do a hard close of the socket. As long as we're
+                 * in a persistent connection (and there _should_ not be a way this
+                 * would happen on the first request in a connection, save for subrequests,
+                 * which we special-case), this is allowed, as it is what happens on
+                 * a timeout. The browser will simply open a new connection and try
+                 * again (there's of course a performance hit, though, both due to
+                 * the new connection setup and the fork() of a new server child).
+                 */
+                if (r->main == NULL && getuid() != 0) {
+                    ap_log_rerror(APLOG_MARK, APLOG_WARNING, status, r,
+                                  "Couldn't read %s, closing connection.",
+                                  filename);
+                    ap_lingering_close(r->connection);
+                    exit(0);
+                }
                 ap_log_rerror(APLOG_MARK, APLOG_CRIT, status, r,
                               "%s pcfg_openfile: unable to check htaccess file, "
                               "ensure it is readable",

-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (700, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2-mpm-itk depends on:
ii  apache2.2-bin          2.2.16-6+squeeze4 Apache HTTP Server common binary f
ii  apache2.2-common       2.2.16-6+squeeze4 Apache HTTP Server common files

apache2-mpm-itk recommends no packages.

apache2-mpm-itk suggests no packages.

-- no debconf information

Reply to: