--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apache2-mpm-itk: wrong 403 response when requesting .htaccess protected files from a different UserID in a persistent connection
- From: Henrik Heil <h.heil@zweipol.net>
- Date: Thu, 10 May 2012 09:15:08 +0200 (CEST)
- Message-id: <20120510.091508.1656035091538259726.h.heil@zweipol.net>
Package: apache2-mpm-itk
Version: 2.2.16-6+squeeze4
Severity: important
This is a known bug that is fixed in testing. The report is primarily
to back the request for including the patch in s-p-u.
The upstream-patch is attached for completeness.
Steps to reproduce:
-------------------
useradd user1
useradd user2
cat >> /etc/hosts <<EOF
127.0.0.1 itk1.local
127.0.0.1 itk2.local
EOF
cat > /etc/apache2/sites-enabled/itk1 <<EOF
<VirtualHost *:80>
AssignUserID user1 user1
ServerName itk1.local
DocumentRoot /tmp/itk1
</VirtualHost>
EOF
cat > /etc/apache2/sites-enabled/itk2 <<EOF
<VirtualHost *:80>
AssignUserID user2 user2
ServerName itk2.local
DocumentRoot /tmp/itk2
</VirtualHost>
EOF
mkdir /tmp/itk1 /tmp/itk2
cat > /tmp/itk1/index.html <<EOF
<h1>itk1</h1>
<a href="http://itk2.local/">itk2</a>
EOF
cat > /tmp/itk2/index.html <<EOF
<h1>itk2</h1>
<a href="http://itk1.local/">itk1</a>
EOF
touch /tmp/itk1/.htaccess
touch /tmp/itk2/.htaccess
chown -R user1:user1 /tmp/itk1
chown -R user2:user2 /tmp/itk2
chmod o-rwx /tmp/itk1/.htaccess
chmod o-rwx /tmp/itk2/.htaccess
apache2ctl restart
$BROWSER http://itk1.local/
Then switch between the two sites by clicking the links a few times
and you will get a wrong 403 response, given that you have "KeepAlive
On" in /etc/apache2/apache2.conf and $BROWSER supports persistent
connections.
Upstream-patch:
---------------
Fix an issue where users can sometimes get spurious 403s on persistent
connections (the description in the comments explains the logic).
This would particularly hit people with reverse proxies, since these
have a higher tendency of accessing things from different vhosts in
the same connection.
Index: httpd-2.2.17/server/config.c
===================================================================
--- httpd-2.2.17.orig/server/config.c
+++ httpd-2.2.17/server/config.c
@@ -1840,6 +1840,34 @@ AP_CORE_DECLARE(int) ap_parse_htaccess(a
else {
if (!APR_STATUS_IS_ENOENT(status)
&& !APR_STATUS_IS_ENOTDIR(status)) {
+#ifdef ITK_MPM
+ /*
+ * If we are in a persistent connection, we might end up in a state
+ * where we can no longer read .htaccess files because we have already
+ * setuid(). This can either be because the previous request was for
+ * another vhost (basically the same problem as when setuid() fails in
+ * itk.c), or it can be because a .htaccess file is readable only by
+ * root.
+ *
+ * In any case, we don't want to give out a 403, since the request has
+ * a very real chance of succeeding on a fresh connection (where
+ * presumably uid=0). Thus, we give up serving the request on this
+ * TCP connection, and do a hard close of the socket. As long as we're
+ * in a persistent connection (and there _should_ not be a way this
+ * would happen on the first request in a connection, save for subrequests,
+ * which we special-case), this is allowed, as it is what happens on
+ * a timeout. The browser will simply open a new connection and try
+ * again (there's of course a performance hit, though, both due to
+ * the new connection setup and the fork() of a new server child).
+ */
+ if (r->main == NULL && getuid() != 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, status, r,
+ "Couldn't read %s, closing connection.",
+ filename);
+ ap_lingering_close(r->connection);
+ exit(0);
+ }
+#endif
ap_log_rerror(APLOG_MARK, APLOG_CRIT, status, r,
"%s pcfg_openfile: unable to check htaccess file, "
"ensure it is readable",
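Review bot: the bare exit(0) after ap_lingering_close() in the new ITK_MPM branch (`if (r->main == NULL && getuid() != 0)`) ends the child from inside generic server/config.c rather than through the MPM's own child-exit path, so whatever cleanups the child pool has registered (module cleanups, buffered log flushes) are skipped, and the "give up on this connection" policy now lives in two places (here and the setuid() failure handling in itk.c the comment refers to). Consider having this branch only log, mark r->connection as aborted and return an error, and let itk.c do the close and exit in one place. The comment's assumption that "the browser will simply open a new connection and try again" holds for GET, but a client that gets no response to a POST is not expected to resend it, so such requests are lost rather than retried; that limitation should at least be stated in the comment, and including r->method in the APLOG_WARNING message would let operators tell these closes apart from real timeouts.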
-- System Information:
Debian Release: 6.0.4
APT prefers stable
APT policy: (700, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages apache2-mpm-itk depends on:
ii apache2.2-bin 2.2.16-6+squeeze4 Apache HTTP Server common binary f
ii apache2.2-common 2.2.16-6+squeeze4 Apache HTTP Server common files
apache2-mpm-itk recommends no packages.
apache2-mpm-itk suggests no packages.
-- no debconf information
--- End Message ---
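The browser-clicking reproducer above depends on the browser actually reusing its connection. The following is an added example, not code from the bug report or from apache2-mpm-itk: a small probe that sends requests for several virtual hosts over one persistent HTTP/1.1 connection and records what each one returned, so the spurious 403 (or, with the squeeze8 fix, the server-side connection close) can be observed deterministically with curl-like precision. The vhost names are the ones from the report; the in-process stand-in server is constructed here purely so the probe can be exercised without Apache, and its two modes are a simplified model of the pre- and post-patch behaviour, not the MPM's code.

```python
"""Keep-alive probe for the mpm-itk spurious-403 behaviour (added example).

Sends GETs for several Host names over ONE persistent HTTP/1.1 connection and
records each result.  A constructed stand-in server mimics the two mpm-itk
behaviours so the probe can be run without Apache: 'buggy' answers 403 once the
Host changes on a connection (pre-patch), 'fixed' closes the connection instead
(post-patch, so the client must reconnect and retry).
"""
import http.client
import socketserver
import sys
import threading


def probe(host, port, vhosts, path="/"):
    """GET `path` for each name in `vhosts` over a single http.client connection.

    Returns one outcome per request: the int status code, or the string
    'closed' if the server dropped the connection before answering (the probe
    stops there, since the point is to observe a single connection).
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    outcomes = []
    for name in vhosts:
        try:
            # Same socket, different Host header: what a browser or a reverse
            # proxy does when it follows links between vhosts on one server.
            conn.request("GET", path, headers={"Host": name})
            resp = conn.getresponse()
            resp.read()  # drain the body so http.client keeps the socket open
            outcomes.append(resp.status)
        except (http.client.BadStatusLine, ConnectionError):
            outcomes.append("closed")  # RemoteDisconnected, reset or broken pipe
            break
    conn.close()
    return outcomes


def classify(outcomes):
    """Map a probe result to 'ok', 'spurious-403', 'closed' or 'unexpected'."""
    if "closed" in outcomes:
        return "closed"
    if outcomes and outcomes[0] == 200 and 403 in outcomes:
        return "spurious-403"
    if outcomes and all(s == 200 for s in outcomes):
        return "ok"
    return "unexpected"


class ItkLikeHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for an mpm-itk child (assumption, not the real MPM).

    The first Host seen on a connection pins the child's identity, like the
    setuid() in the real MPM.  Later requests for another Host get a 403 in
    'buggy' mode or a hard close in 'fixed' mode.
    """

    def handle(self):
        pinned = None
        while True:
            request_line = self.rfile.readline()
            if not request_line:
                return  # client closed the connection
            host = None
            while True:  # consume headers up to the blank line
                header = self.rfile.readline()
                if header in (b"\r\n", b"\n", b""):
                    break
                name, _, value = header.decode("latin-1").partition(":")
                if name.strip().lower() == "host":
                    host = value.strip()
            if pinned is None:
                pinned = host
            if host == pinned:
                self._reply(200, "OK")
            elif self.server.mode == "buggy":
                self._reply(403, "Forbidden")
            else:
                return  # 'fixed': drop the connection, client must reconnect

    def _reply(self, status, reason):
        body = reason.encode("ascii")
        head = ("HTTP/1.1 %d %s\r\nContent-Type: text/plain\r\n"
                "Content-Length: %d\r\nConnection: keep-alive\r\n\r\n"
                % (status, reason, len(body)))
        self.wfile.write(head.encode("ascii") + body)


class FakeItkServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, mode):
        self.mode = mode  # 'buggy' or 'fixed'
        super().__init__(("127.0.0.1", 0), ItkLikeHandler)  # port 0: any free port


def run_against_fake(mode, vhosts=("itk1.local", "itk2.local", "itk1.local")):
    """Start a fake server in `mode`, probe it, return (outcomes, verdict)."""
    srv = FakeItkServer(mode)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        outcomes = probe("127.0.0.1", srv.server_address[1], list(vhosts))
    finally:
        srv.shutdown()
        srv.server_close()
    return outcomes, classify(outcomes)


if __name__ == "__main__":
    # Real server: python3 itk_probe.py 127.0.0.1 80 itk1.local itk2.local itk1.local
    if len(sys.argv) >= 4:
        result = probe(sys.argv[1], int(sys.argv[2]), sys.argv[3:])
        print(result, classify(result))
    else:
        for mode in ("buggy", "fixed"):
            print(mode, *run_against_fake(mode))
```

Run it with the address of the Apache host and the vhost names to test a real server; a `[200, 403, 200]` sequence is the bug (the child is stuck as user1 and cannot read user2's o-rwx .htaccess, then serves itk1 again fine), a `[200, 'closed']` sequence is the patched server giving up on the connection. Note that `http.client` would silently reconnect on the next request after a close, which is exactly why the probe stops at the first `'closed'`.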
--- Begin Message ---
- To: 672333-close@bugs.debian.org
- Subject: Bug#672333: fixed in apache2 2.2.16-6+squeeze8
- From: Stefan Fritsch <sf@debian.org>
- Date: Wed, 12 Sep 2012 22:32:16 +0000
- Message-id: <E1TBvTk-00083k-RS@franck.debian.org>
Source: apache2
Source-Version: 2.2.16-6+squeeze8
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 672333@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 09 Sep 2012 23:08:04 +0200
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-dbg
Architecture: source all i386
Version: 2.2.16-6+squeeze8
Distribution: squeeze
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
apache2 - Apache HTTP Server metapackage
apache2-dbg - Apache debugging symbols
apache2-doc - Apache HTTP Server documentation
apache2-mpm-event - Apache HTTP Server - event driven model
apache2-mpm-itk - multiuser MPM for Apache 2.2
apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
apache2-mpm-worker - Apache HTTP Server - high speed threaded model
apache2-prefork-dev - Apache development headers - non-threaded MPM
apache2-suexec - Standard suexec program for Apache 2 mod_suexec
apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
apache2-threaded-dev - Apache development headers - threaded MPM
apache2-utils - utility programs for webservers
apache2.2-bin - Apache HTTP Server common binary files
apache2.2-common - Apache HTTP Server common files
Closes: 671204 672333 677086
Changes:
apache2 (2.2.16-6+squeeze8) squeeze; urgency=low
.
* CVE-2012-2687: mod_negotiation: Escape filenames in variant list to
prevent a possible XSS vulnerability for a site where untrusted users
can upload files to a location with MultiViews enabled.
* Send 408 status instead of 400 if reading of a request fails with a
timeout. This allows browsers to retry. Closes: #677086
* mod_cache: Prevent Partial Content responses from being cached and served
as normal response. Closes: #671204
* mpm_itk: Fix an issue where users can sometimes get spurious 403s on
persistent connections. Closes: #672333
Checksums-Sha1:
b308be271ebd4ef9870ca1bba32c38c0658290fe 1832 apache2_2.2.16-6+squeeze8.dsc
c535230f6f8c32020a2446e73cbe46092f17fa9c 225359 apache2_2.2.16-6+squeeze8.diff.gz
f9482cd65b5dccd1535033f338ce003bd20f3b92 2305160 apache2-doc_2.2.16-6+squeeze8_all.deb
d42c1a654dbfcdf023116458ee430514e6526f93 308732 apache2.2-common_2.2.16-6+squeeze8_i386.deb
68ede4f69e4cd0747c9fc6bb11ee823fc326306d 1354090 apache2.2-bin_2.2.16-6+squeeze8_i386.deb
7d0b49997613fce06d3ab2d781664dc43573cf61 2230 apache2-mpm-worker_2.2.16-6+squeeze8_i386.deb
0c665c009ff5f08687be97a527fb862f680e3548 2286 apache2-mpm-prefork_2.2.16-6+squeeze8_i386.deb
299de8890de38d0fb1474a624df4154a80b29151 2258 apache2-mpm-event_2.2.16-6+squeeze8_i386.deb
927f0935367d3525790defe597c68b2d8f6dc4a9 2292 apache2-mpm-itk_2.2.16-6+squeeze8_i386.deb
2a768453fd7afd59430c8290b0d7a4dc4d67b665 165530 apache2-utils_2.2.16-6+squeeze8_i386.deb
631e90da177de473e73caa1deadcc4e12471d9fd 100062 apache2-suexec_2.2.16-6+squeeze8_i386.deb
042142d042131e3e3a6df65515bd3f966e89ccfe 101624 apache2-suexec-custom_2.2.16-6+squeeze8_i386.deb
98a3b7a875b82bedd552615713aa8c6ff55d3ab5 1392 apache2_2.2.16-6+squeeze8_i386.deb
4979d8a8b3a141475f789e5e24911e46cd8f18e8 137238 apache2-prefork-dev_2.2.16-6+squeeze8_i386.deb
89f7e866e00ba25d7e4e6ef5589b0fae75dbedb3 138374 apache2-threaded-dev_2.2.16-6+squeeze8_i386.deb
abb7ace72b437b5a19d07592dbc9c141c9b5a071 2681686 apache2-dbg_2.2.16-6+squeeze8_i386.deb
Checksums-Sha256:
97ecd4ae85440968b15fdb529989c8e31b24767dd1f9846110364b1f04bf3a58 1832 apache2_2.2.16-6+squeeze8.dsc
6f45f0c0ca30b27bbe12696166b47be0318ead3d4bdac046369679dd15e19475 225359 apache2_2.2.16-6+squeeze8.diff.gz
018f452f7d08fe01ad3a6ae4c9258b22c0d8a89ccaef41fff438180099ecc97e 2305160 apache2-doc_2.2.16-6+squeeze8_all.deb
e4ae68774cd678361849afd593c913a3138b3e1860e951ca5c66ace16a655b84 308732 apache2.2-common_2.2.16-6+squeeze8_i386.deb
39d92447b38a40220fb0587b124649977600565b7772462f8433558f549efcff 1354090 apache2.2-bin_2.2.16-6+squeeze8_i386.deb
348a65bb43ecbfaa28368846db93617b5c3590f08cb5056469db339175a3b987 2230 apache2-mpm-worker_2.2.16-6+squeeze8_i386.deb
54ce34b4f629a2e0c099333aa0b876f1a52edf1cc922aed9de97713b50d045e8 2286 apache2-mpm-prefork_2.2.16-6+squeeze8_i386.deb
73405540e305e5820b72a59ac1540fa4b2308419e4ae33478dfd106badffeaf5 2258 apache2-mpm-event_2.2.16-6+squeeze8_i386.deb
0dac2b1dcf18a234c2f94f024e056aac2fc57d1b8edbd55358ff73ed4b4b14c6 2292 apache2-mpm-itk_2.2.16-6+squeeze8_i386.deb
172afc24e9b6193cb48d115586a53761977004b8d7fe8124efe5745607f68880 165530 apache2-utils_2.2.16-6+squeeze8_i386.deb
2faa3349cce0a332f67100f85c0e8b3da3760537b1ac2834ff7762e4d0e4b26c 100062 apache2-suexec_2.2.16-6+squeeze8_i386.deb
10ca1c9421364915c5c633c52ec74b80bc0cc968e419b86e680c4ac6349a0e96 101624 apache2-suexec-custom_2.2.16-6+squeeze8_i386.deb
4651804047fb92be73fef24cbea443cec46e206779666bbf08815a70fbbeadd4 1392 apache2_2.2.16-6+squeeze8_i386.deb
4e86b56a730226d1226b72457e49dc19b173b33ea54062ad3d1ce09d606da0c5 137238 apache2-prefork-dev_2.2.16-6+squeeze8_i386.deb
5c8fdd3c51bd114d54025383720640dd3e46aba9f4559ff355e79f9a64b647f9 138374 apache2-threaded-dev_2.2.16-6+squeeze8_i386.deb
7d641e125b469acf14523600070badb71c17fd7d1d3b244f7b4bf4094bd8b7cd 2681686 apache2-dbg_2.2.16-6+squeeze8_i386.deb
Files:
93dedf30664000765e6e9c48ca9eb81a 1832 httpd optional apache2_2.2.16-6+squeeze8.dsc
3f0e7dec82adfe5802023b07c8bc97aa 225359 httpd optional apache2_2.2.16-6+squeeze8.diff.gz
413976ec79dcc824d148761c7a3037e8 2305160 doc optional apache2-doc_2.2.16-6+squeeze8_all.deb
51cbacc577e2ac6038630abe9081949a 308732 httpd optional apache2.2-common_2.2.16-6+squeeze8_i386.deb
9cdecaf5c62a2bfec99a91767707ae76 1354090 httpd optional apache2.2-bin_2.2.16-6+squeeze8_i386.deb
a9876c92f9b4a9893b45f069bd82138e 2230 httpd optional apache2-mpm-worker_2.2.16-6+squeeze8_i386.deb
3ecd0e355098555c5095469ea2782815 2286 httpd optional apache2-mpm-prefork_2.2.16-6+squeeze8_i386.deb
9f43aff5c8b2cc6a478272b107cb6083 2258 httpd optional apache2-mpm-event_2.2.16-6+squeeze8_i386.deb
725e6637966a2c6da7af5efb05857627 2292 httpd extra apache2-mpm-itk_2.2.16-6+squeeze8_i386.deb
905ac52c11c8c177f5aab6217900ac47 165530 httpd optional apache2-utils_2.2.16-6+squeeze8_i386.deb
4bc2081e3215c535da427d027d840758 100062 httpd optional apache2-suexec_2.2.16-6+squeeze8_i386.deb
f1a87bfa633fab355ef8dcb5f78265a9 101624 httpd extra apache2-suexec-custom_2.2.16-6+squeeze8_i386.deb
706e39696e6442dbd88acf9ec6bf00b6 1392 httpd optional apache2_2.2.16-6+squeeze8_i386.deb
a10fe5ac68c48376f429c1e0af8b3257 137238 httpd extra apache2-prefork-dev_2.2.16-6+squeeze8_i386.deb
308d86aec4e498e91c527b5178490011 138374 httpd extra apache2-threaded-dev_2.2.16-6+squeeze8_i386.deb
70f27aff5fd224478b7732873ef7a42e 2681686 debug extra apache2-dbg_2.2.16-6+squeeze8_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFQUOqWbxelr8HyTqQRAgzVAKDfRiukFJLYL9GGepsGdFyk4Ya29ACeM0Jh
N8QjAfoNUDD/tb9hGI9jHwc=
=YdMu
-----END PGP SIGNATURE-----
--- End Message ---