Apache 2.4, NFS-mounted content, strict permissions & htaccess

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi list,

I'm running into permission trouble with Apache 2.4 (and mpm-itk, though
i wonder if this is solely mpm-itk related). It was also reported about a
year ago on the mpm-itk mailinglist. The archives are down so i
some-what reconstructed that thread here: https://8n1.org/10728/cbbe

I'm seeing the exact same behaviour.

Our site-content is on an NFS-mount, it does *NOT* have root_squash
enabled, the site parent directories are all 0700 (drwx------) for the
users that 'own' the site.

Apache 2.4/mpm-itk fails to serve sites from this NFS setup. When i move
the site to local storage with exact same permissions it works fine.
Also, if i set +x bits on all parent directores on the NFS setup, it
works.

    f: /mnt/nfs/h/http-test/htdocs/.htaccess
    drwxr-xr-x root      root                 /
    drwxr-xr-x root      root                 mnt
    drwxr-x--x root      root                 nfs
    drwxr-xr-x root      root                 h
    drwx------ http-test http-linux_http-test http-test
    drwx------ http-test http-linux_http-test htdocs
    -rw------- http-test http-linux_http-test .htaccess

As shown in the reconstructed thread paste above, this has to do with
Apache 2.4 running a few threads as www-data, not root as it was in 2.2.

Does anyone know of any fix for this issue? Other than setting +x bit on
all parent directories, which introduces security risks of its own?

Basically we can't use Apache 2.4/itk with our NFS-setup now.
I'm not entirely sure if this is Apache 2.4 core or mpm-itk (which is
not part of Apache itself) related. As shown in the paste, just before
Apache calls ap_run_open_htaccess, its uid is 33 (www-data) which
explains why it can't read the htdocs/ folder. It used to be root (i
haven't tested this, but it must be).

Any ideas how to tackle this would be more than welcome!

Kind reagrds,
-Sander.
-- 
| Q: Why do you never see elephants hiding in trees?
| A: They're really good at it
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux