Re: disable httpd ap_directory_walk() before mpm_itk transfer

On Fri, Mar 31, 2023 at 2:46 PM Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
>
> On Fri, Mar 31, 2023 at 2:27 PM Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
> >
> > Hello,
> >
> > On Fri, Mar 31, 2023 at 8:18 AM Stefan Helmert <s.helmert@xxxxxxx> wrote:
> > >
> > > in my setup, httpd runs on a specific uid and delegates transfers to
> > > mpm_itk with AssignUserIDExpr %{reqenv:MAPPED_USER} dynamic uid.
> > >
> > > The problem is: httpd runs ap_directory_walk() with its own uid before
> > > delegating to mpm_itk with the dynamic uid. This fails, because httpd
> > > doesn't have the permissions to read the directory.
> > >
> > > How can I disable ap_directory_walk() or delegate it to mpm_itk?
> >
> > I can't think of a configuration that could change this behaviour, but
> > if you can patch mpm_itk I'd suggest trying to make the
> > itk_post_perdir_config hook an itk_map_to_storage hook instead
> > (APR_HOOK_REALLY_FIRST still, but returning DECLINED on success so
> > that the next map_to_storage hooks run too).
> >
> > That's from a quick look at mpm_itk code (and I know very little about
> > this MPM), but it looks like it could work..
>
> So something like the attached patch possibly.

[sorry for the spam, reading more of mpm_itk code..]

The comment on itk_dirwalk_stat() suggests that it should be allowed
to read any file with httpd's uid/gid rights and that the switch to
AssignUserID should happen later (though there is an issue with
kept-alive connections obviously once the ids are changed..).
So I'm not sure what the security model of mpm_itk is, it seems that
files should still be "owned" by httpd's user so that once
AssignUserID is in place it can't do anything with them, which is not
the same as setting files access rights to each AssignUserID
individually.
So be aware that the proposed patch here is probably not what mpm_itk
users usually want..

>
> >
> > Regards;
> > Yann.
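The two permission questions raised in this thread (can httpd's own uid traverse every directory before mpm_itk switches to the AssignUserID identity, and are the files still owned by httpd's user so the switched identity cannot modify them) can be checked against stat data without touching a server. The script below is an added example, not code from the thread or from mpm_itk; the uid/gid values, paths and modes are constructed, and the "fixed" layout is my reading of the ownership model Yann describes (files owned by httpd's user, group-readable by the mapped user).

```python
"""Evaluate constructed stat data against the two expectations discussed:
(1) ap_directory_walk() runs as httpd's own uid/gid before AssignUserID, so
every directory on the path must be searchable by that identity;
(2) in mpm_itk's model files stay owned by httpd's user, so the identity
assigned per request cannot write them. All uids, gids, paths and modes here
are constructed for the example; non-root identities are assumed."""
import stat
from dataclasses import dataclass

R, W, X = 4, 2, 1  # POSIX permission bits within one class


@dataclass(frozen=True)
class Entry:
    path: str
    uid: int
    gid: int
    mode: int  # full st_mode, file type bits included


@dataclass(frozen=True)
class Ident:
    uid: int
    gids: frozenset  # primary plus supplementary groups


def posix_allows(entry: Entry, who: Ident, want: int) -> bool:
    """Classic POSIX class selection: owner bits if the uid matches, else
    group bits if any group matches, else the 'other' bits."""
    perm = stat.S_IMODE(entry.mode)
    if who.uid == entry.uid:
        cls = (perm >> 6) & 7
    elif entry.gid in who.gids:
        cls = (perm >> 3) & 7
    else:
        cls = perm & 7
    return (cls & want) == want


def walk_blockers(entries, httpd: Ident):
    """Directories that httpd's own identity cannot search (x bit); these are
    where a directory walk performed before the uid switch would fail."""
    return [e.path for e in entries
            if stat.S_ISDIR(e.mode) and not posix_allows(e, httpd, X)]


def itk_ownership_problems(entries, httpd: Ident, assigned: Ident):
    """Entries that break the 'owned by httpd, not writable by the assigned
    user' expectation."""
    problems = []
    for e in entries:
        if e.uid != httpd.uid:
            problems.append((e.path, "not owned by httpd uid"))
        elif posix_allows(e, assigned, W):
            problems.append((e.path, "writable by AssignUserID user"))
    return problems


def audit(entries, httpd: Ident, assigned: Ident):
    return {"walk_blockers": walk_blockers(entries, httpd),
            "ownership": itk_ownership_problems(entries, httpd, assigned)}


# Constructed identities: httpd runs as uid 33, the mapped user is uid 1001.
HTTPD = Ident(uid=33, gids=frozenset({33}))
ALICE = Ident(uid=1001, gids=frozenset({1001}))

# Constructed layout matching the reported failure: the per-user directory is
# owned by the mapped user and closed to 'other', so httpd cannot walk it.
BROKEN = [
    Entry("/srv/www", 33, 33, stat.S_IFDIR | 0o755),
    Entry("/srv/www/alice", 1001, 1001, stat.S_IFDIR | 0o750),
    Entry("/srv/www/alice/index.html", 1001, 1001, stat.S_IFREG | 0o640),
]

# Constructed layout following the ownership model described in the thread:
# httpd's user owns everything; the mapped user only gets group read/search.
FIXED = [
    Entry("/srv/www", 33, 33, stat.S_IFDIR | 0o755),
    Entry("/srv/www/alice", 33, 1001, stat.S_IFDIR | 0o750),
    Entry("/srv/www/alice/index.html", 33, 1001, stat.S_IFREG | 0o640),
]

if __name__ == "__main__":
    for name, layout in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit(layout, HTTPD, ALICE))
```

On the constructed "broken" layout the walk is blocked at /srv/www/alice and both per-user entries fail the ownership check; on the "fixed" layout both lists are empty while the mapped user can still read index.html through the group bits, which is what the served request needs after the switch.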
