On Fri, Mar 31, 2023 at 2:46 PM Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
>
> On Fri, Mar 31, 2023 at 2:27 PM Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
> >
> > Hello,
> >
> > On Fri, Mar 31, 2023 at 8:18 AM Stefan Helmert <s.helmert@xxxxxxx> wrote:
> > >
> > > In my setup, httpd runs on a specific uid and delegates transfers to
> > > mpm_itk with AssignUserIDExpr %{reqenv:MAPPED_USER} dynamic uid.
> > >
> > > The problem is: httpd runs ap_directory_walk() with its own uid before
> > > delegating to mpm_itk with the dynamic uid. This fails because httpd
> > > doesn't have the permissions to read the directory.
> > >
> > > How can I disable ap_directory_walk() or delegate it to mpm_itk?
> >
> > I can't think of a configuration that could change this behaviour, but
> > if you can patch mpm_itk I'd suggest trying to make the
> > itk_post_perdir_config hook an itk_map_to_storage hook instead
> > (APR_HOOK_REALLY_FIRST still, but returning DECLINED on success so
> > that the next map_to_storage hooks run too).
> >
> > That's from a quick look at mpm_itk code (and I know very little about
> > this MPM), but it looks like it could work..
>
> So something like the attached patch possibly.

[sorry for the spam, reading more of mpm_itk code..]

The comment on itk_dirwalk_stat() suggests that it should be allowed to read
any file with httpd's uid/gid rights and that the switch to AssignUserID
should happen later (though there is an issue with kept-alive connections
obviously once the ids are changed..).

So I'm not sure what the security model of mpm_itk is; it seems that files
should still be "owned" by httpd's user so that once AssignUserID is in place
it can't do anything with them, which is not the same as setting files'
access rights to each AssignUserID individually.

So be aware that the proposed patch here is probably not what mpm_itk users
usually want..

>
> Regards,
> Yann.
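Added example, not code from this thread and not httpd or mpm_itk source (the patch Yann attached is not reproduced here): a small self-contained C model of the hook-ordering point in the reply above. It mirrors two facts about httpd's hook machinery, that map_to_storage is a RUN_FIRST hook (the chain stops at the first hook that returns something other than DECLINED) and that post_perdir_config runs after map_to_storage, and then plays out three orderings: the uid switch after the walk (Stefan's failure), the switch moved to a REALLY_FIRST map_to_storage hook that returns OK (the walk is skipped entirely, so core's checks never run), and the same hook returning DECLINED (the walk runs with the mapped uid). The directory table, uids, and numeric return values are constructed for the model only.

```c
#include <stdio.h>
#include <string.h>

/* Return-code names follow httpd's conventions; the numeric values and the
 * whole "filesystem" below are constructed for this model only. */
#define OK              0
#define DECLINED       (-1)
#define HTTP_FORBIDDEN  403

#define HTTPD_UID 33   /* constructed: the uid httpd's workers start with */

/* Constructed directory table: each tree is readable only by its owner uid. */
struct dir_entry { const char *prefix; int owner_uid; };
static const struct dir_entry FS[] = {
    { "/srv/www/alice/", 1001 },
    { "/srv/www/bob/",   1002 },
};

struct request {
    const char *path;
    int current_uid;   /* uid the worker runs as right now */
    int mapped_uid;    /* uid AssignUserIDExpr resolved to (constructed) */
};

static int last_walk_ran;  /* did the directory walk execute in the last scenario? */

/* Model of a "switch to AssignUserID" hook. On success it returns OK, which
 * ends a RUN_FIRST chain, or DECLINED, which lets the later hooks run. */
static int itk_switch_uid(struct request *r, int decline_on_success)
{
    r->current_uid = r->mapped_uid;
    return decline_on_success ? DECLINED : OK;
}

/* Model of core's map_to_storage directory walk: it has to read the
 * directory with whatever uid the worker holds at the moment it runs. */
static int core_dirwalk(struct request *r)
{
    size_t i;
    last_walk_ran = 1;
    for (i = 0; i < sizeof(FS) / sizeof(FS[0]); i++) {
        if (strncmp(r->path, FS[i].prefix, strlen(FS[i].prefix)) == 0)
            return r->current_uid == FS[i].owner_uid ? OK : HTTP_FORBIDDEN;
    }
    return HTTP_FORBIDDEN;  /* path is under no configured tree */
}

int last_walk_ran_flag(void) { return last_walk_ran; }

/* Scenario A, the order Stefan describes: map_to_storage (the walk) runs
 * first as HTTPD_UID; the uid switch happens afterwards in post_perdir_config. */
int scenario_switch_after_walk(const char *path, int mapped_uid)
{
    struct request r = { path, HTTPD_UID, mapped_uid };
    int rv;
    last_walk_ran = 0;
    rv = core_dirwalk(&r);          /* map_to_storage phase */
    itk_switch_uid(&r, 1);          /* post_perdir_config phase: too late */
    return rv;
}

/* Scenario B, Yann's suggestion: the switch moves to a map_to_storage hook
 * registered APR_HOOK_REALLY_FIRST. Because map_to_storage is RUN_FIRST, the
 * chain only continues to the walk when the switch returns DECLINED. */
int scenario_switch_in_map_to_storage(const char *path, int mapped_uid,
                                      int decline_on_success)
{
    struct request r = { path, HTTPD_UID, mapped_uid };
    int rv;
    last_walk_ran = 0;
    rv = itk_switch_uid(&r, decline_on_success);
    if (rv == DECLINED)
        rv = core_dirwalk(&r);      /* now runs with the mapped uid */
    return rv == DECLINED ? OK : rv;
}

int main(void)
{
    const char *p = "/srv/www/alice/index.html";
    int rv, walked;

    rv = scenario_switch_after_walk(p, 1001);        walked = last_walk_ran_flag();
    printf("switch after walk:        %d (walk ran: %d)\n", rv, walked);
    rv = scenario_switch_in_map_to_storage(p, 1001, 0); walked = last_walk_ran_flag();
    printf("switch first, returns OK: %d (walk ran: %d)\n", rv, walked);
    rv = scenario_switch_in_map_to_storage(p, 1001, 1); walked = last_walk_ran_flag();
    printf("switch first, DECLINED:   %d (walk ran: %d)\n", rv, walked);
    return 0;
}
```

The middle case is the one to watch when writing such a patch: a REALLY_FIRST map_to_storage hook that returns OK on success short-circuits every later map_to_storage hook, including the core walk that enforces the per-directory configuration, which is why the reply insists on DECLINED.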
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx