You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2002/07/08 11:04:50 UTC

DO NOT REPLY [Bug 10547] New: - 1.3.26 service requires read permission on directory above docroot

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10547>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10547

1.3.26 service requires read permission on directory above docroot

           Summary: 1.3.26 service requires read permission on directory
                    above docroot
           Product: Apache httpd-1.3
           Version: HEAD
          Platform: PC
               URL: N/A
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: grstarrett@cox.net


I have build 1.3.26 on a XP Pro, I don't get a default document in the root 
only when I #1 set the service to log in as a regular user and #2 do NOT 
assign permissions to the apache_user account BELOW the new docroot.  Here are 
steps to reproduce:

--Assume contents of docroot has index.htm and a directory subdir\index.htm.

--Create Apache_User user account on the local machine as a restricted (on 
other words, regular not power) user.

--Set the DocumentRoot (and <Directory ...>) to something like "C:/Documents 
and Settings/gstarrett/My Documents/My Website/Apache8080"

--Set permissions on "C:/Documents and Settings/gstarrett/My Documents/My 
Website/Apache8080" so that Apache_User has full permissions on the Apache8080 
directory.

-->Try to access http://MyServer:8080/ and get "Not found.  The requested 
URL / was not found on this server."  However, if you check for 
http://MyServer:8080/index.htm or http://MyServer:8080/blah/ then it shows 
both those perfectly.

Note that this doesn't show up if you either set Apache back to system account 
OR assign at least read-only permissions to the directory above the docroot.  
I chose the latter.

As a general note, isn't it generally a bad idea to have the service log in as 
system account?  If someone got control of the service, then they would have 
system acct privledges.  I'm fairly new to Apache still so forgive me I missed 
something basic about functioning.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org