Posted to dev@httpd.apache.org by Jim Jagielski <ji...@jaguNET.com> on 1998/06/09 16:08:06 UTC

Re: mod_rewrite/2341: Permissions/Ownership of RewriteLock files prevent child access and thus apache from starting up when they

Ralf S. Engelschall wrote:
> 
> 
> Any suggestions how we can solve the above PR? The suggested fd passing is not
> an option because flock+fork doesn't work together (the child _has_ to open
> the lockfile itself). So what should we do? 
> 
> 1. A chown to the uids the child runs under (hmmm)
> 2. A chmod to open the lockfile for the world (grrrr)

How about changing the modes so that it's the gid of the child
as well as writable by the child.



> 3. ??
> 
> Ideas or suggestions?
>                                        Ralf S. Engelschall
>                                        rse@engelschall.com
>                                        www.engelschall.com
> 
> In article <19...@hyperreal.org> you wrote:
> 
> >>Number:         2341
> >>Category:       mod_rewrite
> >>Synopsis:       Permissions/Ownership of RewriteLock files prevent child access and thus apache from starting up when they are used.
> >>Confidential:   no
> >>Severity:       serious
> >>Priority:       medium
> >>Responsible:    apache
> >>State:          open
> >>Class:          sw-bug
> >>Submitter-Id:   apache
> >>Arrival-Date:   Tue Jun  2 10:10:01 PDT 1998
> >>Last-Modified:
> >>Originator:     matt@nipltd.com
> >>Organization:
> > apache
> >>Release:        1.3b7
> >>Environment:
> > Linux 2.0.32, gcc 2.7.2
> >>Description:
> > The file specified as the RewriteLock file for the RewriteMap I am using is
> > being created with root as the owner, and -rw--r--r-- as the permissions when
> > I start apache up (presumably by the parent httpd process). The children
> > are then unable to access this, presumably as they have given up root privs.
> 
> > The error message I get is:
> > "mod_rewrite: Child could not open RewriteLock file /foo/file.lck"
> 
> > If - after the file has been created, and while the errors are being generated -
> > I chmod a+w the file, the children stop complaining and everything works.
> >>How-To-Repeat:
> > Use a rewritelock for a rewrite map program, and have the user the children
> > run as be anything other than the user apache started up as.
> >>Fix:
> > I guess setting the permissions so that anyone can write to the file is not
> > secure. Maybe pass an open file handle to the children? I haven't looked through
> > the code, so I'm only guessing :).
> >>Audit-Trail:
> >>Unformatted:
> > [In order for any reply to be added to the PR database, ]
> > [you need to include <ap...@Apache.Org> in the Cc line ]
> > [and leave the subject line UNCHANGED.  This is not done]
> > [automatically because of the potential for mail loops. ]
> 
> 


-- 
===========================================================================
   Jim Jagielski   |||   jim@jaguNET.com   |||   http://www.jaguNET.com/
            "That's no ordinary rabbit... that's the most foul,
            cruel and bad-tempered rodent you ever laid eyes on"
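
Added example, not part of the original message and not Apache source: a C sketch of the group-ownership option raised in the reply, next to the failing case from the PR. The helper names `may_write` and `create_lockfile` and the uid/gid values are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Classic Unix write check for a process with one uid and one gid:
 * exactly one permission class applies (owner, else group, else other). */
static int may_write(const struct stat *st, uid_t uid, gid_t gid)
{
    if (uid == 0) return 1;                      /* root bypasses mode bits */
    if (st->st_uid == uid) return (st->st_mode & S_IWUSR) != 0;
    if (st->st_gid == gid) return (st->st_mode & S_IWGRP) != 0;
    return (st->st_mode & S_IWOTH) != 0;
}

/* Parent side (hypothetical helper): create the lock file, give it the
 * child's gid and make it group-writable, with no access for "other".
 * Returns 0 on success, -1 on error. */
static int create_lockfile(const char *path, gid_t child_gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    /* fchown/fchmod act on the descriptor, not on a re-resolved path. */
    if (fchown(fd, (uid_t)-1, child_gid) < 0 || fchmod(fd, 0660) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return close(fd);
}

int main(void)
{
    /* Constructed cases: the PR's file (root:root 0644) and the gid variant. */
    struct stat pr = { .st_uid = 0, .st_gid = 0,  .st_mode = 0644 };
    struct stat fx = { .st_uid = 0, .st_gid = 99, .st_mode = 0660 };
    printf("root:root 0644, child 99:99     -> %d\n", may_write(&pr, 99, 99));
    printf("root:99   0660, child 99:99     -> %d\n", may_write(&fx, 99, 99));
    printf("root:99   0660, other 1000:1000 -> %d\n", may_write(&fx, 1000, 1000));
    return 0;
}
```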