Posted to dev@httpd.apache.org by Jim Jagielski <ji...@jaguNET.com> on 1998/06/09 16:08:06 UTC
Re: mod_rewrite/2341: Permissions/Ownership of RewriteLock files prevent child access and thus apache from starting up when they
Ralf S. Engelschall wrote:
>
>
> Any suggestions how we can solve the above PR? The suggested fd passing is not
> an option because flock+fork doesn't work together (the child _has_ to open
> the lockfile itself). So what should we do?
>
> 1. A chown to the uids the children run under (hmmm)
> 2. A chmod to open the lockfile for the world (grrrr)
How about changing the modes so that it's the gid of the child
as well as writable by the child.
> 3. ??
>
> Idea ideas or suggestions?
> Ralf S. Engelschall
> rse@engelschall.com
> www.engelschall.com
>
> In article <19...@hyperreal.org> you wrote:
>
> >>Number: 2341
> >>Category: mod_rewrite
> >>Synopsis: Permissions/Ownership of RewriteLock files prevent child access and thus apache from starting up when they are used.
> >>Confidential: no
> >>Severity: serious
> >>Priority: medium
> >>Responsible: apache
> >>State: open
> >>Class: sw-bug
> >>Submitter-Id: apache
> >>Arrival-Date: Tue Jun 2 10:10:01 PDT 1998
> >>Last-Modified:
> >>Originator: matt@nipltd.com
> >>Organization:
> > apache
> >>Release: 1.3b7
> >>Environment:
> > Linux 2.0.32, gcc 2.7.2
> >>Description:
> > The file specified as the RewriteLock file for the RewriteMap I am using is
> > being created with root as the owner, and -rw--r--r-- as the permissions when
> > I start apache up (presumably by the parent httpd process). The children
> > are then unable to access this, presumably as they have given up root privs.
>
> > The error message I get is:
> > "mod_rewrite: Child could not open RewriteLock file /foo/file.lck"
>
> > If - after the file has been created, and while the errors are being generated -
> > I chmod a+w the file, the children stop complaining and everything works.
> >>How-To-Repeat:
> > Use a rewritelock for a rewrite map program, and have the user the children
> > run as be anything other than the user apache started up as.
> >>Fix:
> > I guess setting the permissions so that anyone can write to the file is not
> > secure. Maybe pass an open file handle to the children? I haven't looked through
> > the code, so I'm only guessing :).
> >>Audit-Trail:
> >>Unformatted:
> > [In order for any reply to be added to the PR database, ]
> > [you need to include <ap...@Apache.Org> in the Cc line ]
> > [and leave the subject line UNCHANGED. This is not done]
> > [automatically because of the potential for mail loops. ]
>
>
--
===========================================================================
Jim Jagielski ||| jim@jaguNET.com ||| http://www.jaguNET.com/
"That's no ordinary rabbit... that's the most foul,
cruel and bad-tempered rodent you ever laid eyes on"
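
Added example, not part of the original thread and not Apache's own code: the option suggested in the reply above (lock file group-owned by the child's gid and group-writable, with no world access), with the child opening the file itself before calling flock. The function names, the sample path, and the use of getgid() as a stand-in for the child's group are assumptions made for illustration.

```c
/* Added illustration, not mod_rewrite source; all names are hypothetical. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parent: create the lock file, hand its group to child_gid, mode 0660.
 * O_EXCL refuses an existing file or symlink. Returns 0 or -1. */
int create_lockfile(const char *path, gid_t child_gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    /* fchown/fchmod act on the descriptor, so the umask does not matter. */
    if (fchown(fd, (uid_t)-1, child_gid) < 0 || fchmod(fd, 0660) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return close(fd);
}

/* Fork a child that opens the file itself (an inherited descriptor would
 * share the parent's flock), then locks and unlocks. Returns exit code or -1. */
int run_child(const char *path)
{
    int status, fd;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) { /* a real server drops to the child uid/gid here */
        if ((fd = open(path, O_WRONLY)) < 0)
            _exit(1);
        _exit(flock(fd, LOCK_EX) == 0 && flock(fd, LOCK_UN) == 0 ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    const char *p = "/tmp/rewrite_example.lck"; /* constructed sample path */
    unlink(p);
    if (create_lockfile(p, getgid()) != 0) /* getgid() stands in for the child's gid */
        return 1;
    return run_child(p);
}
```

With mode 0660 the file stays closed to other local users, which is the difference from the `chmod a+w` workaround described in the PR.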