Posted to dev@httpd.apache.org by Ivan Zhakov <iv...@visualsvn.com> on 2009/06/22 16:48:34 UTC

Apache requires read permissions for parent directories of configuration files

Hi,

I encountered the following problem with Apache HTTPD on Windows:
* let's suppose that the server root is "C:\ABC\XYZ\root";
* the httpd service has all appropriate access permissions
  for the server root;
* but the httpd service doesn't have any access permission for
  the parents of the root. E.g. the httpd service doesn't have
  access to "C:\ABC" and "C:\ABC\XYZ";
* in this case httpd failed to start with the error message "Invalid file
  path C:\ABC\XYZ\root\conf\htpasswd" if the AuthUserFile directive is used.

We researched this and found that this happens with most Apache
directives, because they use the function ap_server_root_relative(),
which in turn calls apr_filepath_merge() with the flag
APR_FILEPATH_TRUENAME.

This change was introduced in r90571 [1]; before r90571,
ap_make_full_path() was used, which does not perform file path resolution
like apr_filepath_merge with the flag APR_FILEPATH_TRUENAME does.

We have the following questions:
* what is the reason to use APR_FILEPATH_TRUENAME argument in that place?
* is it possible to remove APR_FILEPATH_TRUENAME argument in the trunk
  of Apache HTTP Server? (see attached patch)

Any comments will be helpful.

[1] http://svn.apache.org/viewvc?view=rev&revision=90571

-- 
Ivan Zhakov
VisualSVN Team

Re: Apache requires read permissions for parent directories of configuration files

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
William A. Rowe, Jr. wrote:
> Ivan Zhakov wrote:
> 
>> * is it possible to remove APR_FILEPATH_TRUENAME argument in the trunk
>>   of Apache HTTP Server? (see attached patch)
> 
> -1, veto for such a change.
> 
> Change this and httpd and even third party modules can ultimately discover
> their configuration file is invalid, leading to security exposures.

FWIW - I'm willing to entertain a change to record each failed true name
resolution lookup in the error log (Failed to resolve true pathname of
C:\ABC, file permissions problem?).  This will become extremely noisy in
the error log very quickly when it happens several times per request, but
I suspect it's better than failure that admins can't explain.

Re: Apache requires read permissions for parent directories of configuration files

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Ivan Zhakov wrote:
> 
> I encountered the following problem with Apache HTTPD on Windows:
> * let's suppose that the server root is "C:\ABC\XYZ\root";
> * the httpd service has all appropriate access permissions
>   for the server root;
> * but the httpd service doesn't have any access permission for
>   the parents of the root. E.g. the httpd service doesn't have
>   access to "C:\ABC" and "C:\ABC\XYZ";
> * in this case httpd failed to start with the error message "Invalid file
>   path C:\ABC\XYZ\root\conf\htpasswd" if the AuthUserFile directive is used.
> 
> We researched this and found that this happens with most Apache
> directives, because they use the function ap_server_root_relative(),
> which in turn calls apr_filepath_merge() with the flag
> APR_FILEPATH_TRUENAME.
> 
> This change was introduced in r90571 [1]; before r90571,
> ap_make_full_path() was used, which does not perform file path resolution
> like apr_filepath_merge with the flag APR_FILEPATH_TRUENAME does.

Yes; this change is by design...

> We have the following questions:
> * what is the reason to use APR_FILEPATH_TRUENAME argument in that place?

How do you suggest that, in the httpd.conf, Apache disambiguates C:\ABC
from C:\abc, or worse yet, C:\abacadabara from C:\abacab~1 etc?  Without
resolving the true path elements it's very difficult to do this.  Therefore
the make full path ensures that two file names in two different directives,
or the resolved path and the path given by a directive, can be authoritatively
compared for equality.

> * is it possible to remove APR_FILEPATH_TRUENAME argument in the trunk
>   of Apache HTTP Server? (see attached patch)

-1, veto for such a change.

Change this and httpd and even third party modules can ultimately discover
their configuration file is invalid, leading to security exposures.
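
Added example, not part of the thread and not httpd or APR code: a self-contained C model of the trade-off discussed above. It shows why two spellings of a path only compare equal after each component is resolved to its on-disk name, and why that resolution fails when a parent directory cannot be enumerated. The table `FS`, its ACL flags, and the functions `truename` and `same_file` are constructed for illustration; the path names are taken from the messages.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed model of a case-insensitive volume; listable = assumed ACL on parent. */
struct entry { const char *parent, *name, *alias; int listable; };
static const struct entry FS[] = {
    {"C:",                 "ABC",         "",         1},
    {"C:\\ABC",            "XYZ",         "",         0},
    {"C:\\ABC\\XYZ",       "root",        "",         0},
    {"C:\\ABC\\XYZ\\root", "conf",        "",         1},
    {"C:",                 "abacadabara", "ABACAB~1", 1},
    {"C:\\abacadabara",    "htpasswd",    "",         1},
};

/* Returns 0 and the on-disk spelling in out; -1 = parent not listable; -2 = no entry. */
int truename(const char *path, char *out, size_t n)
{
    char buf[260], *comp;
    if (n < 3 || strlen(path) >= sizeof buf) return -2;
    comp = strtok(strcpy(buf, path), "\\/");
    if (!comp || strlen(comp) != 2 || comp[1] != ':') return -2;
    strcpy(out, comp);                  /* drive as typed; canonicalised below */
    while ((comp = strtok(NULL, "\\/")) != NULL) {
        const struct entry *hit = NULL;
        /* Matching a name or 8.3 alias means enumerating the parent directory. */
        for (size_t i = 0; i < sizeof FS / sizeof FS[0]; i++)
            if (!strcasecmp(FS[i].parent, out) && (!strcasecmp(FS[i].name, comp)
                                                || !strcasecmp(FS[i].alias, comp)))
                hit = &FS[i];
        if (!hit) return -2;
        if (!hit->listable) return -1;  /* the startup failure in the report */
        if (snprintf(out, n, "%s\\%s", hit->parent, hit->name) >= (int)n) return -2;
    }
    return 0;
}

/* 1 = same file, 0 = different, -1 = undecidable (resolution failed). */
int same_file(const char *a, const char *b)
{
    char ta[260], tb[260];
    if (truename(a, ta, sizeof ta) || truename(b, tb, sizeof tb)) return -1;
    return strcmp(ta, tb) == 0;
}

int main(void)
{
    printf("%d\n", same_file("C:\\abacadabara\\htpasswd", "c:\\ABACAB~1\\HTPASSWD"));
    return 0;
}
```

In this model the only way to make the `C:\ABC\XYZ\root` lookups succeed without dropping true-name resolution is to let the service account list the parent directories.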