httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 10547] - 1.3.26 service requires read permission on directory above docroot
Date Mon, 08 Jul 2002 18:24:24 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10547>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10547

1.3.26 service requires read permission on directory above docroot

wrowe@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX



------- Additional Comments From wrowe@apache.org  2002-07-08 18:24 -------

  Answers, in any order;

  Yes, the default installs a service as LocalSystem (no network access.)
  Most users should change this, but it's not made sufficently clear.

  Yes, Apache needs rx (list) access to each directory, to the root.  This
  is required to distinguish the paths /pathto~1 from /path_to_apache, or
  even /path_to_ if one were using a non-WinNT network 8.3 filesystem.  We
  cannot permit the user to walk around a fully decorated path's security
  by using an alias, and we need read access [so far] to assure us of the
  resource's full name [using FindFirstFile() against the potential alias.]

  Other API [even NT kernal API] suggestions for working out the fully
  decorated name [without the shell32.dll which isn't a secure solution for
  full path resolution] would be welcome.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message