httpd-dev mailing list archives

From Rob Hartill <r...@imdb.com>
Subject Re: Bug report for apache_1.3a1
Date Sun, 12 Oct 1997 18:03:29 GMT

Hi,

thanks for the detailed problem descriptions. I'll forward the info
to the developers list for consideration.

cheers
rob
-=-=-=-=--=

On Fri, 10 Oct 1997, Nelson H. F. Beebe wrote:

> Yesterday, we built apache_1.3a1 from the source distribution at
> ftp://ftp.ccs.neu.edu/net/mirrors/ftp.apache.org/apache/dist/, fetched
> the same day from the file
> 
> -rw-rw-r--   1 beebe    staff     811126 Oct  9 16:22 apache_1.3a1.tar.gz
> 
> % md5 apache_1.3a1.tar.gz
> MD5 (apache_1.3a1.tar.gz) = 638fad5c69178d2a92407900547e8732
> 
> The intent was to upgrade from our older NCSA 1.x server to the latest
> Apache server, in order to provide byte serving capability to our
> HTTPD server.
> 
> The build was straightforward on our Sun Solaris 2.5 systems, but I
> had trouble with getting the FollowSymLinks option in the Options line
> of access.conf to work as expected, so I rebuilt the code with
> debugging symbols, and spent some time running httpd with the -X flag
> under dbx.
> 
> (1) In src/Makefile.tmp, the command for building httpd should include
> $(CFLAGS); there are systems for which compiler options, particularly
> options for optimization and debugging, need to be communicated to the
> linker.  I've changed mine like this:
> 
> % rcsdiff Makefile.tmpl 
> ===================================================================
> RCS file: RCS/Makefile.tmpl,v
> retrieving revision 1.1
> diff -r1.1 Makefile.tmpl
> 29c29
> <       $(CC) $(LDFLAGS)  -o httpd $(OBJS) $(REGLIB) $(LIBS)
> ---
> >       $(CC) $(CFLAGS) $(LDFLAGS)  -o httpd $(OBJS) $(REGLIB) $(LIBS)
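
Review bot: On line 29, $(CFLAGS) now precedes $(LDFLAGS) on the link command, so every compile-time option is also handed to the link step. If only the optimization and debugging options need to reach the linker, carrying those in $(LDFLAGS) would keep the two sets separate. Either way, a comment in Makefile.tmpl stating that CFLAGS is also used when linking would help. Note too that the covering text names the file src/Makefile.tmp while the diff is against Makefile.tmpl.
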
> 
> (2) In src/http_core.c, in set_options(), the variable action is
> not initialized, but it is tested anyway with the code
> 
> 	if (action == '-')
> 	    d->opts_remove |= opt;
> 	else if (action == '+')
> 	    d->opts_add |= opt;
> 	...
> 
> This can cause an access violation on systems that detect accesses to
> uninitialized memory.  The Sun Solaris debugger with -check all is one
> such example.
> 
> (3) src/http_core.h says:
> 
> #define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
> 
> The documentation in the Apache book from O'Reilly & Associates, Ben
> Laurie and Peter Laurie, ``Apache: The Definitive Guide'', ISBN
> 1-56592-250-6, implies that a line in access.conf of the form
> 
> Options Indexes
> 
> should turn on only the Indexes option.  
> 
> However, a breakpoint in the function
> src/http_request.c:check_symlinks() shows that opts has the value 15,
> which is the value OPT_ALL, and includes the FollowSymLinks option,
> which I was attempting to turn off by the above access.conf file
> setting.
> 
> Further tracing of the control flow in the function
> src/http_core.c:set_options() shows that with modified Options lines
> like these
> 
> Options -All Indexes 
> Options Indexes -FollowSymLinks
> 
> the structure element d->opts_remove gets set to OPT_ALL or
> OPT_SYM_LINKS, respectively.  So far, this is correct.  However, the
> function src/http_core.c:merge_core_dir_configs(), which is the only
> place that the d->opts_remove value is later used, is never called!
> 
> (4) Concluding that the Options handling was seriously broken, I
> therefore rebuilt httpd with a modification to src/http_core.h to
> remove OPT_SYM_LINKS from the definition of OPT_ALL.  This produced a
> message in the browser:
> 	
> 	The requested URL .... was not found on this server.
> 
> arising from an attempt to access my home page, which is otherwise
> perfectly visible to the NCSA server.
> 
> The reason for the access failure is that at our installation, we have
> more than 11,000 accounts, and more than 50 disks on which user home
> directories are located.  To handle this complexity, we use the
> automounter to automatically attach home directories at login time,
> which it does with symbolic links.  Thus, with the current
> implementation of src/http_request.c:check_symlinks(), the
> FollowSymLinks option is useless in our installation, and any others
> that use automounter, since all home directories have a symbolic link
> high up in their path.  We are then left with a security hole that
> allows a user to create a symbolic link to anywhere else in the file
> system, such as a password file, and make it available to the entire
> Internet.  This does NOT make me happy!
>  
> It seems to me that the correct way for FollowSymLinks to work is for
> it to apply to the Web tree below ~username/public_html; symlinks
> above that level appear to be harmless, but it should be IMPOSSIBLE,
> when FollowSymLinks is not explicitly set, for symlinks to be followed
> to files outside the ~username/public_html tree.  The same applies to
> the file subdirectory tree implied by http://hostname/; without
> FollowSymLinks, no file in that tree should be able to symlink out of
> the tree.
> 
> ----------------------------------------------------------------------------
> - Nelson H. F. Beebe                  Tel: +1 801 581 5254                 -
> - Center for Scientific Computing     FAX: +1 801 581 4148                 -
> - University of Utah                  Internet e-mail: beebe@math.utah.edu -
> - Department of Mathematics, 105 JWB                   beebe@acm.org       -
> - 155 S 1400 E RM 233                                  beebe@ieee.org      -
> - Salt Lake City, UT 84112-0090, USA  URL: http://www.math.utah.edu/~beebe - 
> ----------------------------------------------------------------------------
> 

--
Rob Hartill                              Internet Movie Database (Ltd)
http://www.moviedatabase.com/   .. a site for sore eyes.
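
The containment rule proposed at the end of the quoted report (symlinks above the web tree are harmless, symlinks leading out of it are not), as an added C example that is not code from Apache or from either poster. The names `within_tree`, `touch` and `demo` and the sample tree are constructed for illustration.

```c
#define _XOPEN_SOURCE 700   /* realpath, mkdtemp, symlink */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if `path`, with every symlink resolved, lies inside the tree rooted at
 * `root` (also resolved); 0 if it escapes the tree; -1 if either is missing. */
int within_tree(const char *root, const char *path)
{
    char rroot[PATH_MAX], rpath[PATH_MAX];
    if (!realpath(root, rroot) || !realpath(path, rpath))
        return -1;
    size_t n = strlen(rroot);
    if (n == 1) return 1;             /* root resolved to "/" */
    /* Prefix must end on a component boundary: public_html != public_html2 */
    return strncmp(rroot, rpath, n) == 0 &&
           (rpath[n] == '/' || rpath[n] == '\0');
}

static int touch(const char *p) { FILE *f = fopen(p, "w"); return f ? fclose(f) : -1; }

/* Constructed sample tree: "home" is a symlink above the web tree (the
 * automounter case); "leak" points out of the tree; "alias" stays inside. */
int demo(int out[3])
{
    char base[] = "/tmp/symtreeXXXXXX";
    if (!mkdtemp(base) || chdir(base) != 0 ||
        mkdir("real", 0700) || mkdir("real/public_html", 0700) ||
        touch("real/secret.txt") || touch("real/public_html/index.html") ||
        symlink("real", "home") ||
        symlink("../secret.txt", "real/public_html/leak") ||
        symlink("index.html", "real/public_html/alias"))
        return -1;
    out[0] = within_tree("home/public_html", "home/public_html/index.html");
    out[1] = within_tree("home/public_html", "home/public_html/leak");
    out[2] = within_tree("home/public_html", "home/public_html/alias");
    return 0;
}

int main(void)
{
    int r[3];
    if (demo(r)) return 1;
    printf("index.html=%d leak=%d alias=%d\n", r[0], r[1], r[2]);
    return 0;
}
```

Because the root is resolved as well, the symlink in `home` does not cause a rejection. The result is a snapshot: a server has to serve the file it checked, since a link can be replaced between the check and the open.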

