httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: Linux: CAP_DAC_OVERRIDE needed - why?
Date Mon, 22 Jul 2013 18:45:56 GMT
thank you - learned another lesson!

On 22.07.2013 20:37, William A. Rowe Jr. wrote:
> If it was 770 apache:apache, then root had no access, and root (before processing the
> User directive) was 'unable' to verify the existence of the child directory without
> violating the apparent access control (not traditional access control, of course).
> 
> On Mon, Jul 22, 2013 at 1:08 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>     On 22.07.2013 17:01, William A. Rowe Jr. wrote:
>     > On Sun, 21 Jul 2013 00:15:45 +0200
>     > Reindl Harald <h.reindl@thelounge.net> wrote:
>     >>
>     >> but why does httpd need CAP_DAC_OVERRIDE while starting initially as
>     >> root?
>     >>
>     >> CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
>     >> Jul 21 00:04:01 srv-rhsoft httpd[8813]: AH00112: Warning: DocumentRoot [/mnt/data/www/www] does not exist
>     >> Jul 21 00:04:01 srv-rhsoft httpd[8813]: AH00112: Warning: DocumentRoot [/mnt/data/www/private] does not exist
>     >
>     > Could one of the parents /mnt .../data .../www offer no other-traverse
>     > (x) access? If so, these need to be both root and switch-to-user
>     > traversable and perhaps readable
> 
>     *bingo*
> 
>     not that way - some had 770 while owner/group apache:apache
>     so at least questionable why the warning happens anyways
>     but after change to 775 it is gone
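
The check discussed in this thread, as an added example that is not part of the original messages or of httpd: it walks the ancestors of a DocumentRoot and reports which ones a given identity cannot traverse when neither CAP_DAC_OVERRIDE nor CAP_DAC_READ_SEARCH is available. The names `can_search` and `blocking_dirs`, the apache uid/gid 48, and the choice of `/mnt/data/www` as the 770 directory are assumptions made for illustration.

```python
import os
import stat
from pathlib import PurePosixPath

def can_search(mode, owner_uid, owner_gid, uid, gids):
    """Plain DAC test for directory search (x) permission.

    Models a process holding neither CAP_DAC_OVERRIDE nor CAP_DAC_READ_SEARCH,
    so uid 0 is judged like any other uid. ACLs and LSMs are not modelled.
    """
    if uid == owner_uid:
        return bool(mode & stat.S_IXUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def os_stat(path):
    """Default lookup: (mode, uid, gid) of a real path on this machine."""
    st = os.stat(path)
    return st.st_mode, st.st_uid, st.st_gid

def blocking_dirs(target, uid, gids, stat_fn=os_stat):
    """Return the ancestor directories of target that (uid, gids) cannot traverse."""
    blocked = []
    for parent in reversed(list(PurePosixPath(target).parents)):  # "/" first
        mode, owner_uid, owner_gid = stat_fn(str(parent))
        if not can_search(mode, owner_uid, owner_gid, uid, gids):
            blocked.append(str(parent))
    return blocked

# Constructed sample data: the thread does not say which parent had mode 770,
# and uid/gid 48 for apache is an assumption.
APACHE = 48
TREE_770 = {
    "/": (0o40755, 0, 0),
    "/mnt": (0o40755, 0, 0),
    "/mnt/data": (0o40755, 0, 0),
    "/mnt/data/www": (0o40770, APACHE, APACHE),
}
TREE_775 = dict(TREE_770, **{"/mnt/data/www": (0o40775, APACHE, APACHE)})

if __name__ == "__main__":
    docroot = "/mnt/data/www/www"
    for name, tree in (("770", TREE_770), ("775", TREE_775)):
        print(name, "root, no DAC caps:", blocking_dirs(docroot, 0, {0}, tree.__getitem__))
        print(name, "apache:", blocking_dirs(docroot, APACHE, {APACHE}, tree.__getitem__))
```

Called without `stat_fn`, `blocking_dirs` inspects the real filesystem, which is useful for checking a DocumentRoot before tightening `CapabilityBoundingSet`.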

