httpd-users mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [users@httpd] Apache 2.2.6 weird security issue
Date Tue, 06 Nov 2007 17:39:01 GMT
Ruslan Sivak wrote:
> I just upgraded from Apache 2.2.0 to 2.2.6 using the binaries from 
> apachelounge.com.  After I put in the new binaries (keeping my config), 
> it refused to start up due to a security failure (no further information 
> was in the logs).  After running Process Monitor, it looks like it was 
> failing at the following place:

> Desired Access:    Read Data/List Directory, Execute/Traverse, Read 
> Desired Access:    Execute/Traverse, Synchronize

> Apache runs under the limited user "apache" and has read only access to 
> the bin directory.  Why is it trying to CreateFile there?  (after giving 
> it full access to that directory, things now work, but I would prefer to 
> not give it access it doesn't need).

Ignore "CreateFile", that means different things.  Apache needs to be able
to /see/ its own files, and your permissions don't allow it.  It needs to
load .dll's - so it needs execute access to the contents of bin/ and /modules
and traverse/read directory access throughout the filesystem to the program
and to the files that you will serve.

E.g. your parent directory can't be traverse/no read, because if it can't
see the attributes or files, it can't decide if you had really intended
to serve Progra~1/... or Program Files/...


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
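
An added example, not part of the original message or of the Apache project's documentation: one way to replace the full-access workaround on bin with the read/execute and directory-read rights the reply describes. The install path C:\Apache2 and the local account name are assumptions; adjust both to your system.

```powershell
# Assumptions (not from the thread): Apache lives in C:\Apache2 and the
# service runs as the local limited user "apache".
$ApacheRoot = 'C:\Apache2'
$Account    = "$env:COMPUTERNAME\apache"

# Drop any explicit grants (such as Full control) given to the account on
# bin while troubleshooting. Inherited entries are not touched.
icacls "$ApacheRoot\bin" /remove:g $Account

# Read & execute on bin and modules, inherited by files (OI) and
# subdirectories (CI): enough to list the directories, read file
# attributes and load the .dll files, with no write access.
foreach ($dir in 'bin', 'modules') {
    icacls "$ApacheRoot\$dir" /grant "${Account}:(OI)(CI)RX"
}

# The install root itself: read/list/traverse on this folder only
# (no inheritance flags), so the account can see the directory entries.
icacls $ApacheRoot /grant "${Account}:(RX)"

# Review every ancestor directory. The account, or a group it belongs to,
# needs read/list there as well as traverse; print the ACLs to confirm.
$parent = Split-Path $ApacheRoot -Parent
while ($parent) {
    Write-Output "ACL for $parent"
    (Get-Acl -Path $parent).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
    $parent = Split-Path $parent -Parent
}

# Confirm the result on bin: the account should show ReadAndExecute only.
(Get-Acl -Path "$ApacheRoot\bin").Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Run it from an elevated prompt, then restart the service and re-check with Process Monitor that the access-denied results on bin are gone.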

