httpd-users mailing list archives

From Ruslan Sivak <rsi...@istandfor.com>
Subject Re: [users@httpd] Apache 2.2.6 weird security issue
Date Tue, 06 Nov 2007 18:50:22 GMT
William A. Rowe, Jr. wrote:
> Ruslan Sivak wrote:
>> I just upgraded from Apache 2.2.0 to 2.2.6 using the binaries from 
>> apachelounge.com.  After I put in the new binaries (keeping my 
>> config), it refused to start up due to a security failure (no further 
>> information was in the logs).  After running Process Monitor, it 
>> looks like it was failing at the following place:
>
>> Desired Access:    Read Data/List Directory, Execute/Traverse, Read 
>> Desired Access:    Execute/Traverse, Synchronize
>
>> Apache runs under the limited user "apache" and has read only access 
>> to the bin directory.  Why is it trying to CreateFile there?  (after 
>> giving it full access to that directory, things now work, but I would 
>> prefer to not give it access it doesn't need).
>
> Ignore "CreateFile", that means different things.  Apache needs to be able
> to /see/ its own files, and your permissions don't allow it.  It needs to
> load .dll's - so it needs execute access to the contents of bin/ and /modules
> and traverse/read directory access throughout the filesystem to the program
> and to the files that you will serve.
>
> E.g. your parent directory can't be traverse/no read, because if it can't
> see the attributes or files, it can't decide if you had really intended
> to serve Progra~1/... or Program Files/...
>
>
Actually ignore this post.  What had happened was that I had the proper 
permissions on the folder, but when I dragged the files over from the 
rar archive, I guess it extracted them to the temp folder, and then 
moved them to the current folder, which didn't set the proper 
permissions.  Once I told it to reapply the permissions, setting just 
read/execute on that folder for that user worked.

Russ




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
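
An added example, not part of the original thread or of the Apache project: a PowerShell check for the situation described in the message above, where files under bin carry ACLs that do not give the service account read/execute. The path `C:\Apache2` is an assumed placeholder and the function name is hypothetical; the account name `apache` is from the post.

```powershell
param(
    [string]$ApacheRoot = 'C:\Apache2',   # assumed placeholder path, not from the post
    [string]$Account    = 'apache',       # limited service account named in the post
    [switch]$Fix                          # without -Fix the script only reports
)

$bin     = Join-Path $ApacheRoot 'bin'
$needed  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$sidType = [System.Security.Principal.SecurityIdentifier]
$ntAcct  = New-Object System.Security.Principal.NTAccount($Account)
$sid     = $ntAcct.Translate($sidType).Value

# Files with no Allow ACE that names the account and covers read/execute.
# Limitation: access granted through a group the account belongs to is not counted.
function Get-MissingReadExecute([string]$Path) {
    Get-ChildItem -LiteralPath $Path -Recurse -File | Where-Object {
        $rules = (Get-Acl -LiteralPath $_.FullName).GetAccessRules($true, $true, $sidType)
        -not ($rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $needed) -eq $needed
        })
    }
}

$missing = @(Get-MissingReadExecute $bin)
$missing | ForEach-Object { Write-Output "no read/execute ACE for ${Account}: $($_.FullName)" }

if ($Fix -and $missing.Count -gt 0) {
    # Grant read/execute on bin, inherited by files (OI) and subfolders (CI) ...
    icacls $bin /grant "${Account}:(OI)(CI)RX"
    # ... then replace the children's stale ACLs with the ones inherited from bin.
    icacls (Join-Path $bin '*') /reset /T /C
    $missing = @(Get-MissingReadExecute $bin)
}

Write-Output "$($missing.Count) file(s) still lack read/execute for $Account"
```

Run it from an elevated prompt; the `-Fix` branch is the command-line equivalent of reapplying the folder's permissions to its contents, and it grants nothing beyond read/execute.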