From richard at unixguru.nl Wed Jun 24 14:20:16 2009
From: richard at unixguru.nl (Richard Arends)
Date: Wed, 24 Jun 2009 14:20:16 +0200
Subject: [mpm-itk] setuid and NFS (root_squash)
Message-ID: <4A421A00.3090602@unixguru.nl>

Hello list,

For a customer I'm building a webserver with the mpm-itk module. The data (websites per domain) are stored on an NFS server and the root_squash option is used. For security reasons, only the configured UID and GID have access (0750) to the webroot(s). This causes problems, because several stats and lstats are done by mpm-itk on the webroot and .htaccess file, by the root user instead of the configured UID or GID, which of course does not work.

After changing the security bits on a webroot, everything works, but that is not what the customer wants. Is it possible to do the setuid/setgid in an earlier stage in the module, so that all file and directory accesses are done by the configured UID and GID??

-- 
Regards,

Richard.

/* Homo Sapiens non urinat in ventum */

From sgunderson at bigfoot.com Wed Jun 24 15:46:28 2009
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Wed, 24 Jun 2009 15:46:28 +0200
Subject: [mpm-itk] setuid and NFS (root_squash)
In-Reply-To: <4A421A00.3090602@unixguru.nl>
References: <4A421A00.3090602@unixguru.nl>
Message-ID: <20090624134628.GA7939@uio.no>

On Wed, Jun 24, 2009 at 02:20:16PM +0200, Richard Arends wrote:
> After changing the security bits on a webroot, everything works, but
> that is not what the customer wants. Is it possible to do the
> setuid/setgid in an earlier stage in the module, so that all file and
> directory accesses are done by the configured UID and GID??

mpm-itk used to be more or less like this, but it was changed to allow AssignUserID in sections of the configuration file (which among other things makes it stat .htaccess, as you have noticed).

Your best bets are probably either to turn off root squashing (or change the root-squashed user if possible), make the .htaccess files readable, or revert to an older, now-unsupported version of mpm-itk and see if that helps you.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

From richard at unixguru.nl Wed Jun 24 16:21:58 2009
From: richard at unixguru.nl (Richard Arends)
Date: Wed, 24 Jun 2009 16:21:58 +0200
Subject: [mpm-itk] setuid and NFS (root_squash)
In-Reply-To: <20090624134628.GA7939@uio.no>
References: <4A421A00.3090602@unixguru.nl> <20090624134628.GA7939@uio.no>
Message-ID: <4A423686.6030709@unixguru.nl>

Steinar H. Gunderson wrote:

Steinar,

> mpm-itk used to be more or less like this, but it was changed to allow
> AssignUserID in sections of the configuration file (which among
> other things makes it stat .htaccess, as you have noticed).
>
> Your best bets are probably either to turn off root squashing (or change the
> root-squashed user if possible)
>

That's (of course) not an option for my customer.

> , make the .htaccess files readable

The document root isn't readable by root, so changing the permission bits on the .htaccess file does not change anything.

> , or revert to an older, now-unsupported version of mpm-itk and see if that helps you.
>

This could be an option, but the unsupported part could be a problem in the (near) future. If mpm-itk cannot be changed back to the previous method, we (my customer and I) should look for a similar working module, if there is any :(

-- 
Regards,

Richard.

/* Homo Sapiens non urinat in ventum */

From sgunderson at bigfoot.com Wed Jun 24 16:35:24 2009
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Wed, 24 Jun 2009 16:35:24 +0200
Subject: [mpm-itk] setuid and NFS (root_squash)
In-Reply-To: <4A423686.6030709@unixguru.nl>
References: <4A421A00.3090602@unixguru.nl> <20090624134628.GA7939@uio.no> <4A423686.6030709@unixguru.nl>
Message-ID: <20090624143524.GA8616@uio.no>

On Wed, Jun 24, 2009 at 04:21:58PM +0200, Richard Arends wrote:
>> Your best bets are probably either to turn off root squashing (or change the
>> root-squashed user if possible)
> That's (of course) not an option for my customer.

Why? Is there a particular reason?

>> , make the .htaccess files readable
> The document root isn't readable by root, so changing the permission
> bits on the .htaccess file does not change anything.

No, but you could always set the directory as o+x -- that means you could get inside it, but not ls.

> This could be an option, but the unsupported part could be a problem in
> the (near) future. If mpm-itk cannot be changed back to the previous
> method, we (my customer and I) should look for a similar working module,
> if there is any :(

There are several variants -- mpm-perchild and mpm-peruser are the most popular variants, I think, but you also have suexec/suphp and Metux. You could also of course stop using htaccess files, which may or may not fix the problem.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

From richard at unixguru.nl Thu Jun 25 06:31:55 2009
From: richard at unixguru.nl (Richard Arends)
Date: Thu, 25 Jun 2009 06:31:55 +0200
Subject: [mpm-itk] setuid and NFS (root_squash)
In-Reply-To: <20090624143524.GA8616@uio.no>
References: <4A421A00.3090602@unixguru.nl> <20090624134628.GA7939@uio.no> <4A423686.6030709@unixguru.nl> <20090624143524.GA8616@uio.no>
Message-ID: <4A42FDBB.3020400@unixguru.nl>

Steinar H. Gunderson wrote:

Steinar,

> Why? Is there a particular reason?
>

Yes, security reasons. They don't want that a root user on a system can access the data as root user.

>
> No, but you could always set the directory as o+x -- that means you could get
> inside it, but not ls.
>

I tried the +x but it did not work, +r is needed.

> There are several variants -- mpm-perchild and mpm-peruser are the
> most popular variants, I think, but you also have suexec/suphp and Metux.
> You could also of course stop using htaccess files, which may or may not fix
> the problem.
>

The .htaccess files are not the problem. The real problem is that mpm-itk 'stats' the documentroot as root user. Thanks for the pointers, I'm going to have a look at those other 2 modules.

-- 
Regards,

Richard.

/* Homo Sapiens non urinat in ventum */

From sgunderson at bigfoot.com Thu Jun 25 12:38:46 2009
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Thu, 25 Jun 2009 12:38:46 +0200
Subject: [mpm-itk] setuid and NFS (root_squash)
In-Reply-To: <4A42FDBB.3020400@unixguru.nl>
References: <4A421A00.3090602@unixguru.nl> <20090624134628.GA7939@uio.no> <4A423686.6030709@unixguru.nl> <20090624143524.GA8616@uio.no> <4A42FDBB.3020400@unixguru.nl>
Message-ID: <20090625103846.GA21354@uio.no>

On Thu, Jun 25, 2009 at 06:31:55AM +0200, Richard Arends wrote:
>> Why? Is there a particular reason?
> Yes, security reasons. They don't want that a root user on a system
> can access the data as root user.

For all practical purposes, they can anyway, since they can setuid to any user and access the files as them. Of course, if you have data only root can read on the volume, it's different, but in that case you may not want to export that volume over NFS anyway. (Same goes for suid, which only the root user can set -- any volume that is exported over NFS should usually be mounted with nosuid everywhere.)

I'm not saying root-squashing is useless, but the extra security it buys in practice is pretty slim.

>> There are several variants -- mpm-perchild and mpm-peruser are the
>> most popular variants, I think, but you also have suexec/suphp and Metux.
>> You could also of course stop using htaccess files, which may or may not fix
>> the problem.
> The .htaccess files are not the problem. The real problem is that
> mpm-itk 'stats' the documentroot as root user. Thanks for the
> pointers, I'm going to have a look at those other 2 modules.

Hm, Apache actually stats the document root itself? I wonder what it needs that for...

/* Steinar */
-- 
Homepage: http://www.sesse.net/

From jani+mpm-itk at ifi.uio.no Thu Jun 25 15:47:25 2009
From: jani+mpm-itk at ifi.uio.no (Jan Ingvoldstad)
Date: Thu, 25 Jun 2009 15:47:25 +0200
Subject: [mpm-itk] setuid and NFS (root_squash)
In-Reply-To: <20090625103846.GA21354@uio.no> (Steinar H. Gunderson's message of "Thu\, 25 Jun 2009 12\:38\:46 +0200")
References: <4A421A00.3090602@unixguru.nl> <20090624134628.GA7939@uio.no> <4A423686.6030709@unixguru.nl> <20090624143524.GA8616@uio.no> <4A42FDBB.3020400@unixguru.nl> <20090625103846.GA21354@uio.no>
Message-ID:

On Thu, 25 Jun 2009 12:38:46 +0200, "Steinar H. Gunderson" said:

> Hm, Apache actually stats the document root itself? I wonder what it needs
> that for...

It doesn't really need it, it's just there to annoy people with networked file systems or huge amounts of virtualhosts.

--- httpd-2.0.63p/server/core.c 2006-07-12 09:40:55.000000000 +0200 +++ httpd-2.0.63pc/server/core.c 2008-03-04 17:48:22.587707408 +0100 @@ -1128,8 +1128,9 @@ /* TODO: ap_configtestonly && ap_docrootcheck && */ /* XXX Shouldn't this be relative to ServerRoot ??? */ if (apr_filepath_merge((char**)&conf->ap_document_root, NULL, arg, - APR_FILEPATH_TRUENAME, cmd->pool) != APR_SUCCESS - || !ap_is_directory(cmd->pool, arg)) { + APR_FILEPATH_TRUENAME, cmd->pool) != APR_SUCCESS) { +/* Domeneshop 2008-03-04 - avoid NFS overload */ +/* || !ap_is_directory(cmd->pool, arg)) { */ if (cmd->server->is_virtual) { ap_log_perror(APLOG_MARK, APLOG_STARTUP, 0, cmd->pool,

-- 
user interface n1
1. barrier that cuts the user off from using an object, often a computer.
2. fixed and unchangeable picture of how a computer is required to be used.
3. inedible abstraction over human inadequacy.

From sgunderson at bigfoot.com Thu Jun 25 15:55:04 2009
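
Review bot: In the `if` condition around `apr_filepath_merge()`, the `ap_is_directory()` test is commented out for every configuration instead of being made conditional, so a DocumentRoot argument that is not a directory is no longer detected at this point at all. The TODO at the top of the hunk already names `ap_docrootcheck`; gating the stat on a switch like that would keep the check for sites where it is cheap and skip it on NFS-heavy setups. The two added comment lines also start at column 0 and leave a commented-out, unbalanced `{` behind; deleting the line and keeping a one-line note at the surrounding indentation would be easier to maintain across rebases.
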
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Thu, 25 Jun 2009 15:55:04 +0200
Subject: [mpm-itk] setuid and NFS (root_squash)
In-Reply-To:
References: <4A421A00.3090602@unixguru.nl> <20090624134628.GA7939@uio.no> <4A423686.6030709@unixguru.nl> <20090624143524.GA8616@uio.no> <4A42FDBB.3020400@unixguru.nl> <20090625103846.GA21354@uio.no>
Message-ID: <20090625135504.GA23533@uio.no>

On Thu, Jun 25, 2009 at 03:47:25PM +0200, Jan Ingvoldstad wrote:
>> Hm, Apache actually stats the document root itself? I wonder what it needs
>> that for...
> It doesn't really need it, it's just there to annoy people with
> networked file systems or huge amounts of virtualhosts.

Very sympathetic... Perhaps ap_is_directory() should be able to return true/false/error, which would at least solve the permission problem, although not your NFS overload problems.

I'm a bit confused, though -- the code in question seems to emit a warning only for vhosts, it shouldn't be a critical error.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

From jani+mpm-itk at ifi.uio.no Thu Jun 25 23:09:26 2009
From: jani+mpm-itk at ifi.uio.no (Jan Ingvoldstad)
Date: Thu, 25 Jun 2009 23:09:26 +0200
Subject: [mpm-itk] setuid and NFS (root_squash)
In-Reply-To: <20090625135504.GA23533@uio.no> (Steinar H. Gunderson's message of "Thu\, 25 Jun 2009 15\:55\:04 +0200")
References: <4A421A00.3090602@unixguru.nl> <20090624134628.GA7939@uio.no> <4A423686.6030709@unixguru.nl> <20090624143524.GA8616@uio.no> <4A42FDBB.3020400@unixguru.nl> <20090625103846.GA21354@uio.no> <20090625135504.GA23533@uio.no>
Message-ID:

On Thu, 25 Jun 2009 15:55:04 +0200, "Steinar H. Gunderson" said:

> I'm a bit confused, though -- the code in question seems to emit a warning
> only for vhosts, it shouldn't be a critical error.

Hmm, maybe I confused the issue when posting that patch now. Anyway, searching for ap_is_directory() in the source should be helpful; that piece of code performs a lovely stat call, which perhaps can be patched away with great success.

-- 
user interface n1
1. barrier that cuts the user off from using an object, often a computer.
2. fixed and unchangeable picture of how a computer is required to be used.
3. inedible abstraction over human inadequacy.

From richard at unixguru.nl Fri Jun 26 08:11:43 2009
From: richard at unixguru.nl (Richard Arends)
Date: Fri, 26 Jun 2009 08:11:43 +0200
Subject: [mpm-itk] setuid and NFS (root_squash)
In-Reply-To:
References: <4A421A00.3090602@unixguru.nl> <20090624134628.GA7939@uio.no> <4A423686.6030709@unixguru.nl> <20090624143524.GA8616@uio.no> <4A42FDBB.3020400@unixguru.nl> <20090625103846.GA21354@uio.no> <20090625135504.GA23533@uio.no>
Message-ID: <4A44669F.6070601@unixguru.nl>

Jan Ingvoldstad wrote:

> Hmm, maybe I confused the issue when posting that patch now. Anyway,
> searching for ap_is_directory() in the source should be helpful; that
> piece of code performs a lovely stat call, which perhaps can be
> patched away with great success.
>

I did some 'research' and Steinar had it right, the message from Apache about the documentroot is a warning only. In the meantime I rebuilt Apache with the peruser module and that does exactly what my customer wants.

Thanks for the help!

-- 
Regards,

Richard.

/* Homo Sapiens non urinat in ventum */
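
Added example, not part of the original thread and not Apache or mpm-itk code: a C sketch of the true/false/error directory check Steinar suggests above for ap_is_directory(), where a refused stat() (EACCES, as a root-squashed root gets on a 0750 tree) is reported as "unknown" instead of "not a directory". The names dir_check, should_warn and locked_docroot_state and the /tmp scratch path are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names; this is not Apache's ap_is_directory(). */
typedef enum { DIR_NO = 0, DIR_YES = 1, DIR_UNKNOWN = -1 } dir_state;

/* DIR_UNKNOWN: stat() was refused (EACCES), so the caller cannot tell.
 * A root-squashed process gets this on a 0750 tree it does not own. */
dir_state dir_check(const char *path) {
    struct stat st;
    if (stat(path, &st) == 0)
        return S_ISDIR(st.st_mode) ? DIR_YES : DIR_NO;
    return errno == EACCES ? DIR_UNKNOWN : DIR_NO;
}

/* Config-time policy: complain only about a definite "no". */
int should_warn(dir_state s) { return s == DIR_NO; }

/* Constructed scenario: a docroot under a parent the caller may not search.
 * Local root ignores the mode bits; a squashed root on NFS would not.
 * Returns DIR_NO if the scratch tree cannot be created. */
dir_state locked_docroot_state(void) {
    char parent[] = "/tmp/dircheck-XXXXXX";
    char child[64];
    dir_state s = DIR_NO;
    if (!mkdtemp(parent)) return DIR_NO;
    snprintf(child, sizeof child, "%s/site", parent);
    if (mkdir(child, 0750) == 0) {
        chmod(parent, 0000);          /* remove search permission */
        s = dir_check(child);         /* EACCES for a non-root caller */
        chmod(parent, 0700);          /* restore so cleanup can proceed */
        rmdir(child);
    }
    rmdir(parent);
    return s;
}

int main(void) {
    dir_state s = locked_docroot_state();
    printf("locked docroot: state=%d warn=%d\n", s, should_warn(s));
    return 0;
}
```

Run as an unprivileged user, the locked docroot reports "unknown" and no warning; run as local root it reports a directory, because only the NFS server's squashing makes root subject to the mode bits.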