From fhdata at unm.edu Thu Jun 19 23:55:48 2014
From: fhdata at unm.edu (fhdata)
Date: Thu, 19 Jun 2014 15:55:48 -0600
Subject: [mpm-itk] in AssignUserID the groupname is being ignored
Message-ID: <53A35C64.8080801@unm.edu>

hello,

apache 2.2.22 MPM-ITK

in more testing I found out that somehow the groupname is being
ignored: i.e. with correct user and wrong groupname I can
access the page!

This test involves a simple case with 1 Virtualhost definition in
which I have :

AssignUserID

Thank you for any tips you may have on this.....
Am I not seeing something?

F-


From knut at auvor.no Fri Jun 20 00:10:53 2014
From: knut at auvor.no (Knut Auvor Grythe)
Date: Fri, 20 Jun 2014 00:10:53 +0200
Subject: [mpm-itk] in AssignUserID the groupname is being ignored
In-Reply-To: <53A35C64.8080801@unm.edu>
References: <53A35C64.8080801@unm.edu>
Message-ID: <20140619221053.GZ3202@pvv.ntnu.no>

On Thu, Jun 19, 2014 at 03:55:48PM -0600, fhdata wrote:
> in more testing I found out that somehow the groupname is being
> ignored: i.e. with correct user and wrong groupname I can
> access the page!

I don't understand the problem. First of all, if you're the owner of a
file, you do not need to be a member of the group to access it. If you
want to test group permissions, you are better off trying with another
user who is or isn't a member of the group.

Secondly, what do you mean with "access the page"? I hope you mean
access the files, because otherwise you appear to have misunderstood
what MPM-ITK is for.

Would you mind providing more details about what precisely you are
doing?

--
Knut Auvor


From kh at ipimp.at Fri Jun 20 00:13:07 2014
From: kh at ipimp.at (Kim Henriksen)
Date: Fri, 20 Jun 2014 00:13:07 +0200
Subject: [mpm-itk] in AssignUserID the groupname is being ignored
In-Reply-To: <53A35C64.8080801@unm.edu>
References: <53A35C64.8080801@unm.edu>

Who is the owner of the files which Apache is serving and what is the
permission?

On Thu, Jun 19, 2014 at 11:55 PM, fhdata wrote:
> hello,
>
> apache 2.2.22 MPM-ITK
>
> in more testing I found out that somehow the groupname is being
> ignored: i.e. with correct user and wrong groupname I can
> access the page!
>
> This test involves a simple case with 1 Virtualhost definition in
> which I have :
>
> AssignUserID
>
> Thank you for any tips you may have on this.....
> Am I not seeing something?
>
> F-
>
> _______________________________________________
> mpm-itk mailing list
> mpm-itk at err.no
> http://lists.err.no/mailman/listinfo/mpm-itk

--
Regards,
Kim Henriksen


From fhdata at unm.edu Fri Jun 20 00:52:47 2014
From: fhdata at unm.edu (fhdata)
Date: Thu, 19 Jun 2014 16:52:47 -0600
Subject: [mpm-itk] in AssignUserID the groupname is being ignored
In-Reply-To: <20140619221053.GZ3202@pvv.ntnu.no>
References: <53A35C64.8080801@unm.edu> <20140619221053.GZ3202@pvv.ntnu.no>
Message-ID: <53A369BF.3000507@unm.edu>

On 2014-06-19 4:10 PM, Knut Auvor Grythe wrote:
> On Thu, Jun 19, 2014 at 03:55:48PM -0600, fhdata wrote:
>> in more testing I found out that somehow the groupname is being
>> ignored: i.e. with correct user and wrong groupname I can
>> access the page!
> I don't understand the problem. First of all, if you're the owner of a
> file, you do not need to be a member of the group to access it. If you
> want to test group permissions, you are better off trying with another
> user who is or isn't a member of the group.
>
> Secondly, what do you mean with "access the page"? I hope you mean
> access the files, because otherwise you appear to have misunderstood
> what MPM-ITK is for.
>
> Would you mind providing more details about what precisely you are
> doing?
>
more likely my misunderstanding of ITK :-)
here is my test's details; I hope it helps.
In an ideal world, some flag somehow should
have been raised in my opinion ...

webu03 is not a member of bucket
webu03 is not a member of sasgrp

going to http://beta3.unm.edu I can view index.html

4 -rw------- 1 webu03 bucket  338 Jun 19 16:19 index.html
4 drwx------ 6 webu03 bucket 4096 Jun 13 15:21 beta3.unm.edu/

AssignUserId webu03 sasgrp
ServerName beta3.unm.edu
DocumentRoot /webu03/Sites/beta3.unm.edu/

Thank you,
F-


From knut at auvor.no Fri Jun 20 02:23:43 2014
From: knut at auvor.no (Knut Auvor Grythe)
Date: Fri, 20 Jun 2014 02:23:43 +0200
Subject: [mpm-itk] in AssignUserID the groupname is being ignored
In-Reply-To: <53A369BF.3000507@unm.edu>
References: <53A35C64.8080801@unm.edu> <20140619221053.GZ3202@pvv.ntnu.no> <53A369BF.3000507@unm.edu>
Message-ID: <20140620002343.GA3202@pvv.ntnu.no>

On Thu, Jun 19, 2014 at 04:52:47PM -0600, fhdata wrote:
>> Would you mind providing more details about what precisely you are
>> doing?
>
> more likely my misunderstanding of ITK :-)
> here is my test's details; I hope it helps.

No, it seems you have misunderstood how unix permissions work :-)

> In an ideal world, some flag somehow should
> have been raised in my opinion ...

I'm raising the flag right now. You need to learn more about unix
permissions ;-) This has nothing to do with MPM-ITK, and is working as
it should.

> webu03 is not a member of bucket
> webu03 is not a member of sasgrp
>
> going to http://beta3.unm.edu I can view index.html
>
> 4 -rw------- 1 webu03 bucket  338 Jun 19 16:19 index.html
> 4 drwx------ 6 webu03 bucket 4096 Jun 13 15:21 beta3.unm.edu/

In this scenario, the group of index.html has no effect, since the
permissions for "group" and "other" are the same. Unix permissions do
not require the user to be member of the group owning the file. What
your permissions say is literally this:

  If you're the owner of the file, you can read and write
  Otherwise, if you're a member of the group, you get no access
  Otherwise, you get no access

Notice the use of "otherwise".

I suggest you play around a bit with some files in a unix system,
without going through a web server. You will find that it behaves the
same there.

> AssignUserId webu03 sasgrp
> ServerName beta3.unm.edu
> DocumentRoot /webu03/Sites/beta3.unm.edu/

This is a completely valid use-case, and IMHO MPM-ITK should not say
anything in this scenario. Consider, for example, that you wanted to
give the group "bucket" read access to the files locally, but wanted
the web server to own them. This is, and should be, possible without
changing the group memberships of the web server.

--
Knut Auvor


From fxmulder at gmail.com Mon Jun 23 19:13:22 2014
From: fxmulder at gmail.com (James Devine)
Date: Mon, 23 Jun 2014 12:13:22 -0500
Subject: [mpm-itk] unable to check htaccess file

I am looking to upgrade machines from ubuntu 12.04 to 14.04. We use
mpm-itk to isolate sites by permissions. This worked fine in 12.04 but
in 14.04 we are now seeing the error 'pcfg_openfile: unable to check
htaccess file' returning a 403 when trying to access any sites.

The document root directories are chmod 700 to prevent outside access
to them. If I chmod 755 the sites work. They also work if I change the
ownership to the www-data user. I pulled the latest 2.4.7 module from
the archive link but this didn't seem to fix it.

Any ideas?


From kh at ipimp.at Mon Jun 23 19:33:23 2014
From: kh at ipimp.at (Kim Henriksen)
Date: Mon, 23 Jun 2014 19:33:23 +0200
Subject: [mpm-itk] unable to check htaccess file

Does the user have read perm to the htaccess file?

On Mon, Jun 23, 2014 at 7:13 PM, James Devine wrote:
> I am looking to upgrade machines from ubuntu 12.04 to 14.04. We use
> mpm-itk to isolate sites by permissions. This worked fine in 12.04 but
> in 14.04 we are now seeing the error 'pcfg_openfile: unable to check
> htaccess file' returning a 403 when trying to access any sites.
>
> The document root directories are chmod 700 to prevent outside access
> to them. If I chmod 755 the sites work. They also work if I change the
> ownership to the www-data user. I pulled the latest 2.4.7 module from
> the archive link but this didn't seem to fix it.
>
> Any ideas?

--
Regards,
Kim Henriksen


From linux at danielgibbs.net Mon Jun 23 19:34:29 2014
From: linux at danielgibbs.net (Gibbs)
Date: Mon, 23 Jun 2014 18:34:29 +0100
Subject: [mpm-itk] unable to check htaccess file
Message-ID: <53A86525.10307@danielgibbs.net>

On 23/06/14 18:13, James Devine wrote:
>
> The document root directories are chmod 700 to prevent outside access
> to them. If I chmod 755 the sites work. They also work if I change
> the ownership to the www-data user. I pulled the latest 2.4.7 module
> from the archive link but this didn't seem to fix it.

Have you set AssignUserId for each virtual host? It sounds like Apache
is running as www-data which it shouldn't if ITK is running correctly
for other users. Also check permissions of the user's root directory
(/home/user/) etc.

I am using Apache 2.4.7 with Ubuntu 14.04 and my setup is working so
far (still migrating).

Gibbs

(replying to list. I always reply to sender by accident).


From fxmulder at gmail.com Mon Jun 23 19:39:51 2014
From: fxmulder at gmail.com (James Devine)
Date: Mon, 23 Jun 2014 12:39:51 -0500
Subject: [mpm-itk] unable to check htaccess file
In-Reply-To: <53A86525.10307@danielgibbs.net>
References: <53A86525.10307@danielgibbs.net>

yes AssignUserId #43959 is set in the virtualhost I am using for
testing, and if I print posix_getuid() in the php file I am accessing
I get 43959 back so it appears to be running as the correct user when
accessing the php file. In this case there is no .htaccess file, it
is just having problems looking for the .htaccess file because the
document root directory is chmod 700.

On Mon, Jun 23, 2014 at 12:34 PM, Gibbs wrote:
> On 23/06/14 18:13, James Devine wrote:
>
>> The document root directories are chmod 700 to prevent outside access
>> to them. If I chmod 755 the sites work. They also work if I change
>> the ownership to the www-data user. I pulled the latest 2.4.7 module
>> from the archive link but this didn't seem to fix it.
>
> Have you set AssignUserId for each virtual host? It sounds like Apache
> is running as www-data which it shouldn't if ITK is running correctly
> for other users. Also check permissions of the user's root directory
> (/home/user/) etc.
>
> I am using Apache 2.4.7 with Ubuntu 14.04 and my setup is working so
> far (still migrating).
>
> Gibbs
>
> (replying to list. I always reply to sender by accident).


From knut at auvor.no Mon Jun 23 21:43:01 2014
From: knut at auvor.no (Knut Auvor Grythe)
Date: Mon, 23 Jun 2014 21:43:01 +0200
Subject: [mpm-itk] unable to check htaccess file
Message-ID: <20140623194301.GE3202@pvv.ntnu.no>

On Mon, Jun 23, 2014 at 12:13:22PM -0500, James Devine wrote:
> I am looking to upgrade machines from ubuntu 12.04 to 14.04. We use
> mpm-itk to isolate sites by permissions. This worked fine in 12.04 but
> in 14.04 we are now seeing the error 'pcfg_openfile: unable to check
> htaccess file' returning a 403 when trying to access any sites.
>
> The document root directories are chmod 700 to prevent outside access
> to them. If I chmod 755 the sites work. They also work if I change the
> ownership to the www-data user. I pulled the latest 2.4.7 module from
> the archive link but this didn't seem to fix it.

There was a change a few years ago allowing different uids on a
per-directory basis, allowing setups like /~user/ where each user's data
was running as a separate UID. However, as a side-effect, this requires
root to be able to read the .htaccess file. Don't worry, your users
can't chuid using htaccess, but due to the order in which apache
assembles the configuration it still reads .htaccess before the chuid
call.

If you're using NFS with root_squash, this means that you'll either need
to set your directories +x (no +r necessary), or set AllowOverride none
on a parent directory (this will make Apache stop trying to open the
.htaccess file, ignoring everything inside).

I'm not sure if this is what you're experiencing (the part with www-data
fixing it doesn't quite fit the bill), but at least it's a data point.

--
Knut Auvor


From fxmulder at gmail.com Mon Jun 23 23:01:56 2014
From: fxmulder at gmail.com (James Devine)
Date: Mon, 23 Jun 2014 16:01:56 -0500
Subject: [mpm-itk] unable to check htaccess file
In-Reply-To: <20140623194301.GE3202@pvv.ntnu.no>
References: <20140623194301.GE3202@pvv.ntnu.no>

Good call, we run an NFS client attached to the internal NFS server of
a gluster setup. I tested with a document root on local disk and it
works fine even with 700 perms. Root does seem to have both read and
write access to the remote disk though.

On Mon, Jun 23, 2014 at 2:43 PM, Knut Auvor Grythe wrote:
> On Mon, Jun 23, 2014 at 12:13:22PM -0500, James Devine wrote:
>> I am looking to upgrade machines from ubuntu 12.04 to 14.04. We use
>> mpm-itk to isolate sites by permissions. This worked fine in 12.04 but
>> in 14.04 we are now seeing the error 'pcfg_openfile: unable to check
>> htaccess file' returning a 403 when trying to access any sites.
>>
>> The document root directories are chmod 700 to prevent outside access
>> to them. If I chmod 755 the sites work. They also work if I change the
>> ownership to the www-data user. I pulled the latest 2.4.7 module from
>> the archive link but this didn't seem to fix it.
>
> There was a change a few years ago allowing different uids on a
> per-directory basis, allowing setups like /~user/ where each user's data
> was running as a separate UID. However, as a side-effect, this requires
> root to be able to read the .htaccess file. Don't worry, your users
> can't chuid using htaccess, but due to the order in which apache
> assembles the configuration it still reads .htaccess before the chuid
> call.
>
> If you're using NFS with root_squash, this means that you'll either need
> to set your directories +x (no +r necessary), or set AllowOverride none
> on a parent directory (this will make Apache stop trying to open the
> .htaccess file, ignoring everything inside).
>
> I'm not sure if this is what you're experiencing (the part with www-data
> fixing it doesn't quite fit the bill), but at least it's a data point.
>
> --
> Knut Auvor


From fxmulder at gmail.com Tue Jun 24 17:49:11 2014
From: fxmulder at gmail.com (James Devine)
Date: Tue, 24 Jun 2014 10:49:11 -0500
Subject: [mpm-itk] unable to check htaccess file
References: <20140623194301.GE3202@pvv.ntnu.no>

Comparing the old servers to the new one, the old servers running apache
2.2.22 have multiple apache processes running as root, the rest as UIDs
of the users they're accessing. The new server running apache 2.4.7 only
has 1 apache process running as root, the rest as the www-data user.
Does this sound right? The old servers are configured to run as
www-data even though no processes are actually running as that. If I
change the config in the new server to set User as root it won't start
stating I need to recompile with '-DBIG_SECURITY_HOLE'

On Mon, Jun 23, 2014 at 4:01 PM, James Devine wrote:
> Good call, we run an NFS client attached to the internal NFS server of
> a gluster setup. I tested with a document root on local disk and it
> works fine even with 700 perms. Root does seem to have both read and
> write access to the remote disk though.
>
> On Mon, Jun 23, 2014 at 2:43 PM, Knut Auvor Grythe wrote:
>> On Mon, Jun 23, 2014 at 12:13:22PM -0500, James Devine wrote:
>>> I am looking to upgrade machines from ubuntu 12.04 to 14.04. We use
>>> mpm-itk to isolate sites by permissions. This worked fine in 12.04 but
>>> in 14.04 we are now seeing the error 'pcfg_openfile: unable to check
>>> htaccess file' returning a 403 when trying to access any sites.
>>>
>>> The document root directories are chmod 700 to prevent outside access
>>> to them. If I chmod 755 the sites work. They also work if I change the
>>> ownership to the www-data user. I pulled the latest 2.4.7 module from
>>> the archive link but this didn't seem to fix it.
>>
>> There was a change a few years ago allowing different uids on a
>> per-directory basis, allowing setups like /~user/ where each user's data
>> was running as a separate UID. However, as a side-effect, this requires
>> root to be able to read the .htaccess file. Don't worry, your users
>> can't chuid using htaccess, but due to the order in which apache
>> assembles the configuration it still reads .htaccess before the chuid
>> call.
>>
>> If you're using NFS with root_squash, this means that you'll either need
>> to set your directories +x (no +r necessary), or set AllowOverride none
>> on a parent directory (this will make Apache stop trying to open the
>> .htaccess file, ignoring everything inside).
>>
>> I'm not sure if this is what you're experiencing (the part with www-data
>> fixing it doesn't quite fit the bill), but at least it's a data point.
>>
>> --
>> Knut Auvor


From sgunderson at bigfoot.com Tue Jun 24 17:53:46 2014
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Tue, 24 Jun 2014 17:53:46 +0200
Subject: [mpm-itk] unable to check htaccess file
References: <20140623194301.GE3202@pvv.ntnu.no>
Message-ID: <20140624155346.GA15725@sesse.net>

On Tue, Jun 24, 2014 at 10:49:11AM -0500, James Devine wrote:
> Comparing the old servers to the new one, the old servers running apache
> 2.2.22 have multiple apache processes running as root, the rest as UIDs
> of the users they're accessing. The new server running apache 2.4.7 only
> has 1 apache process running as root, the rest as the www-data user.
> Does this sound right?

It's a bit of an illusion. They do have the setuid/setgid capabilities
(although those are restricted somewhat by seccomp), so they are in a
sense closer to root than www-data, even though the latter is what's
displayed.

> The old servers are configured to run as www-data even though
> no processes are actually running as that.

For mpm-itk under Apache 2.2.x, the User/Group setting only means the
default uid/gid for when you don't set AssignUserID for a vhost.

/* Steinar */
--
Homepage: http://www.sesse.net/


From fxmulder at gmail.com Tue Jun 24 21:41:01 2014
From: fxmulder at gmail.com (James Devine)
Date: Tue, 24 Jun 2014 14:41:01 -0500
Subject: [mpm-itk] unable to check htaccess file
In-Reply-To: <20140624155346.GA15725@sesse.net>
References: <20140623194301.GE3202@pvv.ntnu.no> <20140624155346.GA15725@sesse.net>

Gotcha, well I've traced the error to a call to ap_run_open_htaccess
inside apache itself. getuid() returns 33 (www-data) right before this
call, on the local filesystem this call returns APR_ENOTDIR and on the
remote filesystem it returns APR_EACCES. The document root directory
has 700 permissions and is owned by uid 43959 in both cases so I'm not
sure how uid 33 would be able to access it locally. I'm guessing
something else is going on but this was as far as I was able to trace
it, I can't find the definition for ap_run_open_htaccess() anywhere in
the source

On Tue, Jun 24, 2014 at 10:53 AM, Steinar H. Gunderson
<sgunderson at bigfoot.com> wrote:
> On Tue, Jun 24, 2014 at 10:49:11AM -0500, James Devine wrote:
>> Comparing the old servers to the new one, the old servers running apache
>> 2.2.22 have multiple apache processes running as root, the rest as UIDs
>> of the users they're accessing. The new server running apache 2.4.7 only
>> has 1 apache process running as root, the rest as the www-data user.
>> Does this sound right?
>
> It's a bit of an illusion. They do have the setuid/setgid capabilities
> (although those are restricted somewhat by seccomp), so they are in a
> sense closer to root than www-data, even though the latter is what's
> displayed.
>
>> The old servers are configured to run as www-data even though
>> no processes are actually running as that.
>
> For mpm-itk under Apache 2.2.x, the User/Group setting only means the
> default uid/gid for when you don't set AssignUserID for a vhost.
>
> /* Steinar */
> --
> Homepage: http://www.sesse.net/


From sgunderson at bigfoot.com Tue Jun 24 21:49:07 2014
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Tue, 24 Jun 2014 21:49:07 +0200
Subject: [mpm-itk] unable to check htaccess file
References: <20140623194301.GE3202@pvv.ntnu.no> <20140624155346.GA15725@sesse.net>
Message-ID: <20140624194907.GA1820@sesse.net>

On Tue, Jun 24, 2014 at 02:41:01PM -0500, James Devine wrote:
> getuid() returns 33 (www-data) right before this call, on
> the local filesystem this call returns APR_ENOTDIR and on the remote
> filesystem it returns APR_EACCES. The document root directory has 700
> permissions and is owned by uid 43959 in both cases so I'm not sure how
> uid 33 would be able to access it locally.

Again, it has extra capabilities that getuid wouldn't pick up. In
particular, CAP_DAC_READ_SEARCH. I don't know if these would work well
over NFS or not, but from what you're saying, probably not.

> I'm guessing something else is
> going on but this was as far as I was able to trace it, I can't find the
> definition for ap_run_open_htaccess() anywhere in the source

It's in Apache since 2.4.7, if I recall correctly.

/* Steinar */
--
Homepage: http://www.sesse.net/
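The two threads above turn on the same check: Knut's "otherwise" rule for owner/group/other bits, and Steinar's point that an ITK child running as uid 33 still carries CAP_DAC_READ_SEARCH on a local filesystem, while an NFS server judges the request by uid/gid alone. The following Python model of that check is an added example, not code from the thread, Apache or mpm-itk; the uids/gids for webu03, bucket and sasgrp and the root_squash anonymous id 65534 are constructed assumptions, while 33 and 43959 are the values quoted in the thread.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # the three bits of one permission class (rwx)


@dataclass(frozen=True)
class Inode:
    mode: int           # permission bits only, e.g. 0o600
    uid: int
    gid: int
    is_dir: bool = False


@dataclass(frozen=True)
class Proc:
    uid: int
    gid: int
    groups: frozenset = frozenset()   # supplementary groups
    caps: frozenset = frozenset()     # e.g. {"CAP_DAC_READ_SEARCH"}


def perm_class(f: Inode, p: Proc) -> str:
    """Exactly one class is consulted: owner, otherwise group, otherwise other."""
    if p.uid == f.uid:
        return "owner"
    if p.gid == f.gid or f.gid in p.groups:
        return "group"
    return "other"


def dac_allowed(f: Inode, p: Proc, want: int) -> bool:
    """Local kernel check: capability bypass first, then the one class's bits."""
    if "CAP_DAC_READ_SEARCH" in p.caps:
        # bypasses read checks on files and read/search checks on directories
        want &= ~((R | X) if f.is_dir else R)
    shift = {"owner": 6, "group": 3, "other": 0}[perm_class(f, p)]
    return (want & ~((f.mode >> shift) & 7)) == 0


def nfs_allowed(f: Inode, p: Proc, want: int, root_squash: bool = True) -> bool:
    """Server-side check (AUTH_SYS, simplified): uid/gids travel, client caps do not."""
    uid, gid = p.uid, p.gid
    if root_squash and uid == 0:
        uid, gid = 65534, 65534   # assumption: default anonuid/anongid
    # an unsquashed uid 0 gets the server's own root override, nobody else gets any
    caps = frozenset({"CAP_DAC_READ_SEARCH"}) if uid == 0 else frozenset()
    return dac_allowed(f, Proc(uid, gid, p.groups, caps), want)


# Constructed ids; 33 (www-data) and 43959 are the values quoted in the thread.
WEBU03, BUCKET, SASGRP = 5001, 2001, 2002
WWW_DATA, SITE_UID = 33, 43959
INDEX = Inode(0o600, WEBU03, BUCKET)                     # -rw------- webu03 bucket
DOCROOT = Inode(0o700, SITE_UID, SITE_UID, is_dir=True)  # drwx------ site user


def thread_scenarios() -> dict:
    """Each key restates one claim from the thread; the value is the model's verdict."""
    webu03_as_sasgrp = Proc(WEBU03, SASGRP)   # AssignUserId webu03 sasgrp
    bucket_member = Proc(1000, BUCKET)
    stranger = Proc(1001, 4000)
    itk_child = Proc(WWW_DATA, WWW_DATA, caps=frozenset({"CAP_DAC_READ_SEARCH"}))
    root = Proc(0, 0, caps=itk_child.caps)
    return {
        "owner_with_wrong_group_reads_0600": dac_allowed(INDEX, webu03_as_sasgrp, R),
        "group_member_reads_0600": dac_allowed(INDEX, bucket_member, R),
        # "otherwise" is exclusive: a member gets the group bits (0), never the other bits (4)
        "group_member_reads_0604": dac_allowed(Inode(0o604, WEBU03, BUCKET), bucket_member, R),
        "other_reads_0604": dac_allowed(Inode(0o604, WEBU03, BUCKET), stranger, R),
        "www_data_searches_0700_docroot_local": dac_allowed(DOCROOT, itk_child, X),
        "www_data_searches_0700_docroot_nfs": nfs_allowed(DOCROOT, itk_child, X),
        "root_searches_0700_docroot_nfs_squashed": nfs_allowed(DOCROOT, root, X),
        "root_searches_0700_docroot_nfs_no_squash": nfs_allowed(DOCROOT, root, X, root_squash=False),
    }
```

The first four entries reproduce Knut's reading of `-rw-------`; the last four reproduce why a 700 docroot opens locally for the www-data child but returns EACCES over NFS, and why `+x` on the directory or `AllowOverride None` sidesteps the .htaccess probe.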