Hi All,
After upgrade Solaris 11.1 to 11.4 with replacement of Apache 2.2 by 2.4, the browser happily shows the directories with filesystem permission 711 owned *not* by webservd
In shell as webservd user, everything works correctly - I can only traverse the directories but not list them
Puzzle... I'm sure apache runs as webservd... Filesystem is native Solaris 11.4 ZFS
On 10/10/2023 02:51, ARZ Lab wrote:
> Hi All,
> After upgrade Solaris 11.1 to 11.4 with replacement of Apache 2.2 by 2.4, the browser happily shows the directories with filesystem permission 711 owned *not* by webservd
> In shell as webservd user, everything works correctly - I can only traverse the directories but not list them
> Puzzle... I'm sure apache runs as webservd... Filesystem is native Solaris 11.4 ZFS
This has me intrigued, what are you doing with the browser and how is
your web space set up that it can see such things???
Cheers,
Gary B-)
On Friday, October 13, 2023 at 2:29:10 PM UTC+2, Gary R. Schmidt wrote:
> On 10/10/2023 02:51, ARZ Lab wrote:
>> Hi All,
>> After upgrade Solaris 11.1 to 11.4 with replacement of Apache 2.2 by 2.4, the browser happily shows the directories with filesystem permission 711 owned *not* by webservd
>> In shell as webservd user, everything works correctly - I can only traverse the directories but not list them
>> Puzzle... I'm sure apache runs as webservd... Filesystem is native Solaris 11.4 ZFS
> This has me intrigued, what are you doing with the browser and how is
> your web space set up that it can see such things???
> Cheers,
> Gary B-)
Hello Gary, I'm intrigued, too! Can't crack it despite 30-years marriage with UNIX ))
It used to work just fine with Apache 2.2 in Solaris 11.1, but changed after upgrade to 11.4 and 2.4...
I made a simple and clean demo, the prod server behaves the same way
root@inet:/# zoneadm list -iv
ID NAME STATUS PATH BRAND IP
3 inet running / solaris shared
root@inet:/# uname -a
SunOS inet 5.11 11.4.42.111.0 i86pc i386 i86pc non-global-zone
I'm running in NGZ, all right
From /var/apache2/2.4/conf/httpd.conf:
User webservd
DocumentRoot "/var/apache2/2.4/htdocs"
root@inet:/# ps -ef | grep http
webservd 15790 15789 0 Oct 09 ? 0:00 /usr/apache2/2.4/bin/httpd -k start
webservd 15793 15789 0 Oct 09 ? 0:06 /usr/apache2/2.4/bin/httpd -k start
webservd 15809 15789 0 Oct 09 ? 0:27 /usr/apache2/2.4/bin/httpd -k start
webservd 15791 15789 0 Oct 09 ? 0:03 /usr/apache2/2.4/bin/httpd -k start
webservd 15789 1308 0 Oct 09 ? 0:20 /usr/apache2/2.4/bin/httpd -k start
webservd 15792 15789 0 Oct 09 ? 0:02 /usr/apache2/2.4/bin/httpd -k start
webservd 15719 15694 0 16:39:02 pts/10 0:00 grep http
Now watch my fingers!
root@inet:/# find /var/apache2/2.4/htdocs -ls
8200 9 drwx--x--x 4 root root 4 Oct 17 18:24 /var/apache2/2.4/htdocs
8206 9 drwx--x--x 3 root root 3 Oct 9 10:49 /var/apache2/2.4/htdocs/a ##### despite unreadable parent directories...
8207 9 drwxr-xr-x 3 root root 3 Oct 9 10:49 /var/apache2/2.4/htdocs/a/b ##### webservd should be able to reach this directory AND read content
8208 9 d--------- 3 root root 3 Oct 9 10:49 /var/apache2/2.4/htdocs/a/b/c
8209 9 drwx--x--x 2 root root 3 Oct 9 10:49 /var/apache2/2.4/htdocs/a/b/c/d
8213 5 -rw-r--r-- 1 root root 5 Oct 9 10:16 /var/apache2/2.4/htdocs/a/b/c/d/e.txt ##### but should have no way to reach here!
root@inet:/#
root@inet:/# cat /var/apache2/2.4/htdocs/a/b/c/d/e.txt
haha
Yeah, root can of course
root@inet:/#
root@inet:/# su - webservd
webservd@inet:~$
webservd@inet:~$
webservd@inet:~$ id -a
uid=80(webservd) gid=80(webservd) groups=80(webservd)
webservd@inet:~$
webservd@inet:~$
webservd@inet:~$ ls -l /var/apache2/2.4/htdocs
/var/apache2/2.4/htdocs: Permission denied
total 17
webservd@inet:~$ ls -l /var/apache2/2.4/htdocs/a
/var/apache2/2.4/htdocs/a: Permission denied
total 17
webservd@inet:~$ ls -l /var/apache2/2.4/htdocs/a/b
total 17
d--------- 3 root root 3 Oct 9 10:49 c
All as expected so far...
webservd@inet:~$
webservd@inet:~$ ls -l /var/apache2/2.4/htdocs/a/b/c/d/e.txt
/var/apache2/2.4/htdocs/a/b/c/d/e.txt: Permission denied
And this too. But then...
webservd@inet:~$
webservd@inet:~$ curl http://localhost/a/b/c/d/e.txt
haha
webservd@inet:~$
What's going on with Apache? It can read *anything*, just like root! Even though running as webservd... Or isn't?
Pleeease don't tell me I must use Linux ))
Thanks for reading this, I hope you are having fun, too ))
It's not a joke, honestly!
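Added example, not part of the original thread: a small Python check that parses the `find -ls` listing from the post above and reports the first path component whose classic mode bits deny a given user on the way to a target. The function names and the `DOCROOT` constant are assumptions made for this illustration; the listing is the one in the post.

```python
# Listing copied from the `find -ls` output in the post (##### notes dropped).
FIND_LS = """\
8200 9 drwx--x--x 4 root root 4 Oct 17 18:24 /var/apache2/2.4/htdocs
8206 9 drwx--x--x 3 root root 3 Oct 9 10:49 /var/apache2/2.4/htdocs/a
8207 9 drwxr-xr-x 3 root root 3 Oct 9 10:49 /var/apache2/2.4/htdocs/a/b
8208 9 d--------- 3 root root 3 Oct 9 10:49 /var/apache2/2.4/htdocs/a/b/c
8209 9 drwx--x--x 2 root root 3 Oct 9 10:49 /var/apache2/2.4/htdocs/a/b/c/d
8213 5 -rw-r--r-- 1 root root 5 Oct 9 10:16 /var/apache2/2.4/htdocs/a/b/c/d/e.txt
"""
DOCROOT = "/var/apache2/2.4/htdocs"

def parse_find_ls(text):
    """Map path -> (mode string, owner, group) from `find -ls` lines."""
    entries = {}
    for line in text.splitlines():
        f = line.split(None, 10)
        if len(f) == 11:
            entries[f[10]] = (f[2], f[4], f[5])
    return entries

def triad(mode, owner, group, user, groups):
    """Pick the rwx triad that applies: owner, else group, else other."""
    if user == owner:
        bits = mode[1:4]
    elif group in groups:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    return bits.replace("s", "x").replace("t", "x")  # setid/sticky imply x

def first_blocker(entries, target, user, groups, want="r"):
    """Return (path, missing_bit) for the first component between DOCROOT and
    target whose mode bits deny access, or None if the mode bits allow it.
    Directories on the way need 'x' (search); the target itself needs `want`."""
    chain, path = [DOCROOT], DOCROOT
    for part in filter(None, target[len(DOCROOT):].split("/")):
        path += "/" + part
        chain.append(path)
    for p in chain:
        need = want if p == target else "x"
        if need not in triad(*entries[p], user, groups):
            return (p, need)
    return None

if __name__ == "__main__":
    e = parse_find_ls(FIND_LS)
    for t in (DOCROOT, DOCROOT + "/a/b", DOCROOT + "/a/b/c/d/e.txt"):
        print(t, "->", first_blocker(e, t, "webservd", {"webservd"}))
```

This evaluates mode bits only; ACLs and process privileges are not considered. The owner triad of `c` is also `---`, so by mode bits alone no user gets past that directory.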
Very strange. Cannot reproduce it on Solaris 11.4 SRU 62, x86-64,
non-global zone. Will try on SRU 42. What I find strange at a first
glance is that you seem to have Apache's config file sitting in
/var/apache2/2.4/conf/httpd.conf
on a "simple and clean demo". AFAIK, the default place of Apache 2.4's
config on Solaris 11.4 should be
/etc/apache2/2.4/...
I don't have a "conf" subdirectory in "/var/apache/2.4" at all.