/var/lock/apache2 has wrong owner and group for webdav

Bug #129920 reported by Christian Riesch on 2007-08-02
Affects | Status | Importance | Assigned to | Milestone
apache2 (Debian) | Fix Released | Unknown | |
apache2 (Ubuntu) | | Low | Unassigned |
Feisty | | Low | Mathias Gug |

Bug Description

Binary package hint: apache2.2-common

I'm running apache2.2 (package apache2.2-common 2.2.3-3.2build1) as a webdav server on feisty (amd64).

According to the apache documentation, http://httpd.apache.org/docs/2.2/mod/mod_dav_fs.html, the directory containing the lock database must be readable and writable for the user and group under which apache is running, i.e. www-data.

The lock database is by default set to
DAVLockDB /var/lock/apache2/DAVLock
in
/etc/apache2/mods-available/dav_fs.conf

$ mount | grep lock
varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)

This is a ramdisk, right? So /var/lock/apache2 is created by /etc/init.d/apache2 every time the machine boots, and the owner and group are set to root.
line 97: [ -d /var/lock/apache2 ] || mkdir -p /var/lock/apache2

This ownership prevents apache from accessing the lock database; write access to the dav enabled folders is impossible.

I have changed the line above in /etc/init.d/apache2 to
97: [ -d /var/lock/apache2 ] || { mkdir -p /var/lock/apache2; chown www-data:www-data /var/lock/apache2; }

Is it a good idea to fix it like this?

Thanks, Christian

TESTCASE:

Setup:
  1. Install apache2:
        sudo apt-get install apache2

  2. Enable dav_fs:
        sudo a2enmod dav_fs

  3. Set up dav in the default configuration (/etc/apache2/sites-enabled/000-default):
     Add the following configuration just before </VirtualHost>:

<Location />
        DAV On
</Location>

  4. Reboot the machine:
       sudo reboot

Test:
Using the cadaver web dav client on the command line:

$ cadaver http://localhost/apache2-default/
dav:/apache2-default/> lock index.html
Locking `index.html': failed:
500 Internal Server Error

Expected result:
$ cadaver http://localhost/apache2-default/
dav:/apache2-default/> lock index.html
Locking `index.html': succeeded.

When testing the updated package, make sure to reboot the machine before testing.

description: updated
description: updated

Christian Riesch wrote:

> Is it a good idea to fix it like this?

Without looking at the code - *no*. This will enable an exploit in a web
application to corrupt the locking mechanism. For the same reason, web pages
aren't owned by www-data.

I'll take a look at this...

I have just found this bug already reported for Debian:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=420101

They also fix it by changing ownership in /etc/init.d/apache2.

Christian
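
The condition discussed above can be checked after a reboot with a small audit script. This is an added example, not part of the original report or of the Debian/Ubuntu packaging: it reads the DAVLockDB directive from a configuration file and verifies that the directory holding the lock database exists and belongs to the account Apache runs as. The function name, the return codes and the extra world-writable check are assumptions of this example; it also assumes GNU stat and a lock path without spaces.

```shell
#!/bin/sh
# Added example: audit the directory holding the mod_dav_fs lock database.
# Usage: check_davlock_dir CONF USER GROUP
#   CONF        file with a DAVLockDB directive (dav_fs.conf in this report)
#   USER GROUP  account Apache runs as (www-data in this report)
# Returns: 0 ok, 1 no directive, 2 directory missing, 3 wrong owner/group,
#          4 owner cannot write, 5 world-writable (extra check, an assumption).
# Assumes GNU stat and a lock path without spaces.
check_davlock_dir() {
    conf=$1 want_user=$2 want_group=$3

    # The last uncommented DAVLockDB directive wins; drop optional quotes.
    db=$(awk 'tolower($1) == "davlockdb" { p = $2 } END { print p }' "$conf" \
         2>/dev/null | tr -d '"')
    [ -n "$db" ] || { echo "FAIL: no DAVLockDB directive in $conf"; return 1; }

    # Apache creates the lock files itself, so the parent directory matters.
    dir=$(dirname "$db")
    [ -d "$dir" ] || { echo "FAIL: $dir does not exist"; return 2; }

    # Owner name, group name and octal mode of the directory.
    set -- $(stat -c '%U %G %a' "$dir")
    owner=$1 group=$2 mode=$((0$3))

    if [ "$owner" != "$want_user" ] || [ "$group" != "$want_group" ]; then
        echo "FAIL: $dir is $owner:$group, expected $want_user:$want_group"
        return 3
    fi
    # Owner needs write and search (0300) to create the lock database.
    if [ $((mode & 0300)) -ne $((0300)) ]; then
        echo "FAIL: $dir mode $3 does not let $owner create files"
        return 4
    fi
    # Any local account could tamper with locks if "other" can write.
    if [ $((mode & 0002)) -ne 0 ]; then
        echo "FAIL: $dir mode $3 is world-writable"
        return 5
    fi
    echo "OK: $dir is $owner:$group mode $3"
}

# Run the check when called with arguments, e.g. after a reboot:
#   sh check_davlock.sh /etc/apache2/mods-available/dav_fs.conf www-data www-data
if [ "$#" -eq 3 ]; then check_davlock_dir "$@"; fi
```

On the system described in this report, the check returns 3 after a reboot because the init script recreates the directory as root:root.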

Mathias Gug (mathiaz) wrote :

I've attached a debdiff that fixes the problem for feisty.

The bug has also been fixed in the latest development version of Ubuntu - the Gutsy Gibbon.

Changed in apache2:
importance: Undecided → Low
status: New → In Progress
Martin Pitt (pitti) wrote :

Mathias, is this already fixed in gutsy? If so, please close the task, if not, please get it fixed.

The feisty patch looks good, it just has the wrong version number: Since it introduces source changes, it needs to be 2.2.3-3.2ubuntu1, and you need to do the Maintainer:/XSBC-Original-Maintainer: dance.

Changed in apache2:
status: Unknown → Fix Released
Martin Pitt (pitti) on 2007-08-03
Changed in apache2:
assignee: nobody → mathiaz
status: New → Incomplete
Mathias Gug (mathiaz) wrote :

I've attached a new debdiff that fixes the issues raised above.

Mathias Gug (mathiaz) wrote :

I am also closing the bug because the bug has been fixed in the latest development version of Ubuntu - the Gutsy Gibbon.

Changed in apache2:
status: In Progress → Fix Released
status: Incomplete → In Progress
importance: Undecided → Low
Martin Pitt (pitti) wrote :

Sponsored upload and accepted into feisty-proposed. Please go ahead with QA testing.

Changed in apache2:
status: In Progress → Fix Committed
Mathias Gug (mathiaz) wrote :

apache2 (2.2.3-3.2ubuntu1) feisty-proposed; urgency=low

  * debian/apache2.2-common.init.d: make sure that /var/lock/apache2 is owned
    by www-data. Fixes LP: #129920.
  * debian/control: Set Maintainer to Ubuntu Core Dev and move Debian
    maintainer to XSBC-Original-Maintainer.

 -- Mathias Gug <email address hidden> Fri, 3 Aug 2007 10:03:57 -0400

Changed in apache2:
status: Fix Committed → Fix Released
Martin Pitt (pitti) on 2007-08-03
Changed in apache2:
status: Fix Released → Fix Committed
Martin Pitt (pitti) wrote :

This has been in -proposed for three months now. Christian, Mathias, please make sure to get this verified. If it is not interesting any more, I will remove it from -proposed. Thank you!

Mathias Gug (mathiaz) on 2007-11-19
description: updated

Test completed successfully.

On a Feisty Fawn installation:

With apache2 version 2.2.3-3.2ubuntu0.1, using the cadaver web dav client on the command line, 'lock index.html' fails.
With apache2 version 2.2.3-3.2ubuntu1, using the cadaver web dav client on the command line, 'lock index.html' succeeds.

Martin Pitt (pitti) wrote :

Mathias, sorry, I noticed too late that I cannot move this to -updates: You need to redo the upload and incorporate the security fix in 2.2.3-3.2ubuntu0.1. I can sponsor the upload if necessary.

I removed the current package from -proposed.

Changed in apache2:
status: Fix Committed → In Progress
Mathias Gug (mathiaz) wrote :

I've attached a new debdiff based on the latest security update.

Martin Pitt (pitti) wrote :

Mathias, thanks. I fixed the version number (must be bigger than current -proposed), uploaded, and accepted into feisty-proposed. QA team, please test this again. Thank you!

Changed in apache2:
status: In Progress → Fix Committed
Pedro Villavicencio (pedro) wrote :

Verification completed, with apache2 version 2.2.3-3.2ubuntu2 the "lock index.html" command using the cadaver client works as expected (succeeds), thanks.

Martin Pitt (pitti) wrote :

Copied to feisty-updates, thank you. Waiving the 7-days aging period since this has already been sitting in -proposed for months before.

Changed in apache2:
status: Fix Committed → Fix Released