/var/lock/apache2 has wrong owner and group for webdav
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apache2 (Debian) |
Fix Released
|
Unknown
|
|||
apache2 (Ubuntu) |
Fix Released
|
Low
|
Unassigned | ||
Feisty |
Fix Released
|
Low
|
Mathias Gug |
Bug Description
Binary package hint: apache2.2-common
I'm running apache2.2 (package apache2.2-common 2.2.3-3.2build1) as a webdav server on feisty (amd64).
According to the apache documentation, http://
The lock database is by default set to
DAVLockDB /var/lock/
in
/etc/apache2/
$ mount | grep lock
varlock on /var/lock type tmpfs (rw,noexec,
This is am ramdisk, right? So /var/lock/apache2 is created at every time the machine boots by /etc/init.
line 97: [ -d /var/lock/apache2 ] || mkdir -p /var/lock/apache2
This ownership prevents apache from accessing the lock database, write access to the dav enabled folders is impossible.
I have changed the line above in /etc/init.d/apache2 to
97: [ -d /var/lock/apache2 ] || { mkdir -p /var/lock/apache2; chown www-data:www-data /var/lock/apache2; }
Is it a good idea to fix it like this?
Thanks, Christian
TESTCASE:
Setup:
1.Install apache2:
sudo apt-get install apache2
2.Enable dav_fs:
sudo a2enmod dav_fs
3.Setup dav in default configuration (/etc/apache2/
Add the following configuration just before </VirtualHost>
<Location />
DAV On
</Location>
4. Reboot the machine:
sudo reboot
Test:
Using the cadaver web dav client on the command line:
$ cadaver http://
dav:/apache2-
Locking `index.html': failed:
500 Internal Server Error
Expected result:
$ cadaver http://
dav:/apache2-
Locking `index.html': succeeded.
When testing the updated package, make sure to reboot the machine before testing.
description: | updated |
description: | updated |
Changed in apache2: | |
status: | Unknown → Fix Released |
Changed in apache2: | |
assignee: | nobody → mathiaz |
status: | New → Incomplete |
Changed in apache2: | |
status: | Fix Released → Fix Committed |
description: | updated |
Christian Riesch wrote:
> Is it a good idea to fix it like this?
Without looking at the code - *no*. This will enable exploit in web
application to corrupt locking mechanism. For the same reason, web pages
aren't owned by www-data.
I'll take a look at this...