Apache Web DAV incorrect permissions

Bug #540747 reported by Roy Liu on 2010-03-18
This bug affects 10 people

Bug Description

SRU information:
================

[Impact]
This bug stems from WebDAV modifying files to have permissions 600 instead of the standard 644. When this happens, it is impossible for Apache to then go serve out the pages. This basically makes the WebDAV unusable and makes a nasty crond chmod script necessary.

[Development Fix]
First fixed upstream, then brought down as part of apache 2.2.15-3

[Stable Fix]
see attached '99-fix-mod-dav-permissions.dpatch'

[Test Case]
1) Download the original archive from http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.14.orig.tar.gz and build with "./configure --enable-dav-fs=shared --enable-dav-lock=shared --enable-dav=shared".
This should result in a mod_dav_fs.so library in modules/dav/fs/.libs. Place such a shared library in /usr/lib/apache/modules as a replacement for the one already there.
2) Set up a DAV location like so:
<IfModule dav_fs_module>
    <Location "/test">
        DAV on
    </Location>
</IfModule>
3) Use "cadaver" to connect to your server and PUT a file in location "test". The idea is that the permissions come out as 0600 for the standard Lucid installation and 0644 for the vanilla Apache module.

[Regression Potential]
Low. This patch has already been applied upstream and is in use by however many 10.10, 11.04, and 11.10 users. The compiled LTS package has also been tested by someone who is experiencing the original problem.

================
Original report:
================

Binary package hint: apache2

I am a Git pull/push through Apache https user, and I also use the file-based protocol. Recently I noticed that the Git repository was filled with objects of permission -rw------ belonging to www-data, the Apache server username. After further digging, this is not Git's problem, but possibly mod_dav_fs's. In fact, any file transferred with a DAV "PUT" command results in said 0600 permissions.

Although this is arguably a feature of Ubuntu, I found that the behavior differs from a standard Apache server. To reproduce:
1) Download the original archive from http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.14.orig.tar.gz and build with "./configure --enable-dav-fs=shared --enable-dav-lock=shared --enable-dav=shared".
This should result in a mod_dav_fs.so library in modules/dav/fs/.libs. Place such a shared library in /usr/lib/apache/modules as a replacement for the one already there.
2) Set up a DAV location like so:
<IfModule dav_fs_module>
    <Location "/test">
        DAV on
    </Location>
</IfModule>
3) Use "cadaver" to connect to your server and PUT a file in location "test". The idea is that the permissions come out as 0600 for the standard Lucid installation and 0644 for the vanilla Apache module.

Further evidence supporting the idea that the problem arises from Ubuntu packaging is the rather extensive modifications to mod_dav_fs code in the diff found at http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.14-5ubuntu3.diff.gz.

Thank you for your attention!
-Roy

Chuck Short (zulcss) wrote :

This is probably due to one of the mod_dav patches that has been backported from the svn tree. If you try the latest available version of apache you will probably get the same results. If you can verify that it is, otherwise it's a bug that we have.

Regards
chuck

Changed in apache2 (Ubuntu):
status: New → Incomplete
importance: Undecided → Medium

Chuck,

What version is Lucid's apache2.2-bin a backport of? I just tried with the
last 2.2.15 version and the permissions are 644 rather than Ubuntu's 600. I
did this by way of replacing mod_dav_fs.so as described below.

Thanks,
Roy

On Fri, Mar 19, 2010 at 6:30 AM, Chuck Short <email address hidden> wrote:

> This is probably due to the one of the mod_dav patches that has been
> backported from svn tree. if you try the latest available version of
> apache you will probably get the same results. If you can verify that it
> is, otherwise its a bug that we have.
>
> Regards
> chuck
>

Stefan Fritsch (sf-sfritsch) wrote :

The patch is a backport from upstream trunk (2.3.x).

The correct fix would be to use apr_file_open() with APR_OS_DEFAULT permissions instead of apr_file_mktemp() to create the temp file. Unfortunately, I don't think I will have time to fix it in the next week or so.
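The root cause Stefan points to, as an added example that is not code from the page or from mod_dav_fs: on Linux apr_file_mktemp() wraps mkstemp(3), which always creates the file 0600 regardless of umask, whereas apr_file_open() with APR_OS_DEFAULT maps to open(2) with mode 0666, which the umask then trims to 0644. The POSIX calls, the temp directory and the 022 umask are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or (mode_t)-1 if it cannot be stat'ed. */
static mode_t perm_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return (mode_t)-1;
    return st.st_mode & 0777;
}

/* Pre-fix behaviour: create the new file the way apr_file_mktemp() does
 * (mkstemp). POSIX requires mkstemp to create the file S_IRUSR|S_IWUSR,
 * so the umask is irrelevant and the result is always 0600. The file is
 * removed again; only its mode is returned. */
mode_t create_via_mkstemp(const char *dir, mode_t mask)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/dav-put-XXXXXX", dir);
    mode_t old = umask(mask);
    int fd = mkstemp(path);
    umask(old);
    if (fd < 0)
        return (mode_t)-1;
    close(fd);
    mode_t m = perm_bits(path);
    unlink(path);
    return m;
}

/* The fix Stefan describes: open the file with the platform default mode
 * (APR_OS_DEFAULT is 0666) and let the umask trim it like any ordinary
 * write would; with umask 022 that gives 0644. O_EXCL keeps the "must be a
 * fresh file" property the temp-file approach provided. */
mode_t create_via_open(const char *dir, mode_t mask)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/dav-put-%ld.new", dir, (long)getpid());
    mode_t old = umask(mask);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);
    if (fd < 0)
        return (mode_t)-1;
    close(fd);
    mode_t m = perm_bits(path);
    unlink(path);
    return m;
}

int main(void)
{
    const char *dir = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    printf("mkstemp (apr_file_mktemp): %04o\n", (unsigned)create_via_mkstemp(dir, 022));
    printf("open 0666 (apr_file_open):  %04o\n", (unsigned)create_via_open(dir, 022));
    return 0;
}
```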

Roy Liu (royliu) wrote :

Do you think that this could be considered a bug?

Chuck Short (zulcss) on 2010-03-29
Changed in apache2 (Ubuntu):
status: Incomplete → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.14-5ubuntu4

---------------
apache2 (2.2.14-5ubuntu4) lucid; urgency=low

  * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permissions when
    downloading files from webdav (LP: #540747)
  * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381)
 -- Chuck Short <email address hidden> Mon, 29 Mar 2010 13:37:39 -0400

Changed in apache2 (Ubuntu):
status: Confirmed → Fix Released
Roy Liu (royliu) wrote :

It seems that the fix broke mod_dav_fs altogether:

apache2: Syntax error on line 203 of /etc/apache2/apache2.conf: Syntax error on line 2 of /etc/apache2/mods-enabled/dav_fs.load: Cannot load /usr/lib/apache2/modules/mod_dav_fs.so into server: /usr/lib/apache2/modules/mod_dav_fs.so: undefined symbol: dav_file_mktemp
   ...fail!

Mathias Gug (mathiaz) wrote :

On Mon, Mar 29, 2010 at 08:13:15PM -0000, Roy Liu wrote:
> It seems that the fix broke mod_dav_fs altogether:
>
> apache2: Syntax error on line 203 of /etc/apache2/apache2.conf: Syntax error on line 2 of /etc/apache2/mods-enabled/dav_fs.load: Cannot load /usr/lib/apache2/modules/mod_dav_fs.so into server: /usr/lib/apache2/modules/mod_dav_fs.so: undefined symbol: dav_file_mktemp
> ...fail!
>

Please open a new bug.

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Roy Liu (royliu) on 2010-04-07
Changed in apache2 (Ubuntu):
status: Fix Released → Confirmed
status: Confirmed → Fix Released
Roy Liu (royliu) wrote :

Hi, I noticed that the same bug is occurring again. Did the patch get taken out of a newer release?

Andreas Olsson (andol) wrote :

Yes, it was reverted in apache2 2.2.14-5ubuntu5

apache2 (2.2.14-5ubuntu5) lucid; urgency=low

  * Revert 99-fix-mod-dav-permissions.dpatch

 -- Chuck Short <email address hidden> Tue, 30 Mar 2010 07:55:46 -0400

Changed in apache2 (Ubuntu):
status: Fix Released → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.15-5ubuntu1

---------------
apache2 (2.2.15-5ubuntu1) maverick; urgency=low

  * Merge from debian unstable. Remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/control: Add bzr tag and point it to our tree.
    - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381)
    + Dropped:
      - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed.
      - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed.
      - debian/config-dir/apache2.conf: Merged back from debian.
      - mod-reqtimeout functionality: Merge back from debian.
      - debian/patches/204_CVE-2010-0408.dpatch: No longer needed.
      - debian/patches/205_CVE-2010-0434.dpatch: No longer needed.
      - debian/patches/203_fix-ab-segfault.dpatch: No longer needed.

apache2 (2.2.15-5) unstable; urgency=low

  * Conflict with apache package as we now include apachectl. Closes: #579065
  * Remove conflicts with old apache 2.0 modules. The conflicts are not
    necessary anymore as skipping a stable release is not supported anyway.
  * Silence the grep in preinst.

apache2 (2.2.15-4) unstable; urgency=low

  * Move definition of other_vhosts_access.log to new config file
    /etc/apache2/conf.d/other-vhosts-access-log, but disable it
    if it has been disabled by the admin. Closes: #576572. LP: #507616
  * Comment out the contents of mods-available/proxy.conf, as it just
    is a nuisance for use of apache2 as a reverse proxy, which is much
    more common than the use as forward proxy. Extend the comments
    in the file.
  * Change defaults or add example configs for some modules:
    status.conf:
      - enable ExtendedStatus by default
      - enable ProxyStatus by default
      - document SeeRequestTail directive
    proxy_ftp.conf:
      - set 'ProxyFtpDirCharset UTF-8' by default
    ldap.conf:
      - enable /ldap-status page, allow it from localhost by default
    proxy_balancer.conf:
      - add (disabled) example for /balancer-manager page
    ssl.conf:
      - document SSLStrictSNIVHostCheck directive
  * Add symlink from apachectl to apache2ctl to be more compatible with
    upstream. Apache httpd 1.3 hasn't been in Debian for some time.
  * Simplify logrotate script. Closes: #576105
  * Remove empty directory /usr/lib/debug/usr/sbin in mpm packages.
    Closes: #576089
  * Fix apxs2 to work with perl 5.12rc3. Closes: #577239
  * Add source/format file to make lintian happy.

apache2 (2.2.15-3) unstable; urgency=low

  * mod_reqtimeout: backport bugfixes from upstream trunk up to r928881,
    including a fix for mod_proxy CONNECT requests.
  * mod_dav_fs: Use correct permissions when creating new files. LP: #540747

apache2 (2.2.15-2) unstable; urgency=low

  * Make the Files ~ "^\.ht" block in apache2.conf more secure by adding
    Satisfy all. Closes: #572075
  * mod_reqtimeout: Various bug fixes, including:
    - Don't mess up timeouts of mod_proxy's backend connections.
      Closes: #573163

apache2 (2.2.15-1) unstable; urgency=low

  * New upstream ...


Changed in apache2 (Ubuntu):
status: Confirmed → Fix Released

Will this be fixed in the lucid package too? It's LTS so there will be some people staying with it for some time!

Joe Kislo (joe-k12s) wrote :

Agreed. This needs to be on lucid LTS because this basically cripples webDAV... and webDAV is typically something you use in a server environment which is more likely to be running the LTS. I can tell you we're basically SOL on an upgrade from hardy on several servers because of this. We tried running a cronjob every 5 minutes to fix all of the permissions, but it doesn't work well enough to push to production.

Please release the fix for Lucid LTS too.

Changed in apache2 (Ubuntu):
status: Fix Released → Confirmed
Andreas Olsson (andol) wrote :

Florian: The default status describes the most recent version of Ubuntu, including the development version. As long as it is not broken in Natty, the current status should be Fix Released. It looks like Joe has nominated it for a Lucid as well, and if it gets accepted there will be a separate Lucid status line.

Changed in apache2 (Ubuntu):
status: Confirmed → Fix Released

Seems that only three people in the world use webdav on lucid ..
Will it ever be fixed in lucid repositories?

Alexander Fedorov (vester) wrote :

4 =)

I updated my server from hardy to lucid and also discovered this bug.

Alexander Fedorov (vester) wrote :

user@server:~$ dpkg --list | grep apache2
ii apache2 2.2.14-5ubuntu8.4 Apache HTTP Server metapackage
ii apache2-mpm-prefork 2.2.14-5ubuntu8.4 Apache HTTP Server - traditional non-threade
ii apache2-prefork-dev 2.2.14-5ubuntu8.4 Apache development headers - non-threaded MP
ii apache2-utils 2.2.14-5ubuntu8.4 utility programs for webservers
ii apache2.2-bin 2.2.14-5ubuntu8.4 Apache HTTP Server common binary files
ii apache2.2-common 2.2.14-5ubuntu8.4 Apache HTTP Server common files
ii libapache2-mod-php5 5.3.2-1ubuntu4.5 server-side, HTML-embedded scripting languag
ii libapache2-mod-python 3.3.1-8ubuntu2 Python-embedding module for Apache 2

adriankoooo (adriankoooo) wrote :

Hi all,

unfortunately it is still wrong in apache2 2.2.14-5ubuntu8.4

My fix to this issue:

I downloaded from

http://packages.debian.org/squeeze/i386/apache2.2-bin/download

2.2.16 deb binary.

Extracted .deb archive:
dpkg -x apache2.2-bin_2.2.16-6+squeeze1_i386.deb tmp/

Then I replaced old files:
sudo cp tmp/mod_dav* /usr/lib/apache2/modules/

restart, and now it is ok. :)

Brad Marshall (brad-marshall) wrote :

I can confirm this is still happening on lucid (10.04.3) with the following apache versions:

$ dpkg --list | grep apache
ii apache2 2.2.14-5ubuntu8.6 Apache HTTP Server metapackage
ii apache2-mpm-worker 2.2.14-5ubuntu8.6 Apache HTTP Server - high speed threaded mod
ii apache2-utils 2.2.14-5ubuntu8.6 utility programs for webservers
ii apache2.2-bin 2.2.14-5ubuntu8.6 Apache HTTP Server common binary files
ii apache2.2-common 2.2.14-5ubuntu8.6 Apache HTTP Server common files
ii libapache2-mod-python 3.3.1-8ubuntu2 Python-embedding module for Apache 2
ii python-apache-openid 2.0.1-0ubuntu1 OpenID consumer module for Apache

Do you require any more information to debug this issue? Or to get the fix into lucid?

Brad.

Steve Magoun (smagoun) on 2011-10-04
Changed in oem-priority:
importance: Undecided → Medium
Steve Magoun (smagoun) on 2011-10-24
Changed in oem-priority:
status: New → Triaged
Robbie Williamson (robbiew) wrote :

Chuck,

Is it possible to get this fix into Lucid? Or will people need to wait for the next LTS (12.04).

Changed in apache2 (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Chuck Short (zulcss)
milestone: none → lucid-updates
James M. Leddy (jm-leddy) wrote :

There was a typo in the prior patch. I think this branch will fix it. Unfortunately I don't have a copy of Lucid handy so I was not able to compile.

https://code.launchpad.net/~jm-leddy/+junk/apache2

Jochen Fahrner (jofa) wrote :

Please fix this bug on lucid.

James M. Leddy (jm-leddy) wrote :

I've attached the deb files that should fix this issue. Unfortunately as mentioned previously I don't have an LTS machine handy to test this out so I would appreciate any feedback from people having this problem.

Jochen Fahrner (jofa) wrote :

Thank you James. I installed it on my Lucid server and it looks good at a first glance. Permissions are ok now.

James M. Leddy (jm-leddy) wrote :

That's good news. I'll request that this be SRUed.

James M. Leddy (jm-leddy) wrote :

This is the final patch that has been tested to fix the problem.

tags: added: patch
Changed in apache2 (Ubuntu):
status: Fix Released → In Progress
Changed in apache2 (Ubuntu Lucid):
status: Confirmed → In Progress
James M. Leddy (jm-leddy) wrote :

Chuck, would you please apply that patch to the apache2 Lucid branch and switch to fix committed?

Changed in apache2 (Ubuntu):
status: In Progress → Fix Released
James M. Leddy (jm-leddy) wrote :

[Impact]
This bug stems from WebDAV modifying files to have permissions 600 instead of the standard 644. When this happens, it is impossible for Apache to then go serve out the pages. This basically makes the WebDAV unusable and makes a nasty crond chmod script necessary.

[Development Fix]
First fixed upstream, then brought down as part of apache 2.2.15-3

[Stable Fix]
see attached '99-fix-mod-dav-permissions.dpatch'

[Test Case]
1) Download the original archive from http://archive.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.14.orig.tar.gz and build with "./configure --enable-dav-fs=shared --enable-dav-lock=shared --enable-dav=shared".
This should result in a mod_dav_fs.so library in modules/dav/fs/.libs. Place such a shared library in /usr/lib/apache/modules as a replacement for the one already there.
2) Set up a DAV location like so:
<IfModule dav_fs_module>
    <Location "/test">
        DAV on
    </Location>
</IfModule>
3) Use "cadaver" to connect to your server and PUT a file in location "test". The idea is that the permissions come out as 0600 for the standard Lucid installation and 0644 for the vanilla Apache module.

[Regression Potential]
Low. This patch has already been applied upstream and is in use by however many 10.10, 11.04, and 11.10 users. The compiled LTS package has also been tested by someone who is experiencing the original problem.

Changed in oem-priority:
status: Triaged → In Progress
assignee: nobody → James M. Leddy (jm-leddy)
James M. Leddy (jm-leddy) wrote :

Hi, Can this be considered for a stable update release? Please let me know if there is anything more that you need from me. This is my first time requesting a stable update release.

Jochen Fahrner (jofa) wrote :

I had no problems since I did the upgrade on my server.

Alexander Fedorov (vester) wrote :

I followed this instruction ( https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/540747/comments/41 ).
I tried to perform "git push" (via mod_dav), and then checked the files.
It's all right. =)
Thanks James M. Leddy.

I use Ubuntu 10.04.3 LTS i386 on Athlon X2 7850 and Apache from official repos

description: updated
Kevin Krafthefer (krafthefer) wrote :

this is fixed in 12.04

Changed in oem-priority:
status: In Progress → Won't Fix
James M. Leddy (jm-leddy) wrote :

Since everyone is content with using the testing packages attached to this bug, I'm marking this wontfix for now. If you would like a supported package delivered as an SRU, please comment and reopen (if possible).

Changed in apache2 (Ubuntu Lucid):
status: In Progress → Won't Fix
Jochen Fahrner (jofa) wrote :

Why will it not be fixed in Lucid? Is this what you call "long term support"? :-(

Yesterday a software update on my server overwrote James's Debian packages and my webdav was broken again. I spent 2 hours removing the broken updates and installing the patched packages again. This way I'm missing the security updates on my server. :-(

Colin Watson (cjwatson) wrote :

That sounds like a request to have "a supported package delivered as an SRU", per comment #46. Reopening.

Changed in apache2 (Ubuntu Lucid):
status: Won't Fix → In Progress
Alex Tomlins (alex-tomlins) wrote :

I would also like to see "a supported package delivered as an SRU" if possible.

thanks,
Alex

Hello Roy, or anyone else affected,

Accepted apache2 into lucid-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in apache2 (Ubuntu Lucid):
status: In Progress → Fix Committed
tags: added: verification-needed
Jochen Fahrner (jofa) wrote :

Thanks for the fix. I installed apache2 from lucid-proposed. Permissions are ok again.

Colin Watson (cjwatson) on 2012-03-05
tags: added: verification-done
removed: verification-needed
Alex Tomlins (alex-tomlins) wrote :

I've also installed the package from proposed, and all is well.

Alexander Fedorov (vester) wrote :

I've too also installed the package from proposed, and all is well.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.14-5ubuntu8.9

---------------
apache2 (2.2.14-5ubuntu8.9) lucid-proposed; urgency=low

  * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix webdav permissions,
    backported from trunk. Thanks to James M. Leddy (LP: #540747)
 -- Chuck Short <email address hidden> Fri, 02 Mar 2012 14:43:08 -0500

Changed in apache2 (Ubuntu Lucid):
status: Fix Committed → Fix Released