comp.info.servers.unix: Web servers for UNIX platforms.
#1

I'm trying to convert a working module from apache 1 to 2.0.52 on Fedora Core 3.

My problem is that the module seems to be quite disconnected from the rest of the system, and in my tests can't manage to:

1. find if an external file exists: access("path/file",F_OK) returns errno=13 (EACCESS)
2. send signal to a process: signal(pid,SIGCLD) returns errno=1 (EPERM).

The above problems disappear if I change in httpd.conf the user/group from apache/apache to some other account. I conclude that this problem has to do with the permissions of the apache user/group.

Can someone throw some light on the permissions of the apache account, and explain if it's possible for a module to interact with the rest of the system (specifically for the above 2 problems) when running under this default account?

Thanks for any or information,
Harry

#2

"harry dot news" <"harry dot news"@armadillo.fr> said:
> I'm trying to convert a working module from apache 1 to 2.0.52 on
> Fedora Core 3.
> ....
> Can someone throw some light on the permissions of the apache account,
> and explain if it's possible for a module to interact with the rest of
> the system (specifically for the above 2 problems) when running under
> this default account ?

If I recall correctly, Fedora Core 3 distribution has some security-enhancement patches within the OS kernel. Look for 'SELinux', and I think you should find what you're looking for.

--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

#3

harry dot news wrote:
> My problem is that the module seems to be quite disconnected from the
> rest of the system, and in my tests can't manage to:
> 1. find if an external file exists:
>    access("path/file",F_OK) returns errno=13 (EACCESS)
> 2. send signal to a process:
>    signal(pid,SIGCLD) returns errno=1 (EPERM).

That's basic security, and (unless you do something unusual and probably dangerous) is the same in every apache version (and indeed in its predecessor, the NCSA server).

Corollary: since you're converting a 1.x module, you can install and test that on the same system as a control.

> The above problems disappear if I change in httpd.conf the user/group
> from apache/apache to some other account.
> I conclude that this problem has to do with the permissions of the
> apache user/group.

That'll be down to the setup on your platform (see Juha's reply for a likely culprit).

--
Nick Kew

#4

Thanks for the answers, but SELinux doesn't seem to explain the problem.

The file /etc/selinux/config contains the lines -

    SELINUX=disabled
    SELINUXTYPE=targeted

which seems to rule out SELinux. Is this correct?

Harry

Juha Laiho wrote:
> "harry dot news" <"harry dot news"@armadillo.fr> said:
>
>>I'm trying to convert a working module from apache 1 to 2.0.52 on
>>Fedora Core 3.
>
> ...
>
>>Can someone throw some light on the permissions of the apache account,
>>and explain if it's possible for a module to interact with the rest of
>>the system (specifically for the above 2 problems) when running under
>>this default account ?
>
> If I recall correctly, Fedora Core 3 distribution has some
> security-enhancement patches within the OS kernel. Look for 'SELinux', and
> I think you should find what you're looking for.