[apparmor] [patch] split off apache permissions to abstractions/apache2-common

Christian Boltz apparmor at cboltz.de
Thu Dec 29 17:50:51 UTC 2011


Hello,

On Wednesday, 28 December 2011, John Johansen wrote:
> On 12/21/2011 04:17 PM, Christian Boltz wrote:
> > Note: My version of abstractions/apache2-common does not allow
> > reading /.htaccess (I changed /**.htaccess ->  /**/.htaccess) which
> > slightly reduces permissions for ^HANDLING_UNTRUSTED_INPUT.
> > However I doubt someone has a .htaccess in / ;-)
> 
> Ugh, tbh I don't even like /**/.htaccess can we perhaps add a tunable
> for this, even if the base value used is just /**/
> 
> Basically I really don't like letting .htaccess reside just about
> anywhere, and maybe a tunable would make this more palatable

I agree that .htaccess everywhere doesn't really make sense, and sane 
apache configurations have "AllowOverride none" for / and only allow 
AllowOverride (aka using a .htaccess file) in the docroot.

Nevertheless, there is a big problem - if apache finds a .htaccess file 
and can't read it (after chmod 000 or because AppArmor blocks it), you 
get a nice log message:

    [Thu Dec 29 18:34:41 2011] [crit] [client 127.0.0.1] (13)Permission
    denied: /home/cb/public_html/.htaccess pcfg_openfile: unable to
    check htaccess file, ensure it is readable

The real problem is how apache handles this situation - basically it 
assumes a "deny from all". This is of course the safe way (better than 
data disclosure or unauthorized access to $whatever), but it blocks 
everything inside $directory_with_unreadable_.htaccess.

OTOH, a .htaccess file doesn't contain really secret content IMHO, so I 
don't see /**/.htaccess as a real problem.


Regards,

Christian Boltz
-- 
Arrogance? Sure, a posh restaurant with a dress code is arrogant too;
nobody forces you to eat there if you don't want to wear a tie.
It is exactly the same with this list: do you want to take part here?
Then put on your tie... [Andreas Loesch in suse-linux]
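The tunable John asks about, shown as an added example that is not part of this thread or of the patch under discussion. The variable name @{APACHE_HTACCESS_DIRS}, the file path tunables/apache2 and the two directory values are assumptions; only the abstraction name abstractions/apache2-common and the /**/.htaccess rule come from the thread.

```apparmor
# Added example, not the patch under discussion.
# Hypothetical tunable, e.g. in /etc/apparmor.d/tunables/apache2:
# the directories in which the site's Apache config actually enables
# AllowOverride. Everything else keeps "AllowOverride None", so Apache
# never tries to open a .htaccess there and the "unable to check
# htaccess file" error quoted in the mail cannot be triggered by AppArmor.
@{APACHE_HTACCESS_DIRS}=/srv/www/htdocs/ /home/*/public_html/

# Matching rule for abstractions/apache2-common, replacing the
# unrestricted /**/.htaccess rule. Each value of the variable expands to
# its own rule; "{,**/}" matches the .htaccess in the listed directory
# itself as well as at any depth below it, but never /.htaccess.
@{APACHE_HTACCESS_DIRS}{,**/}.htaccess r,
```

The list in the tunable has to mirror the Apache side: a `<Directory />` block with `AllowOverride None` plus `AllowOverride` only in the docroot blocks, as the mail describes. A directory that is in one list but not the other either leaks a .htaccess read that the profile did not intend, or produces the 403 "deny from all" fallback for that whole subtree, which is the failure mode to check for after reloading the profile.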
