[apparmor] [patch] split off apache permissions to abstractions/apache2-common

[John Johansen]

On 12/29/2011 09:50 AM, Christian Boltz wrote:
> Hello,
>
> Am Mittwoch, 28. Dezember 2011 schrieb John Johansen:
>> On 12/21/2011 04:17 PM, Christian Boltz wrote:
>>> Note: My version of abstractions/apache2-common does not allow to
>>> read /.htaccess (I changed /**.htaccess ->   /**/.htaccess) which
>>> slightly reduces permissions for ^HANDLING_UNTRUSTED_INPUT.
>>> However I doubt someone has a .htaccess in / ;-)
>>
>> Ugh, tbh I don't even like /**/.htaccess can we perhaps add a tunable
>> for this, even if the base value used is just /**/
>>
>> Basically I really don't like letting .htaccess reside just about
>> anywhere, and maybe a tunable would make this more palatable
>
> I agree that .htaccess everywhere doesn't really make sense, and sane
> apache configurations have "AllowOverride none" for / and only allow
> AllowOverride (aka using a .htaccess file) in the docroot.
>
> Nevertheless, there is a big problem - if apache finds a .htaccess file
> and can't read it (after chmod 000 or because AppArmor blocks it), you
> get a nice log message:
>
>      [Thu Dec 29 18:34:41 2011] [crit] [client 127.0.0.1] (13)Permission
>      denied: /home/cb/public_html/.htaccess pcfg_openfile: unable to
>      check htaccess file, ensure it is readable
>
> The real problem is how apache handles this situation - basically it
> assumes a "deny from all". This is of course the safe way (better than
> data disclosure or unauthorized access to $whatever), but it blocks
> everything inside $directory_with_unreadable_.htaccess.
>
> OTOH, a .htaccess file doesn't contain really secret content IMHO, so I
> don't see /**/.htaccess as a real problem.
>
hrmmm, okay I guess I am okay with this then

you can put it in both dev and the 2.7 branches