[Apparmor-general] x access for all files served by apache?!
Crispin Cowan
crispin at mercenarylinux.com
Sun Jan 13 15:19:10 MST 2008
Christian Boltz wrote:
> I found some interesting things in my audit.log - it seems Apache uses x
> permissions for any file it serves if the file has execute permissions.
> Example (anonymized):
>
> type=APPARMOR msg=audit(1200045134.462:703287): PERMITTING x access
> to /home/www/.../httpdocs/typo3/typo3conf/ext/.../gsttopcontent_defaultlink_icon.gif
> (httpd2-prefork(32563) profile /usr/sbin/httpd2-prefork active
> vhost_...)
>
> ls -l output:
> -rwxrwxr-x ... gsttopcontent_defaultlink_icon.gif
>
> Well, x permissions for a gif image are crazy, but there are people out
> there that have even better ideas than Murphy: customers ;-)
>
> Files without x permissions do not cause the mentioned log message.
>
> Is it expected behaviour that Apache executes image files with x
> permissions? (And: Is the AppArmor mailing list the correct place for
> this? Or should I file a bug report against Apache?)
>

The AppArmor list is the correct place if you believe that Apache did
*not* try to use execute permissions, and this is a bug in AppArmor.
However, if you think that Apache really did ask for execute
permissions, then AppArmor is functioning correctly, and you need to
talk to Apache people about it.

This is an example of what I call an "AppArmor WtF? moment" :-) when
AppArmor highlights weird behavior in your software. My first (and still
favorite) was when I caught Gaim running wget on startup :)

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin
Itanium. Vista. GPLv3. Complexity at work.
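
Added example, not part of the original thread: one way to triage an audit.log for the pattern discussed above, by parsing old-style `type=APPARMOR` records and listing files with a static-content extension on which x access was requested. The sample records, the extension list and the function names are assumptions constructed for illustration.

```python
import os
import re

# Old-style AppArmor audit record, in the format quoted in the message above
# (a single line in audit.log; the mail wrapped it).
RECORD = re.compile(
    r"type=APPARMOR msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"(?P<verdict>PERMITTING|REJECTING) (?P<perms>[a-z]+) access to (?P<path>.+?) "
    r"\((?P<prog>[^()]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) active (?P<hat>[^)]*)\)"
)

# Assumption: extensions treated as static content that should never need x.
STATIC_EXT = {".gif", ".png", ".jpg", ".jpeg", ".ico", ".css", ".html", ".txt"}

# Constructed sample records (paths, PIDs, timestamps and serials are made up).
_P = "(httpd2-prefork(4001) profile /usr/sbin/httpd2-prefork active vhost_example)"
SAMPLE = [
    f"type=APPARMOR msg=audit(1200000001.000:101): PERMITTING x access to /srv/www/example/htdocs/img/logo.gif {_P}",
    f"type=APPARMOR msg=audit(1200000002.000:102): PERMITTING r access to /srv/www/example/htdocs/index.html {_P}",
    f"type=APPARMOR msg=audit(1200000003.000:103): PERMITTING x access to /srv/www/example/cgi-bin/form.pl {_P}",
    f"type=APPARMOR msg=audit(1200000004.000:104): REJECTING x access to /srv/www/example/htdocs/css/site.CSS {_P}",
    "type=SYSCALL msg=audit(1200000005.000:105): unrelated record",
]

def parse(line):
    """Return the record's fields as a dict, or None if the line does not match."""
    m = RECORD.search(line)
    return m.groupdict() if m else None

def odd_exec_events(lines):
    """Records where x access was requested on a static-content file."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None or "x" not in rec["perms"]:
            continue
        if os.path.splitext(rec["path"])[1].lower() in STATIC_EXT:
            hits.append(rec)
    return hits

def chmod_candidates(lines):
    """Distinct paths to check with ls -l for a stray execute bit."""
    return sorted({rec["path"] for rec in odd_exec_events(lines)})

if __name__ == "__main__":
    for path in chmod_candidates(SAMPLE):
        print(path)
```

Legitimate executables such as the CGI script in the sample are skipped because their extension is not in the static list.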