[Apparmor-general] x access for all files served by apache?!
John Johansen
jjohansen at suse.de
Sun Jan 13 23:45:30 MST 2008
On Sun, Jan 13, 2008 at 02:19:10PM -0800, Crispin Cowan wrote:
> Christian Boltz wrote:
> > I found some interesting things in my audit.log - it seems apache uses x
> > permissions for any file it serves if the file has execute permissions.
> > Example (anonymized):
> >
> > type=APPARMOR msg=audit(1200045134.462:703287): PERMITTING x access
> > to /home/www/.../httpdocs/typo3/typo3conf/ext/.../gsttopcontent_defaultlink_icon.gif
> > (httpd2-prefork(32563) profile /usr/sbin/httpd2-prefork active
> > vhost_...)
> >
> > ls -l output:
> > -rwxrwxr-x ... gsttopcontent_defaultlink_icon.gif
> >
> > Well, x permissions for a gif image are crazy, but there are people out
> > there that have even better ideas than murphy: customers ;-)
> >
> > Files without x permissions do not cause the mentioned log message.
> >
> > Is it expected behaviour that apache executes image files with x
> > permissions? (And: Is the apparmor mailing list the correct place for
> > this? Or should I file a bug report against apache?)
> >
> The AppArmor list is the correct place if you believe that Apache did
> *not* try to use execute permissions, and this is a bug in AppArmor.
>
> However, if you think that Apache really did ask for execute
> permissions, then AppArmor is functioning correctly, and you need to
> talk to Apache people about it.
>
> This is an example of what I call an "AppArmor WtF? moment" :-) when
> AppArmor highlights weird behavior in your software. My first (and still
> favorite) was when I caught Gaim running wget on startup :)
>
While I agree this is a wtf moment, I would like a little more detail of
just what apache is doing. What are the log events before and after this?
I know very little about apache, having only set it up and toyed with it once or
twice in a toy environment, but it may well be that apache expects
permissions to be set such that only things it should execute have x
permissions.
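
One way to pull every such event out of audit.log and list the static files for which x access was requested, as an added example that is not part of the original thread. It assumes the record layout of the log line quoted above with each record on a single line; the extension list and the sample records are constructed for illustration.

```python
import os
import re
from collections import Counter

# Audit record layout as quoted in the thread (one record per line in audit.log):
# type=APPARMOR msg=audit(TS:SERIAL): VERDICT MASK access to PATH (COMM(PID) profile PROFILE active HAT)
EVENT = re.compile(
    r"type=APPARMOR msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"(?P<verdict>[A-Z]+) (?P<mask>\S+) access to (?P<path>.+) "
    r"\((?P<comm>[^()\s]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) "
    r"active (?P<hat>[^)]+)\)$"
)

# Assumption: extensions treated as static content that never needs to be executed.
STATIC_EXT = {".gif", ".png", ".jpg", ".jpeg", ".ico", ".css", ".html", ".txt"}


def stray_exec_events(lines):
    """Return parsed events where x access was requested on a static-content file."""
    hits = []
    for line in lines:
        m = EVENT.search(line.strip())
        if m is None or "x" not in m["mask"]:
            continue  # not an AppArmor record, or no execute access requested
        if os.path.splitext(m["path"])[1].lower() in STATIC_EXT:
            hits.append(m.groupdict())
    return hits


def summarize(hits):
    """Collapse repeated requests into a count per (profile, hat, path)."""
    return Counter((h["profile"], h["hat"], h["path"]) for h in hits)


# Constructed sample records (paths, PIDs, serials and hat name are made up).
_HEAD = "type=APPARMOR msg=audit(1200045134.462:"
_TAIL = "(httpd2-prefork(32563) profile /usr/sbin/httpd2-prefork active vhost_example)"
SAMPLE = [
    f"{_HEAD}703287): PERMITTING x access to /srv/www/example/img/icon.gif {_TAIL}",
    f"{_HEAD}703288): PERMITTING r access to /srv/www/example/index.html {_TAIL}",
    f"{_HEAD}703289): PERMITTING x access to /srv/www/example/cgi-bin/form.pl {_TAIL}",
    f"{_HEAD}703290): PERMITTING x access to /srv/www/example/img/icon.gif {_TAIL}",
    "type=SYSCALL msg=audit(1200045134.462:703291): unrelated record",
]

if __name__ == "__main__":
    for (profile, hat, path), n in summarize(stray_exec_events(SAMPLE)).items():
        print(f"{n:4d}  {profile}  {hat}  {path}")
```

Run against the real audit.log, the resulting paths can be checked with `ls -l` and the execute bit dropped where nothing should run the file.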