Mailing List Archive

httpd: Pitfalls with using case-sensitive and case-insensitive file systems
Problem: Moving the contents of www/ from case-sensitive to a case-insensitive system can result in bad permissions (on directories) and/or adding .htconfig / .htaccess to the wrong directory. Please note that the following is *not* a vulnerability in httpd itself but stems from the use of standard utilities on modern Linux systems.

Description:
On a case-sensitive system, we *tar* the contents of www/ using 'tar -cf www.tar /var/www'.

Then in a case-insensitive directory (e.g. ext4 with per-directory case-insensitive support[1]) we expand the tarball using: 'tar -xf www.tar -C /mnt/icase'.

Scenario 1: Bad Perms on directory
=========

At Source (/var/www):
www/
    hidden/ (perm=700)
        secret.txt
    HIDDEN/ (perm=755)

After moving to /mnt/icase:
www/
    hidden/ (perm=755)
        secret.txt


Scenario 2: Merging directory contents
=========

At Source (/var/www):
www/
    protected/ (group=www-data,perm=750)
        .htaccess
        user-file.txt
    PROTECTED/ (perm=755)
        .htaccess (empty)

After moving to /mnt/icase:
www/
    protected/ (group=www-data,perm=755)
        .htaccess (empty)
        user-file.txt (now accessible over http)


The above two scenarios can also occur when transferring files using rsync.
Mentioning this in the documentation will be helpful for the community.

Tested on: Ubuntu 20.04.4 LTS, GNU tar v1.30 (amd64)

Please let me know if there are any questions.
Refer:
[1] https://www.collabora.com/news-and-blog/blog/2020/08/27/using-the-linux-kernel-case-insensitive-feature-in-ext4/

Aditya Basu
PhD Student
The Pennsylvania State University
https://www.adityabasu.me/
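
A pre-extraction check for the collisions described in the two scenarios above, as an added example that is not part of the original post: it lists archive entries whose paths differ only by case, together with their modes. The names fold, find_collisions and build_sample are hypothetical, the sample archive is constructed to mirror Scenario 2, and Python's str.casefold() is assumed to be a close enough approximation of the target filesystem's case folding.

```python
import io
import tarfile
from collections import defaultdict


def fold(path):
    # Approximation (assumption) of a case-insensitive lookup, per component.
    return "/".join(part.casefold() for part in path.strip("/").split("/"))


def find_collisions(fileobj):
    """Return {folded_path: [(name, mode, is_dir), ...]} for archive entries
    that would land on the same path on a case-insensitive target."""
    groups = defaultdict(list)
    with tarfile.open(fileobj=fileobj) as tar:
        for m in tar.getmembers():
            groups[fold(m.name)].append((m.name, oct(m.mode & 0o7777), m.isdir()))
    # Keep only groups holding at least two differently spelled names.
    return {k: v for k, v in groups.items() if len({n for n, _, _ in v}) > 1}


def build_sample():
    # Constructed archive mirroring Scenario 2 (empty files, no real data).
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, is_dir in [
            ("www", 0o755, True),
            ("www/protected", 0o750, True),
            ("www/protected/.htaccess", 0o644, False),
            ("www/protected/user-file.txt", 0o644, False),
            ("www/PROTECTED", 0o755, True),
            ("www/PROTECTED/.htaccess", 0o644, False),
        ]:
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.type = tarfile.DIRTYPE if is_dir else tarfile.REGTYPE
            tar.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for folded, entries in sorted(find_collisions(build_sample()).items()):
        print(f"collision at {folded!r}:")
        for name, mode, is_dir in entries:
            print(f"  {name}{'/' if is_dir else ''} mode={mode}")
```

To check a real archive, pass an opened file instead of the sample, for example find_collisions(open("www.tar", "rb")); any reported group should be resolved at the source before extracting onto the case-insensitive directory.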