Apache is unable to access /tmp in any way
This problem happened in a recent apache release before version 2.4.55.
I encountered this after a system upgrade a month ago.


Apache is unable to access /tmp in any way.


We may let apache host some external websites by:

> Alias "/ext" "/path/to/external"
> <Directory "/path/to/external">
>      Options Indexes
>      Require all granted
> </Directory>


You can access that through http://yourwebsite/ext

This works most of the time. Changing "/path/to/external" to any path
works fine, including /bin, /srv, /etc ...

Except for anything under /tmp.

I always get 403 Forbidden for that.

For other directories, as long as apache has access permission on them,
I could always get their content listed.

Only for /tmp I get 403 Forbidden.

Indexing (/ext) and actual file accessing (/ext/index.html) are both
forbidden.


Why is /tmp different from others?

Changing permission of /tmp to 755 does not work, either.


Debug log here:

> [authz_core:debug] [pid 4469:tid 140408108734144] mod_authz_core.c(815): [client 127.0.0.1:37804] AH01626: authorization result of Require all denied: denied
> [authz_core:debug] [pid 4469:tid 140408108734144] mod_authz_core.c(815): [client 127.0.0.1:37804] AH01626: authorization result of <RequireAny>: denied
> [authz_core:error] [pid 4469:tid 140408108734144] [client 127.0.0.1:37804] AH01630: client denied by server configuration: /tmp/http


Build options:

> ./configure --sbindir=/usr/bin \
>      --enable-layout=Arch \
>      --enable-mpms-shared=all \
>      --enable-modules=all \
>      --enable-mods-shared=all \
>      --enable-so \
>      --enable-suexec \
>      --with-suexec-caller=http \
>      --with-suexec-docroot=/srv/http \
>      --with-suexec-logfile=/var/log/httpd/suexec.log \
>      --with-suexec-bin=/usr/bin/suexec \
>      --with-suexec-uidmin=99 --with-suexec-gidmin=99 \
>      --enable-ldap --enable-authnz-ldap --enable-authnz-fcgi \
>      --enable-cache --enable-disk-cache --enable-mem-cache --enable-file-cache \
>      --enable-ssl --with-ssl \
>      --enable-deflate --enable-cgi --enable-cgid \
>      --enable-proxy --enable-proxy-connect \
>      --enable-proxy-http --enable-proxy-ftp \
>      --enable-dbd --enable-imagemap --enable-ident --enable-cern-meta \
>      --enable-lua --enable-xml2enc --enable-http2 \
>      --enable-proxy-http2 --enable-md --enable-brotli \
>      --with-apr=/usr/bin/apr-1-config \
>      --with-apr-util=/usr/bin/apu-1-config \
>      --with-pcre2


Source:

https://www.apache.org/dist/httpd/httpd-2.4.55.tar.bz2


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
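Editor's added example, not from the thread and not httpd's own code: a small Python model of how httpd merges `<Directory>` sections for a request filename. Sections are applied from the shortest path to the longest, and with the default `AuthMerging Off` a section's own `Require` replaces the inherited one, so the most specific matching section decides. The two sections modelled are the ones this configuration implies: the `<Directory />` block with `Require all denied` that the shipped httpd.conf carries (the debug log above names that directive) and the `Alias` target with `Require all granted`. The function names, the `DirectorySection` type and the second request path are mine.

```python
"""Model of how httpd merges <Directory> sections for a request filename.

Added example, not code from the thread or from httpd itself. It covers
only non-regex <Directory> sections, the default AuthMerging Off (a
section's own Require directives replace the inherited ones) and Options
merging; <Location>, <Files>, .htaccess and AuthMerging And/Or are out
of scope. Sections are applied from shortest path to longest, which is
the order httpd uses, so the most specific matching section wins.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DirectorySection:
    path: str                                      # the <Directory "..."> argument
    require: Optional[str] = None                  # e.g. "all granted", "all denied"
    options: List[str] = field(default_factory=list)  # e.g. ["Indexes"], ["+FollowSymLinks"]


def _components(path: str) -> Tuple[str, ...]:
    return tuple(p for p in path.split("/") if p)


def _matches(section_path: str, filename: str) -> bool:
    """A section matches when its components are a prefix of the filename's."""
    sec = _components(section_path)
    return _components(filename)[: len(sec)] == sec


def _merge_options(inherited: Set[str], new: List[str]) -> Set[str]:
    relative = [o.startswith(("+", "-")) for o in new]
    if any(relative) and not all(relative):
        # httpd rejects a mix of +/- and plain Options at startup
        raise ValueError("Options cannot mix +/- forms with plain ones")
    if not any(relative):
        return set(new)                    # plain list replaces the inherited set
    merged = set(inherited)
    for o in new:
        (merged.add if o[0] == "+" else merged.discard)(o[1:])
    return merged


def effective_config(sections: List[DirectorySection], filename: str) -> Dict:
    """Merge every matching section, shortest path first, and report the result."""
    matching = sorted((s for s in sections if _matches(s.path, filename)),
                      key=lambda s: len(_components(s.path)))
    require: Optional[str] = None
    options: Set[str] = set()
    for s in matching:
        if s.require is not None:
            require = s.require            # AuthMerging Off: replace, never combine
        if s.options:
            options = _merge_options(options, s.options)
    return {"require": require, "options": sorted(options),
            "applied": [s.path for s in matching]}


def authz_decision(cfg: Dict) -> Tuple[str, str]:
    """Verdict plus the text mod_authz_core names in its AH01626 debug line."""
    req = cfg["require"]
    if req is None:
        return "granted", "(no directives)"   # AH01628: granted when nothing is configured
    if req == "all granted":
        return "granted", "Require all granted"
    return "denied", f"Require {req}"        # followed by AH01630 and a 403


# The configuration as posted: the stock <Directory /> block plus the Alias
# target. "/path/to/external" is the placeholder from the first mail.
THREAD_SECTIONS = [
    DirectorySection("/", require="all denied"),
    DirectorySection("/path/to/external", require="all granted", options=["Indexes"]),
]


def walkthrough() -> Dict[str, Tuple[str, str]]:
    """Two requests: one resolving under the granted section, one that does not."""
    return {fn: authz_decision(effective_config(THREAD_SECTIONS, fn))
            for fn in ("/path/to/external/index.html", "/tmp/http")}


if __name__ == "__main__":
    for fn, (verdict, directive) in walkthrough().items():
        print(f"{fn}: authorization result of {directive}: {verdict}")
```

The model matches on path components only; it says nothing about what httpd does when a component is absent on disk, and it ignores `<Location>`, `<Files>`, regex sections and `.htaccess`. Its use is reading the AH01626/AH01630 pair: with `AuthMerging Off`, a verdict that names a directive you did not write for that path means the section you did write was not among those applied to the filename AH01630 prints.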

Re: Apache is unable to access /tmp in any way
On Wednesday 15 February 2023 at 15:21:58, accelerator0099 wrote:

> Apache is unable to access /tmp in any way.

> I always get 403 Forbidden for that.

> Why is /tmp different from others?

My guess (and it is one) is that since /tmp can be written to by any user,
this is a security feature which stops someone running Apache in such a way
that an attacker could get some process to write either a file or a symlink
into /tmp and then be able to retrieve the content remotely over HTTP.

However, given that many systems routinely delete the contents of /tmp on
startup and/or shutdown, why would you ever want to point Apache at files which
exist there?

What is the use case for having servable content under /tmp?


Antony.

--
Tinned food was developed for the British Navy in 1813.

The tin opener was not invented until 1858.

Please reply to the list;
please *don't* CC me.


Re: Apache is unable to access /tmp in any way
That's for serving temporary files, of course.


I am developing a file-sharing web application, but it isn't finished
yet. Before it is finished, if I upload something to or download something
from the server, those files are stored in /tmp. In most cases they are
just temporary files and should be removed after use. I have used this
for some time, until a recent system upgrade which changed apache's
behavior and disallowed me from accessing /tmp.


Thanks for explaining the reason! I'm just astonished to know that
apache could make such big changes today.


On 2/15/23 22:33, Antony Stone wrote:
> On Wednesday 15 February 2023 at 15:21:58, accelerator0099 wrote:
>
>> Apache is unable to access /tmp in any way.
>> I always get 403 Forbidden for that.
>> Why is /tmp different from others?
> My guess (and it is one) is that since /tmp can be written to by any user,
> this is a security feature which stops someone running Apache in such a way
> that an attacker could get some process to write either a file or a symlink
> into /tmp and then be able to retrieve the content remotely over HTTP.
>
> However, given that many systems routinely delete the contents of /tmp on
> startup and/or shutdown, why would you ever want to point Apache at files which
> exist there?
>
> What is the use case for having servable content under /tmp?
>
>
> Antony.
>


Re: Apache is unable to access /tmp in any way
> Except for anything under /tmp.
>
> I always get 403 Forbidden for that.
>

What's the verbatim ErrorLog entry for it?


Re: Apache is unable to access /tmp in any way
Hello,

I am not sure that the answer is correct. I briefly tried to set up
Apache/2.4.55 with /tmp as you described and it seems to work fine. Are you
sure that there is no issue with permissions in subdirectories/files
themselves?

Regards,


On Wed, Feb 15, 2023 at 4:06 PM accelerator0099 <accelerator0099@gmail.com>
wrote:

> That's for serving temporary files, of course.
>
>
> I am developing a file-sharing web application, but it isn't finished
> yet. Before it is finished, if I upload something to or download something
> from the server, those files are stored in /tmp. In most cases they are
> just temporary files and should be removed after use. I have used this
> for some time, until a recent system upgrade which changed apache's
> behavior and disallowed me from accessing /tmp.
>
>
> Thanks for explaining the reason! I'm just astonished to know that
> apache could make such big changes today.
>
>
> On 2/15/23 22:33, Antony Stone wrote:
> > On Wednesday 15 February 2023 at 15:21:58, accelerator0099 wrote:
> >
> >> Apache is unable to access /tmp in any way.
> >> I always get 403 Forbidden for that.
> >> Why is /tmp different from others?
> > My guess (and it is one) is that since /tmp can be written to by any user,
> > this is a security feature which stops someone running Apache in such a way
> > that an attacker could get some process to write either a file or a symlink
> > into /tmp and then be able to retrieve the content remotely over HTTP.
> >
> > However, given that many systems routinely delete the contents of /tmp on
> > startup and/or shutdown, why would you ever want to point Apache at files which
> > exist there?
> >
> > What is the use case for having servable content under /tmp?
> >
> >
> > Antony.
> >
>

--
Vladimír Chlup

Re: Apache is unable to access /tmp in any way
It works fine for /tmp itself, but says 403 for any directories under
/tmp, regardless of their permissions (neither 777 nor 1777 works).


All directories are owned by root and root group


ErrorLog entry:

> ErrorLog "/var/log/httpd/error_log"
>
> LogLevel debug
>
> <IfModule log_config_module>
>     #
>     # The following directives define some format nicknames for use with
>     # a CustomLog directive (see below).
>     #
>     LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
>     LogFormat "%h %l %u %t \"%r\" %>s %b" common
>
>     <IfModule logio_module>
>       # You need to enable mod_logio.c to use %I and %O
>       LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
>     </IfModule>
>
>     #
>     # The location and format of the access logfile (Common Logfile Format).
>     # If you do not define any access logfiles within a <VirtualHost>
>     # container, they will be logged here.  Contrariwise, if you *do*
>     # define per-<VirtualHost> access logfiles, transactions will be
>     # logged therein and *not* in this file.
>     #
>     CustomLog "/var/log/httpd/access_log" combined
>
>     #
>     # If you prefer a logfile with access, agent, and referer information
>     # (Combined Logfile Format) you can use the following directive.
>     #
>     #CustomLog "/var/log/httpd/access_log" combined
> </IfModule>

On 2/15/23 23:14, Vladimir Chlup wrote:
> Hello,
>
> I am not sure that the answer is correct. I briefly tried to set up
> Apache/2.4.55 with /tmp as you described and it seems to work fine.
> Are you sure that there is no issue with permissions in
> subdirectories/files themselves?
>
> Regards,
>
>
> On Wed, Feb 15, 2023 at 4:06 PM accelerator0099
> <accelerator0099@gmail.com> wrote:
>
> That's for serving temporary files, of course.
>
>
> I am developing a file-sharing web application, but it isn't finished
> yet. Before it is finished, if I upload something to or download something
> from the server, those files are stored in /tmp. In most cases they are
> just temporary files and should be removed after use. I have used this
> for some time, until a recent system upgrade which changed apache's
> behavior and disallowed me from accessing /tmp.
>
>
> Thanks for explaining the reason! I'm just astonished to know that
> apache could make such big changes today.
>
>
> On 2/15/23 22:33, Antony Stone wrote:
> > On Wednesday 15 February 2023 at 15:21:58, accelerator0099 wrote:
> >
> >> Apache is unable to access /tmp in any way.
> >> I always get 403 Forbidden for that.
> >> Why is /tmp different from others?
> > My guess (and it is one) is that since /tmp can be written to by any user,
> > this is a security feature which stops someone running Apache in such a way
> > that an attacker could get some process to write either a file or a symlink
> > into /tmp and then be able to retrieve the content remotely over HTTP.
> >
> > However, given that many systems routinely delete the contents of /tmp on
> > startup and/or shutdown, why would you ever want to point Apache at files which
> > exist there?
> >
> > What is the use case for having servable content under /tmp?
> >
> >
> > Antony.
> >
>
> --
> Vladimír Chlup

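An added check for the permissions question in this exchange (example code, not from the thread): it walks every component of a path with the uid and group ids the httpd workers run as and reports, from the mode bits alone, which component would refuse traversal or reading. The function names, `self_check()` and the demo tree it builds are mine; the default user `http` comes from the `--with-suexec-caller=http` build option posted earlier.

```python
"""Walk each component of a filesystem path and report whether a given
uid/gid set could traverse it and read the final entry, using only the
mode bits (the check the kernel makes, minus ACLs and capabilities).

Added example, not from the thread. Assumed names: component_ok(),
traversal_report(), can_serve(), self_check(). Run it with the uid and
gids of the httpd worker user when chasing a 403 that might be a
permission problem.
"""
import os
import stat
import tempfile
from typing import Iterable, List, Optional, Tuple

Entry = Tuple[str, Optional[str], Optional[int], bool]   # (path, mode, owner uid, ok)


def component_ok(mode: int, st_uid: int, st_gid: int, is_last: bool,
                 uid: int, gids: Iterable[int]) -> bool:
    """Pure mode-bit check for one path component (mode includes the type bits).

    Intermediate directories need search (x); a final directory needs
    read and search (r+x) to be listed; a final file needs read (r).
    uid 0 bypasses discretionary permissions (CAP_DAC_OVERRIDE/READ_SEARCH).
    """
    if uid == 0:
        return True
    if st_uid == uid:
        bits = (mode >> 6) & 0o7
    elif st_gid in set(gids):
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    if stat.S_ISDIR(mode):
        needed = 0o5 if is_last else 0o1
    else:
        needed = 0o4
    return bits & needed == needed


def traversal_report(path: str, uid: int, gids: Iterable[int]) -> List[Entry]:
    """Report every prefix of `path`; stops at the first missing component."""
    abspath = os.path.abspath(path)
    prefixes = [os.sep]
    for part in abspath.split(os.sep):
        if part:
            prefixes.append(os.path.join(prefixes[-1], part))
    gids = set(gids)
    report: List[Entry] = []
    for i, p in enumerate(prefixes):
        try:
            st = os.stat(p)          # follows symlinks, as httpd does with FollowSymLinks
        except FileNotFoundError:
            report.append((p, None, None, False))
            break
        ok = component_ok(st.st_mode, st.st_uid, st.st_gid,
                          i == len(prefixes) - 1, uid, gids)
        report.append((p, oct(stat.S_IMODE(st.st_mode)), st.st_uid, ok))
    return report


def can_serve(path: str, uid: int, gids: Iterable[int]) -> bool:
    return all(ok for _, _, _, ok in traversal_report(path, uid, gids))


def self_check() -> Tuple[bool, bool]:
    """Build a constructed tree in a temp dir and check a present and a missing file
    as the running user: (can read index.html, can read missing.html)."""
    with tempfile.TemporaryDirectory() as base:
        sub = os.path.join(base, "http")
        os.mkdir(sub, 0o755)
        present = os.path.join(sub, "index.html")
        with open(present, "w") as fh:
            fh.write("<h1>constructed</h1>\n")
        uid, gids = os.getuid(), os.getgroups()
        return (can_serve(present, uid, gids),
                can_serve(os.path.join(sub, "missing.html"), uid, gids))


if __name__ == "__main__":
    import grp
    import pwd
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp/http"
    user = sys.argv[2] if len(sys.argv) > 2 else "http"   # worker user from the build options
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    for p, mode, owner, ok in traversal_report(target, pw.pw_uid, gids):
        print(f"{'ok' if ok else 'NO'} {mode or 'missing':>7} uid={owner} {p}")
```

It reads mode bits only: POSIX ACLs, SELinux or AppArmor labels and mount options are outside it. It also looks at the caller's own view of the filesystem. A service unit sandboxed with systemd's `PrivateTmp=` sees a private, empty /tmp, so a clean report taken from a shell shows that the mode bits are not the problem, not what the httpd processes themselves see under /tmp.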

Re: Apache is unable to access /tmp in any way
> ErrorLog entry:

I mean the contents of the log.


Re: Apache is unable to access /tmp in any way
I remember I have provided them in my first email. The server had only 3 lines of log except startup information.

> [authz_core:debug] [pid 4469:tid 140408108734144] mod_authz_core.c(815): [client 127.0.0.1:37804] AH01626: authorization result of Require all denied: denied
> [authz_core:debug] [pid 4469:tid 140408108734144] mod_authz_core.c(815): [client 127.0.0.1:37804] AH01626: authorization result of <RequireAny>: denied
> [authz_core:error] [pid 4469:tid 140408108734144] [client 127.0.0.1:37804] AH01630: client denied by server configuration: /tmp/http

On 2/16/23 00:35, Eric Covener wrote:
>> ErrorLog entry:
> I mean the contents of the log.
>

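Editor's added example, not from the thread and not httpd code: a parser for the error_log format in those three lines. It accepts both the timestamp-prefixed lines a live error_log carries and the mail-quoted, timestamp-less form pasted above, groups AH01630 "client denied by server configuration" entries by client, and pulls out the directive mod_authz_core blames in AH01626. The sample input is the thread's three lines plus one constructed startup notice; the function and class names are mine.

```python
"""Parser for httpd error_log lines in the shape posted in this thread.

Added example, not code from the thread or from httpd. Handles the 2.4
default ErrorLogFormat prefix ([time] [module:level] [pid:tid]
file(line): [client ip:port] AHnnnnn: message); the timestamp is optional
so the mail-quoted lines, which lack it, parse too.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ERROR_LOG_RE = re.compile(r"""
    ^
    (?:\[(?P<time>[^\]]+)\]\s+)?                        # [Wed Feb 15 ... 2023]   (optional)
    \[(?P<module>[\w-]+):(?P<level>\w+)\]\s+            # [authz_core:debug]
    \[pid\s+(?P<pid>\d+)(?::tid\s+(?P<tid>\d+))?\]\s*   # [pid 4469:tid 1404...]
    (?:(?P<file>[\w.-]+\.c)\((?P<line>\d+)\):\s*)?      # mod_authz_core.c(815):  (debug level)
    (?:\[client\s*(?P<client>[^\]]+)\]\s*)?             # [client 127.0.0.1:37804]
    (?:(?P<ah>AH\d{5}):\s*)?                            # AH01626:
    (?P<msg>.*?)\s*$
""", re.VERBOSE)

DENIED_BY_CONFIG = "AH01630"   # "client denied by server configuration: <path>"
AUTHZ_RESULT = "AH01626"       # "authorization result of <directive>: granted|denied"


@dataclass
class ErrorLogEntry:
    module: str
    level: str
    pid: int
    tid: Optional[int]
    client: Optional[str]
    ah: Optional[str]
    msg: str
    time: Optional[str] = None
    source: Optional[str] = None   # "mod_authz_core.c:815" when the line carries it


def parse_error_log(text: str) -> List[ErrorLogEntry]:
    """Parse every line in error_log format; skip blanks and anything else."""
    entries: List[ErrorLogEntry] = []
    for raw in text.splitlines():
        line = re.sub(r"^[\s>]+", "", raw)      # drop mail-quote prefixes and indentation
        if not line:
            continue
        m = ERROR_LOG_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        entries.append(ErrorLogEntry(
            module=g["module"], level=g["level"], pid=int(g["pid"]),
            tid=int(g["tid"]) if g["tid"] else None,
            client=g["client"], ah=g["ah"], msg=g["msg"], time=g["time"],
            source=f'{g["file"]}:{g["line"]}' if g["file"] else None))
    return entries


def summarize_denials(entries: List[ErrorLogEntry]) -> Dict:
    """Paths refused per client (AH01630) and the directives blamed (AH01626)."""
    denied_paths: Dict[str, List[str]] = defaultdict(list)
    authz_results: List[Tuple[str, str]] = []
    for e in entries:
        if e.ah == DENIED_BY_CONFIG:
            path = e.msg.split("client denied by server configuration:", 1)[-1].strip()
            denied_paths[e.client or "-"].append(path)
        elif e.ah == AUTHZ_RESULT:
            m = re.match(r"authorization result of (.+?): (granted|denied)$", e.msg)
            if m:
                authz_results.append((m.group(1), m.group(2)))
    return {"denied_paths": dict(denied_paths), "authz_results": authz_results}


# The three lines from the thread, preceded by one constructed startup notice
# (timestamp and wording are mine) of the kind the poster said surrounded them.
SAMPLE_LOG = """\
[Wed Feb 15 15:20:01.123456 2023] [mpm_event:notice] [pid 4469:tid 140408108734144] AH00489: Apache/2.4.55 (Unix) configured -- resuming normal operations
> [authz_core:debug] [pid 4469:tid 140408108734144] mod_authz_core.c(815): [client 127.0.0.1:37804] AH01626: authorization result of Require all denied: denied
> [authz_core:debug] [pid 4469:tid 140408108734144] mod_authz_core.c(815): [client 127.0.0.1:37804] AH01626: authorization result of <RequireAny>: denied
> [authz_core:error] [pid 4469:tid 140408108734144] [client 127.0.0.1:37804] AH01630: client denied by server configuration: /tmp/http
"""


def walkthrough() -> Dict:
    entries = parse_error_log(SAMPLE_LOG)
    return {"count": len(entries), **summarize_denials(entries)}


if __name__ == "__main__":
    for e in parse_error_log(SAMPLE_LOG):
        print(e.level, e.ah, e.client, e.msg)
    print(walkthrough())
```

Pointed at a real error_log, `summarize_denials` gives the per-client list of paths httpd refused by configuration, which is the view a defender wants when a burst of 403s might be probing rather than a misconfiguration, and the AH01626 directive names tell you which section produced each verdict.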

Re: Apache is unable to access /tmp in any way
> I always get 403 Forbidden for that.

I can recall when I first downloaded one of these web servers: if you put
in an incorrect URL for which a page didn't exist, your directory structure
appeared with full HTTP access to anyone.

Clearly the restriction on /tmp is an improvement.




On Wed, 15 Feb 2023, 15:07 Eric Covener, <covener@gmail.com> wrote:

> > Except for anything under /tmp.
> >
> > I always get 403 Forbidden for that.
> >
>
> What's the verbatim ErrorLog entry for it?
>