Greetings,

I use mod_perl 2 on a Debian Linux system, from the Debian supplied package. I also use ext3 and jfs filesystems, which provide ACL capabilities for assigning permissions. In my particular configuration, files are owned by my user and group, and not world-readable. In order for Apache (httpd) to read files to be served, I assign an ACL giving the group that Apache runs as access to read files (www-data on Debian).

In the process of doing this, I noted that Apache serves files protected in such a manner without incident, but mod_perl's Registry and PerlRun handlers refuse to. In an attempt to fix this problem a year ago, I worked to get a patch added on Debian systems that will use the "use filetest 'access'" pragma inside of RegistryCooker. RegistryCooker must also be modified to use $r->filename with the -r and -x filetests, since the "filetest 'access'" pragma requires a filename, not stat() info.

Recently, I found that PerlRun was failing, even with the above patch. This made me look closer at the code in RegistryCooker's can_compile() function. Why are we testing whether the file is readable/executable before compilation, if this operation is not executed atomically with the subsequent ModPerl::Util::slurp_filename()/modperl_util.c:apr_file_open()? This seems to be insecure at worst and unreliable at best.

I propose that the read/execute/directory tests be removed from can_compile(). The slurp_filename() method should not assume success as it does now, but instead return an error code indicating that a file could not be opened/does not exist/is a directory/etc. This will remove the non-atomicness and will make ACL-protected files work transparently, as they should. This would also make it unnecessary to set the execute bit on non-Win32 systems. I would supply a patch to do this, but I am not a great C/XS programmer, nor am I highly familiar with APR.

I feel it is important that this change makes the official 2.0 release, since other packages do not have similar problems with ACL filesystems (mod_python, Apache Tomcat, PHP). Please consider my proposal and send me any comments or questions.

Thanks,
Damon
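The following is an added example, not code from mod_perl or from the poster, that illustrates the open-then-check shape the message proposes: the reader opens the path first, inspects the descriptor it actually holds, and reports failure through a status code instead of testing readability and execute bits beforehand. Because the kernel makes the permission decision at open() time, ACL grants are honoured and no separate -r/-x test is consulted. The names (slurp_file, slurp_status, make_sample_file, the /tmp sample path and the sample script text) are assumptions for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Status codes a slurp routine can hand back instead of assuming success. */
enum slurp_status {
    SLURP_OK = 0,
    SLURP_NOENT,   /* path does not exist */
    SLURP_EACCES,  /* open() refused: mode bits or an ACL deny it */
    SLURP_ISDIR,   /* path names a directory */
    SLURP_IOERR    /* any other error */
};

/* Open first, then inspect the descriptor we hold. No readability test on
 * the path precedes the open(), so there is no window in which the path can
 * change between a check and the read, and the kernel's own permission
 * decision (which includes filesystem ACLs) is the only one consulted. */
enum slurp_status slurp_file(const char *path, char **out, size_t *len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) {
        switch (errno) {
        case ENOENT: return SLURP_NOENT;
        case EACCES: return SLURP_EACCES;
        case EISDIR: return SLURP_ISDIR;
        default:     return SLURP_IOERR;
        }
    }

    struct stat st;
    if (fstat(fd, &st) != 0) { close(fd); return SLURP_IOERR; }
    if (S_ISDIR(st.st_mode)) { close(fd); return SLURP_ISDIR; }

    /* Size the buffer from the descriptor's fstat, but keep reading until
     * EOF so a file that grows after fstat is still captured whole. */
    size_t cap = (size_t)st.st_size + 1 > 4096 ? (size_t)st.st_size + 1 : 4096;
    char *buf = malloc(cap);
    if (!buf) { close(fd); return SLURP_IOERR; }

    size_t used = 0;
    for (;;) {
        if (used + 1 >= cap) {
            cap *= 2;
            char *nb = realloc(buf, cap);
            if (!nb) { free(buf); close(fd); return SLURP_IOERR; }
            buf = nb;
        }
        ssize_t n = read(fd, buf + used, cap - used - 1);
        if (n < 0) {
            if (errno == EINTR) continue;
            free(buf); close(fd); return SLURP_IOERR;
        }
        if (n == 0) break;
        used += (size_t)n;
    }
    close(fd);
    buf[used] = '\0';
    *out = buf;
    *len = used;
    return SLURP_OK;
}

/* Status only, buffer discarded: handy for callers that just want a verdict. */
enum slurp_status slurp_status_of(const char *path)
{
    char *buf = NULL; size_t len = 0;
    enum slurp_status s = slurp_file(path, &buf, &len);
    free(buf);
    return s;
}

/* Write constructed sample content to a fresh mode-0600 temp file (no execute
 * bit) and return its path from a static buffer. Hypothetical helper. */
const char *make_sample_file(const char *contents)
{
    static char path[] = "/tmp/slurp_demo_XXXXXX";
    strcpy(path, "/tmp/slurp_demo_XXXXXX");   /* reset the template on reuse */
    int fd = mkstemp(path);
    if (fd < 0) return NULL;
    size_t n = strlen(contents);
    if (write(fd, contents, n) != (ssize_t)n) { close(fd); unlink(path); return NULL; }
    close(fd);
    return path;
}

/* End-to-end check: returns 1 when a sample script round-trips intact
 * through slurp_file() even though the file carries no execute bit. */
int sample_roundtrip_ok(void)
{
    const char *want = "#!/usr/bin/perl\nprint \"hello\\n\";\n";   /* constructed */
    const char *path = make_sample_file(want);
    if (!path) return 0;
    char *got = NULL; size_t len = 0;
    int ok = slurp_file(path, &got, &len) == SLURP_OK
             && len == strlen(want) && strcmp(got, want) == 0;
    unlink(path);
    free(got);
    return ok;
}

int main(void)
{
    printf("sample round-trip: %s\n", sample_roundtrip_ok() ? "ok" : "failed");
    printf("directory status: %d (expect %d)\n", slurp_status_of("/"), SLURP_ISDIR);
    printf("missing status:   %d (expect %d)\n", slurp_status_of("/no/such/file"), SLURP_NOENT);
    return 0;
}
```

The sample file is created by mkstemp() with mode 0600, so the successful round-trip also shows that nothing in this path depends on an execute bit; a directory and a missing path come back as distinct status codes, which is the error reporting the message asks slurp_filename() to provide. An EACCES case is not exercised here because it cannot be reproduced reliably when the example runs as root.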
ACL filesystem incompatibility and potential race condition
Generated at 00:33 on 04 Mar 2005 by mariachi v0.52