MacOS X Circumvents Apache Security

← Back to Stories (view on slashdot.org)

MacOS X Circumvents Apache Security

Posted by krow on Tuesday June 12, 2001 @10:27AM from the if-you-leave-the-window-open-does-it-matter-that-you-locked-the-door dept.

cloudscout writes: "This Report at SecurityFocus.com warns of a problem with the Apache webserver running under Apple's new MacOS X operating system with the case-insensitive HFS+ filesystem. HFS+ is the default (and recommended) filesystem for MacOS X, yet its case-insensitive nature circumvents directory-based security in the Apache webserver that comes with the operating system. The Server version of MacOS X ships with a module that fixes this problem, but this module isn't available unless you purchase MacOS X Server. So much for Apple's boast about 'giving back to the open-source community.'"
From looking through SecurityFocus, this doesn't appear to be the only problem.

14 comments

Min score:

Reason:

Sort:

the patch has been posted for over a week by Anonymous Coward · 2001-06-16 13:38 · Score: 1

download the patch, it's been there since last Tuesday... http://www.opensource.apple.com/projects/darwin/da rwinserver
mod_hfs_apple and Other Mac OS X Server Components by Anonymous Coward · 2001-06-14 10:02 · Score: 2

Looks like the Server components just weren't posted yet, but they are now: http://www.opensource.apple.com/projects/darwin/da rwinserver/. This should fix the problem.
Re:Saw this coming by blech · 2001-06-14 17:12 · Score: 1

Macintouch reported today (2001-06-15) that Apple's mod_hfs_apple.c which fixes the problem is available as part of the Darwin Server source code, but also notes that it has not been tested on any 'client' version of Mac OS X.

--
DO NOT LEAVE IT IS NOT REAL
Easily patched by CoolVibe · 2001-06-13 17:37 · Score: 2

Some strategically placed tolower() calls in the source would fix this I think. My guess is that the module from apple basically does this too. I got a Darwin/OSX box at home. I will take a gander amd make a patch if I have the time. Shouldn't be a biggie

Hey, you got the source, fix it. You don't even need apple's module. Maybe a #ifdef DARWIN macro for this would be an idea.
--
Slashdot didn't accept your submission? hackerheaven.org will!
Re:So how does Apache cope on Windows? by Coward,+Anonymous · 2001-06-13 15:47 · Score: 4

So how does Apache handle the Windows (NT or whatever) filesystem. Last time I looked that was case-insensitive too

Apache uses ap_os_canonical_filename() which on case sensitive unices is a macro to replace it with the filename, but the util_win32.c provides an ap_os_canonical_filename function which converts the name to lowercase thus allowing "This" and "ThiS" to match (both being returned as "this"), so something similar is needed on case-insensitive MacOS machines.
Re:Saw this coming by mr100percent · 2001-06-13 11:09 · Score: 1

Did you honestly think Apple is going to release portions of their code, that they paid good money to programmers to write, that isn't GPLed?
Re:So how does Apache cope on Windows? by babbage · 2001-06-12 21:28 · Score: 1

Yeah, I've been wondering about that one too. I'd never heard it discussed before this, but it does seem like it would be a hole to be fixed on any case-insensitive filesystem, including both Windows FAT32 and NTFS, in addition to Mac HFS.
I was thinking mod_speling might be a ready solution to this issue, but it might not work in the way I was hoping. This bug seems to come up during the parsing of access control settings (early in the request phase), whereas I think mod_speling comes in later, during the mapping of URLs to permitted filesystem points. I think. Nonetheless, even if it can't fix the problem out of the box, I think mod_speling could perhaps be adapted to this purpose if someone knew what they were doing. I'd take a shot myself, but my understanding of Apache's architecture is too weak to be of much value here, I think. Oh well.

--
DO NOT LEAVE IT IS NOT REAL
Re:Saw this coming by babbage · 2001-06-14 21:55 · Score: 1

Nice .sig there, "Blech" Mison. :)
(Do not leave there is no (oidvay) cabal.)

--
DO NOT LEAVE IT IS NOT REAL
Re:So how does Apache cope on Windows? by babbage · 2001-06-12 21:49 · Score: 2

...and upon about 30 seconds of research on SecurityFocus (which should have been done first here, doh!), it seems that case insensitivity might not be an issue on Windows after all:
"Tested against Apache 1.3.20 on Windows 98 SE (has case insensitive fs) appears not to be vulnerable."

The posts on SecurityFocus don't illuminate how the Win32 version of Apache gets around the problem, but I'm sure some enterprising soul could find the saving code in the source somewhere...

--
DO NOT LEAVE IT IS NOT REAL
Saw this coming by babbage · 2001-06-12 07:07 · Score: 3

This is just growing pains -- old school Mac used a case-insensitive filesystem, newschool Mac has to preserve support for both old HFS and new UFS. (Other Unix tools are hitting the same problem whenever case [in-]sensitivity comes up -- the MacPerl people for example are working through it at the moment, too...)
This is a problem that Apple saw coming, and handled, sorta, with a custom mod_whatever that tried to address the problem. Why they didn't release it (either as source or, if necessary, as a binary) with OSX client is a big question, and an unfortunate decision on their part, but at least it already exists. Maybe this negative publicity will get them to release it &/or fold it into the next update to the operating system.
Really though, if you're using OSX for the new &/or Unixy stuff, then you need to run it on a UFS partition so that things like this won't bite you in the ass. If you need support for OS9/Classic, then either it or the Unix stuff needs to go onto a different partition. If not, you'll constantly be hitting these sorts of problems...

--
DO NOT LEAVE IT IS NOT REAL
1. Re:Saw this coming by kilgore_47 · 2001-06-12 15:41 · Score: 2
  
  Maybe this negative publicity will get them to release it &/or fold it into the next update to the operating system.
  
  I wish. For some reason, no matter how nice apple seems they're still corporate bastards when it comes down to it. "Think Different" my ass.
  
  -
  
  --
  ___
  The way to see by faith is to shut the eye of reason. --Ben Franklin
2. Re:Saw this coming by kilgore_47 · 2001-06-14 08:09 · Score: 2
  
  Uh, maybe you missed http://www.opensource.apple.com/, but apple has released quite a bit of code and none of it is GPL'd. The GPL is the last liscense apple would use!
  
  -
  
  --
  ___
  The way to see by faith is to shut the eye of reason. --Ben Franklin
Interesting bias by Microsift · 2001-06-15 05:31 · Score: 1

The headline makes it sound like the error was intentional, this is clearly in the wrong topic as well, should have been bug!

--
My other sig is extremely clever...
So how does Apache cope on Windows? by Pogue+Mahone · 2001-06-12 17:33 · Score: 2

So how does Apache handle the Windows (NT or whatever) filesystem. Last time I looked that was case-insensitive too. The code must be there already - just a compile time option perhaps? Or is this also a security hole waiting to be exploited?

--

--
Every bloody emperor has his hand up history's skirt [Peter Hammill/VdGG]