MacOS X Circumvents Apache Security

← Back to Stories (view on slashdot.org)

MacOS X Circumvents Apache Security

Posted by krow on Tuesday June 12, 2001 @10:27AM from the if-you-leave-the-window-open-does-it-matter-that-you-locked-the-door dept.

cloudscout writes: "This Report at SecurityFocus.com warns of a problem with the Apache webserver running under Apple's new MacOS X operating system with the case-insensitive HFS+ filesystem. HFS+ is the default (and recommended) filesystem for MacOS X, yet its case-insensitive nature circumvents directory-based security in the Apache webserver that comes with the operating system. The Server version of MacOS X ships with a module that fixes this problem, but this module isn't available unless you purchase MacOS X Server. So much for Apple's boast about 'giving back to the open-source community.'"
From looking through SecurityFocus, this doesn't appear to be the only problem.

8 of 14 comments (clear)

Min score:

Reason:

Sort:

mod_hfs_apple and Other Mac OS X Server Components by Anonymous Coward · 2001-06-14 10:02 · Score: 2

Looks like the Server components just weren't posted yet, but they are now: http://www.opensource.apple.com/projects/darwin/da rwinserver/. This should fix the problem.
Easily patched by CoolVibe · 2001-06-13 17:37 · Score: 2

Some strategically placed tolower() calls in the source would fix this I think. My guess is that the module from apple basically does this too. I got a Darwin/OSX box at home. I will take a gander amd make a patch if I have the time. Shouldn't be a biggie

Hey, you got the source, fix it. You don't even need apple's module. Maybe a #ifdef DARWIN macro for this would be an idea.
--
Slashdot didn't accept your submission? hackerheaven.org will!
Re:So how does Apache cope on Windows? by Coward,+Anonymous · 2001-06-13 15:47 · Score: 4

So how does Apache handle the Windows (NT or whatever) filesystem. Last time I looked that was case-insensitive too

Apache uses ap_os_canonical_filename() which on case sensitive unices is a macro to replace it with the filename, but the util_win32.c provides an ap_os_canonical_filename function which converts the name to lowercase thus allowing "This" and "ThiS" to match (both being returned as "this"), so something similar is needed on case-insensitive MacOS machines.
Re:So how does Apache cope on Windows? by babbage · 2001-06-12 21:49 · Score: 2

...and upon about 30 seconds of research on SecurityFocus (which should have been done first here, doh!), it seems that case insensitivity might not be an issue on Windows after all:
"Tested against Apache 1.3.20 on Windows 98 SE (has case insensitive fs) appears not to be vulnerable."

The posts on SecurityFocus don't illuminate how the Win32 version of Apache gets around the problem, but I'm sure some enterprising soul could find the saving code in the source somewhere...

--
DO NOT LEAVE IT IS NOT REAL
Saw this coming by babbage · 2001-06-12 07:07 · Score: 3

This is just growing pains -- old school Mac used a case-insensitive filesystem, newschool Mac has to preserve support for both old HFS and new UFS. (Other Unix tools are hitting the same problem whenever case [in-]sensitivity comes up -- the MacPerl people for example are working through it at the moment, too...)
This is a problem that Apple saw coming, and handled, sorta, with a custom mod_whatever that tried to address the problem. Why they didn't release it (either as source or, if necessary, as a binary) with OSX client is a big question, and an unfortunate decision on their part, but at least it already exists. Maybe this negative publicity will get them to release it &/or fold it into the next update to the operating system.
Really though, if you're using OSX for the new &/or Unixy stuff, then you need to run it on a UFS partition so that things like this won't bite you in the ass. If you need support for OS9/Classic, then either it or the Unix stuff needs to go onto a different partition. If not, you'll constantly be hitting these sorts of problems...

--
DO NOT LEAVE IT IS NOT REAL
1. Re:Saw this coming by kilgore_47 · 2001-06-12 15:41 · Score: 2
  
  Maybe this negative publicity will get them to release it &/or fold it into the next update to the operating system.
  
  I wish. For some reason, no matter how nice apple seems they're still corporate bastards when it comes down to it. "Think Different" my ass.
  
  -
  
  --
  ___
  The way to see by faith is to shut the eye of reason. --Ben Franklin
2. Re:Saw this coming by kilgore_47 · 2001-06-14 08:09 · Score: 2
  
  Uh, maybe you missed http://www.opensource.apple.com/, but apple has released quite a bit of code and none of it is GPL'd. The GPL is the last liscense apple would use!
  
  -
  
  --
  ___
  The way to see by faith is to shut the eye of reason. --Ben Franklin
So how does Apache cope on Windows? by Pogue+Mahone · 2001-06-12 17:33 · Score: 2

So how does Apache handle the Windows (NT or whatever) filesystem. Last time I looked that was case-insensitive too. The code must be there already - just a compile time option perhaps? Or is this also a security hole waiting to be exploited?

--

--
Every bloody emperor has his hand up history's skirt [Peter Hammill/VdGG]