apr-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 51560] apr_stat for APR_FINFO_NORM using GetEffectiveRightsFromAcl does not work in complex Active Directory forest
Date Thu, 01 Aug 2019 09:49:08 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=51560

--- Comment #5 from Thorsten Schöning <tschoening@am-soft.de> ---
I would like to mention an issue I ran into recently and while I don't think
its the same one, it sounds at least related:

http://mail-archives.apache.org/mod_mbox/perl-modperl/201907.mbox/ajax/%3C1649095749.20190731190733%40am-soft.de%3E

The main difference is that in my case no Active Directory is involved, but the
problem occurs with Windows-users without admin-privileges. My setup is running
mod_perl within HTTPd as a Windows service and that service uses a standard
user in Windows without any admin-privileges. In that context using "apr_stat"
with APR_FINFO_NORM fails, while the same usage with APR_FINFO_MIN succeeds.
File::stat::stat of Perl succeeds as well.

> sub finfo    { $_[0]->{finfo}||=APR::Finfo::stat($_[0]->{filename},
>                                                  APR::Const::FINFO_NORM,
>                                                  $_[0]->pool); }

vs.

> sub finfo    { $_[0]->{finfo}||=APR::Finfo::stat($_[0]->{filename},
>                                                  APR::Const::FINFO_MIN,
>                                                  $_[0]->pool); }

Using Process Monitor things look like Windows internally requests some
unexpected additional authentication. The following two lines in the logs are
the last ones directly associated to mod_perl, because "mandkomm.pl" belongs to
something I'm testing mod_perl with.

> 18:12:09,8533141      httpd.exe       20396   QueryRemoteProtocolInformation  C:\Users\tschoening\Documents\Eclipse\Perl
DocBeam\MandKomm\mandkomm.pl INVALID PARAMETER
> 18:12:09,8533617      httpd.exe       20396   QuerySecurityFile       C:\Users\tschoening\Documents\Eclipse\Perl
DocBeam\MandKomm\mandkomm.pl SUCCESS Information: Owner, Group, DACL

Directly afterwards the following Windows-related internal stuff happens:

> 18:12:09,8557370      httpd.exe       20396   CreateFile      C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackde-DE_17763.14.39.0_neutral__8wekyb3d8bbwe\Windows\System32\de-DE\ntmarta.dll.mui
 SUCCESS Desired Access: Generic Read, Disposition: Open, Options: , Attributes: n/a, ShareMode:
Read, Delete, AllocationSize: n/a, OpenResult: Opened
> 18:12:09,8557889      httpd.exe       20396   CreateFileMapping       C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackde-DE_17763.14.39.0_neutral__8wekyb3d8bbwe\Windows\System32\de-DE\ntmarta.dll.mui
 FILE LOCKED WITH ONLY READERS   SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE|PAGE_NOCACHE
> 18:12:09,8558183      httpd.exe       20396   QueryStandardInformationFile    C:\Program
Files\WindowsApps\Microsoft.LanguageExperiencePackde-DE_17763.14.39.0_neutral__8wekyb3d8bbwe\Windows\System32\de-DE\ntmarta.dll.mui
 SUCCESS AllocationSize: 16.384, EndOfFile: 14.720, NumberOfLinks: 1, DeletePending: False,
Directory: False
> 18:12:09,8558750      httpd.exe       20396   CreateFileMapping       C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackde-DE_17763.14.39.0_neutral__8wekyb3d8bbwe\Windows\System32\de-DE\ntmarta.dll.mui
 SUCCESS SyncType: SyncTypeOther
> 18:12:09,8562021      httpd.exe       20396   CreateFile      C:\Program Files\Apache
Software Foundation\httpd\bin\logoncli.dll      NAME NOT FOUND  Desired Access: Read Attributes,
Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete,
AllocationSize: n/a
> 18:12:09,8564963      httpd.exe       20396   CreateFile      C:\Windows\System32\logoncli.dll
       SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point,
Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
> 18:12:09,8565506      httpd.exe       20396   QueryBasicInformationFile       C:\Windows\System32\logoncli.dll
       SUCCESS CreationTime: 15.09.2018 09:28:46, LastAccessTime: 15.09.2018 09:28:46, LastWriteTime:
15.09.2018 09:28:46, ChangeTime: 18.12.2018 14:29:50, FileAttributes: A
> 18:12:09,8565821      httpd.exe       20396   CloseFile       C:\Windows\System32\logoncli.dll
       SUCCESS 
> 18:12:09,8567588      httpd.exe       20396   CreateFile      C:\Windows\System32\logoncli.dll
       SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition:
Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read,
Delete, AllocationSize: n/a, OpenResult: Opened
> 18:12:09,8568147      httpd.exe       20396   CreateFileMapping       C:\Windows\System32\logoncli.dll
       FILE LOCKED WITH ONLY READERS   SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE|PAGE_NOCACHE
> 18:12:09,8568718      httpd.exe       20396   CreateFileMapping       C:\Windows\System32\logoncli.dll
       SUCCESS SyncType: SyncTypeOther
> 18:12:09,8570352      httpd.exe       20396   CloseFile       C:\Windows\System32\logoncli.dll
       SUCCESS 
> 18:12:09,8577214      httpd.exe       20396   CreateFile      C:\Program Files\Apache
Software Foundation\httpd\bin\netutils.dll      NAME NOT FOUND  Desired Access: Read Attributes,
Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete,
AllocationSize: n/a
> 18:12:09,8580361      httpd.exe       20396   CreateFile      C:\Windows\System32\netutils.dll
       SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point,
Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
> 18:12:09,8581042      httpd.exe       20396   QueryBasicInformationFile       C:\Windows\System32\netutils.dll
       SUCCESS CreationTime: 15.09.2018 09:28:46, LastAccessTime: 15.09.2018 09:28:46, LastWriteTime:
15.09.2018 09:28:46, ChangeTime: 18.12.2018 14:29:37, FileAttributes: A
> 18:12:09,8581470      httpd.exe       20396   CloseFile       C:\Windows\System32\netutils.dll
       SUCCESS 
> 18:12:09,8583470      httpd.exe       20396   CreateFile      C:\Windows\System32\netutils.dll
       SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition:
Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read,
Delete, AllocationSize: n/a, OpenResult: Opened
> 18:12:09,8584031      httpd.exe       20396   CreateFileMapping       C:\Windows\System32\netutils.dll
       FILE LOCKED WITH ONLY READERS   SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE|PAGE_NOCACHE
> 18:12:09,8584618      httpd.exe       20396   CreateFileMapping       C:\Windows\System32\netutils.dll
       SUCCESS SyncType: SyncTypeOther
> 18:12:09,8586230      httpd.exe       20396   CloseFile       C:\Windows\System32\netutils.dll
       SUCCESS 
> 18:12:09,8622225      httpd.exe       20396   CreateFile      \\VORDEFINIERT*\MAILSLOT\NET\NETLOGON
  SUCCESS Desired Access: Generic Write, Read Attributes, Disposition: OpenIf, Options: Synchronous
IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0,
OpenResult: Superseded
> 18:12:09,8622960      httpd.exe       20396   WriteFile       \\VORDEFINIERT*\MAILSLOT\NET\NETLOGON
  BAD NETWORK PATH        Offset: 0, Length: 78, Priority: Normal
> 18:12:23,4057050      httpd.exe       20396   CloseFile       \\VORDEFINIERT*\MAILSLOT\NET\NETLOGON
  SUCCESS 
> 18:12:23,4094073      httpd.exe       20396   CreateFile      \\VORDEFINIERT*\MAILSLOT\NET\NETLOGON
  SUCCESS Desired Access: Generic Write, Read Attributes, Disposition: OpenIf, Options: Synchronous
IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0,
OpenResult: Superseded
> 18:12:23,4095101      httpd.exe       20396   WriteFile       \\VORDEFINIERT*\MAILSLOT\NET\NETLOGON
          Offset: 0, Length: 78, Priority: Normal

The NETLOGON-thing repeats until I guess a timeout of ~30 seconds happens and
starting HTTPd simply fails in the end.

As APR_FINFO_NORM seems to be normal usage, I don't think higher privileges
than those of a standard user should be necessary to succeed. The problem
happens with HTTPd using APR 1.70. as well as with APR 1.6.5. The thread at
dev@ mention changes regarding symlinks/junctions in both versions and while I
do use junctions in that context, the problem occurs with and without those in
both versions of APR.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@apr.apache.org
For additional commands, e-mail: bugs-help@apr.apache.org


Mime
View raw message