Problem: Moving the contents of www/ from a case-sensitive to a case-insensitive system can result in bad permissions (on directories) and/or adding .htconfig / .htaccess to the wrong directory. Please note that the following is *not* a vulnerability in httpd itself but stems from the use of standard utilities on modern Linux systems.

Description: On a case-sensitive system, we *tar* the contents of www/ using “tar -cf www.tar /var/www”. Then in a case-insensitive directory (e.g. ext4 with per-directory case-insensitive support[1]) we expand the tarball using: “tar -xf www.tar -C /mnt/icase”.

Scenario 1: Bad Perms on directory
=========

At Source (/var/www):
www/
    hidden/ (perm=700)
        secret.txt
    HIDDEN/ (perm=755)

After moving to /mnt/icase:
www/
    hidden/ (perm=755)
        secret.txt

Scenario 2: Merging directory contents
=========

At Source (/var/www):
www/
    protected/ (group=www-data,perm=750)
        .htaccess
        user-file.txt
    PROTECTED/ (perm=755)
        .htaccess (empty)

After moving to /mnt/icase:
www/
    protected/ (group=www-data,perm=755)
        .htaccess (empty)
        user-file.txt (now accessible over http)

The above two scenarios can also occur when transferring files using rsync.

Mentioning this in the documentation will be helpful for the community.

Tested on: Ubuntu 20.04.4 LTS, GNU tar v1.30 (amd64)

Please let me know if there are any questions.

Refer:
[1] https://www.collabora.com/news-and-blog/blog/2020/08/27/using-the-linux-kernel-case-insensitive-feature-in-ext4/

Aditya Basu
PhD Student
The Pennsylvania State University
https://www.adityabasu.me/
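
A pre-migration check for the collisions described in both scenarios, added here as an example and not part of the original report: it lists archive members whose paths become identical after case folding, with their modes and groups, so the tarball can be reviewed before it is expanded on a case-insensitive target. The function names, the file modes and the "root" group in the sample archive are constructed for illustration, and Python's casefold() is assumed to be a close enough approximation of the filesystem's own folding.

```python
import io
import tarfile
from collections import defaultdict


def case_collisions(tar):
    """Group archive members whose paths are identical after case folding."""
    groups = defaultdict(list)
    for member in tar.getmembers():
        # Assumption: casefold() approximates the target filesystem's folding.
        groups[member.name.rstrip("/").casefold()].append(member)
    return {key: ms for key, ms in groups.items() if len(ms) > 1}


def describe(m):
    """Render name, type, permission bits and group of one archive member."""
    kind = "dir" if m.isdir() else "file"
    return f"{m.name} ({kind}, mode={m.mode & 0o7777:o}, group={m.gname})"


def report(collisions):
    """One line per colliding path, listing every member that maps onto it."""
    return [
        f"{key}: " + ", ".join(describe(m) for m in collisions[key])
        for key in sorted(collisions)
    ]


def build_sample_archive():
    """Constructed in-memory archive mirroring Scenario 2 of the report."""
    entries = [  # (path, type, mode, group) -- sample values, not real data
        ("www/protected", tarfile.DIRTYPE, 0o750, "www-data"),
        ("www/protected/.htaccess", tarfile.REGTYPE, 0o640, "www-data"),
        ("www/protected/user-file.txt", tarfile.REGTYPE, 0o640, "www-data"),
        ("www/PROTECTED", tarfile.DIRTYPE, 0o755, "root"),
        ("www/PROTECTED/.htaccess", tarfile.REGTYPE, 0o644, "root"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, mode, group in entries:
            info = tarfile.TarInfo(name)
            info.type, info.mode, info.gname = kind, mode, group
            tar.addfile(info)  # zero-length members, no file data needed
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    with build_sample_archive() as sample:
        print("\n".join(report(case_collisions(sample))))
```

To check a real archive, pass tarfile.open("www.tar") to case_collisions() instead of the sample; any reported directory pair with differing modes or groups is a candidate for the permission change and .htaccess replacement shown in the scenarios.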