Bug 1195465 - update to lighttpd-1.4.64-bp153.2.3.1.x86_64 breaks userdir public_html
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.3
Hardware: x86-64
OS: openSUSE Leap 15.3
Priority: P5 - None
Severity: Normal
Assigned To: Andreas Stieger
Reported: 2022-02-02 20:34 UTC by Dirk Weber
Modified: 2022-02-07 08:17 UTC (History)
CC: 3 users
Description Dirk Weber 2022-02-02 20:34:10 UTC
After today's maintenance update to
lighttpd-1.4.64-bp153.2.3.1.x86_64.rpm,
userdirs (public_html) are no longer accessible via lighttpd.

URLs in the style
http://localhost/~user/
now result in an error message (404).

The problem seems to be caused by the hardening settings in the new
/usr/lib/systemd/system/lighttpd.service
file.

It now additionally contains:

# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions 


Creating an
/etc/systemd/system/lighttpd.service
without these settings (i.e. falling back to the old service file),
then disabling/enabling the service to update the links and restarting it, restores the functionality.

With just
ProtectHome=true
disabled and the other hardening settings kept active, the
http://localhost/~user/
access also works.

So ProtectHome=true seems to be the culprit in this case.
Comment 1 Dirk Weber 2022-02-02 21:52:43 UTC
After checking the options for ProtectHome on
https://www.freedesktop.org/software/systemd/man/systemd.exec.html
I found that read access to the home directories' public_html also works with:
ProtectHome=read-only
Maybe this is a better setting for lighttpd than dropping it completely.

Just as a cross-reference: I added this bug to bug 1181400 and set it to Security, as this hardening seems to be added automatically.

BTW: I also already observed this problem on Tumbleweed for some weeks but did not have time to track it down. I suspected it was caused by a change in lighttpd's configuration files and failed to get it to work by just modifying those and incorporating the changes from the rpmnew files.
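The workaround in the description copies the whole unit into /etc/systemd/system and drops every hardening directive; the setting identified in comment 1 can instead be relaxed on its own with a systemd drop-in, which leaves ProtectSystem, PrivateDevices and the rest of the packaged hardening in force. The script below is an added example, not part of the bug report or of the openSUSE lighttpd package; the drop-in directory /etc/systemd/system/lighttpd.service.d/, the file name protecthome.conf and the helper names are assumptions made for illustration. ProtectHome accepts true, false, read-only and tmpfs; only false and read-only leave ~user/public_html readable by the service, and read-only still denies writes into home directories.

```shell
#!/bin/sh
# Added example (not from the bug report): relax only ProtectHome for
# lighttpd via a systemd drop-in, keeping the other packaged hardening.
UNIT="lighttpd.service"

# Write the drop-in below a root prefix ($1, "/" on a real system).
# Prints the path of the file it created. Directory and file name are
# assumptions; any *.conf in the .d directory is merged by systemd.
write_override() {
    dir="${1%/}/etc/systemd/system/$UNIT.d"
    mkdir -p "$dir"
    cat > "$dir/protecthome.conf" <<'EOF'
[Service]
# The packaged unit sets ProtectHome=true, which makes /home, /root and
# /run/user appear empty to lighttpd, so ~user/public_html yields 404.
# read-only keeps them visible but still prevents any write by the service.
ProtectHome=read-only
EOF
    printf '%s\n' "$dir/protecthome.conf"
}

# Pull the value out of `systemctl show -p ProtectHome lighttpd` output
# ("ProtectHome=read-only"). Takes the text as an argument so it can be
# checked offline; on a live system pass "$(systemctl show -p ProtectHome lighttpd)".
protecthome_value() {
    printf '%s\n' "$1" | sed -n 's/^ProtectHome=//p'
}

# Exit status 0 when the given ProtectHome value still lets the service
# read home directories (needed for userdir), 1 when it hides them.
home_readable() {
    case "$1" in
        false|read-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on a real system (not executed here):
#   f=$(write_override /) && systemctl daemon-reload && systemctl restart lighttpd
#   v=$(protecthome_value "$(systemctl show -p ProtectHome lighttpd)")
#   home_readable "$v" && curl -sI http://localhost/~user/ | head -n 1
```

Verifying with `systemctl show` rather than by reading the unit file matters because the effective value is whatever systemd merged from the packaged unit plus all drop-ins; once the packaged update that ships ProtectHome=read-only itself is installed, the drop-in becomes redundant and can be removed.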
Comment 2 Johannes Segitz 2022-02-03 07:42:13 UTC
Yes, ProtectHome=read-only is a better setting. Thanks for reporting this here, I'll submit a fix.
Comment 3 Marcus Meissner 2022-02-03 13:43:02 UTC
I think Andreas submitted the maintenance update, cc
Comment 4 Andreas Stieger 2022-02-03 17:13:23 UTC
Submitted to Tumbleweed and Leap.
Comment 5 OBSbugzilla Bot 2022-02-03 17:50:05 UTC
This is an autogenerated message for OBS integration:
This bug (1195465) was mentioned in
https://build.opensuse.org/request/show/951357 Factory / lighttpd
https://build.opensuse.org/request/show/951358 Backports:SLE-15-SP3 / lighttpd
Comment 6 Swamp Workflow Management 2022-02-07 08:17:09 UTC
openSUSE-RU-2022:0029-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1195465
CVE References: 
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    lighttpd-1.4.64-bp153.2.6.1