On Fri, Mar 13, 2026 at 21:26:04 +0100, Borden wrote:
> $ systemctl cat apache2
> ```
> # /usr/lib/systemd/system/apache2.service
...
> ProtectSystem=full
> RestrictNamespaces=yes
> RestrictRealtime=yes
> RestrictSUIDSGID=yes
> SystemCallArchitectures=native
> ProtectProc=invisible
> ProcSubset=pid
>
> ReadWritePaths=-/var/log/apache2
> ReadWritePaths=-/var/cache/apache2/mod_cache_disk
> ```
...
According to systemd.exec(5):
ProtectSystem=
Takes a boolean argument or the special values "full" or "strict".
If true, mounts the /usr/ and the boot loader directories (/boot and
/efi) read-only for processes invoked by this unit. If set to
"full", the /etc/ directory is mounted read-only, too. If set to
"strict" the entire file system hierarchy is mounted read-only,
except for the API file system subtrees /dev/, /proc/ and /sys/
Therefore, the /usr, /boot, /efi and /etc directories should be read-only
for Apache. The /var directory shouldn't be affected, as far as I can
see.
> Somewhat. We already know that Apache cannot write to /var/www/html/webdav ,
> so trying to put the DBLock file there won't work. The fix, not that I'm
> complaining, relocated the DBLock file to a directory where Apache can write,
> but it has yet to explain why /var/www/html/webdav *isn't* writeable.
>
> But I think we established that Apache *can* write to some directories (like
> /var/log/apache2/). Just not that one.
If the restriction is coming from systemd, then the fact that
/var/log/apache2 is writable comes from
ReadWritePaths=-/var/log/apache2
The man page says:
Use ReadWritePaths= in order to allow-list specific paths for write
access if ProtectSystem=strict is used.
If your systemd unit had ProtectSystem=strict then we would have the
answer already. Since you have ProtectSystem=full I don't know what
the whole picture is. It seems to be acting as if you had =strict.
> > ls -ld /var/www/html/webdav
> drwxrwxrwx 1 www-data www-data 38 Mar 13 16:07 /var/www/html/webdav
Just for the record: is /var a plain old directory? Are /var/www and
/var/www/html and /var/www/html/webdav all plain old directories? No
symbolic links, no weird mounts?
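As an added example that is not part of this thread: a small POSIX shell script that encodes the ProtectSystem= rules from the systemd.exec(5) excerpt quoted above, checks a path against a unit's ReadWritePaths= entries, and walks every prefix of a path to answer the "plain old directories, no symlinks?" question. It assumes GNU or busybox `stat -c %F` and only models the quoted man-page rules, not systemd's actual mount namespace setup.

```shell
# Added example (not from the thread); assumes GNU/busybox stat -c %F. It models the
# quoted man page rules, not systemd's real mount namespace.
# expect_readonly VALUE PATH -> 0 if ProtectSystem=VALUE (yes/no/full/strict)
# makes PATH read-only before any ReadWritePaths= allow-list is applied.
expect_readonly() {
    local value="$1" path="$2"
    case $value in
        no|false|0) return 1 ;;
        strict)   # everything read-only except the API file systems
            case $path in /dev|/dev/*|/proc|/proc/*|/sys|/sys/*) return 1 ;; esac
            return 0 ;;
        full)     # /usr, the boot loader directories and /etc
            case $path in /usr|/usr/*|/boot|/boot/*|/efi|/efi/*|/etc|/etc/*) return 0 ;; esac
            return 1 ;;
        yes|true|1)
            case $path in /usr|/usr/*|/boot|/boot/*|/efi|/efi/*) return 0 ;; esac
            return 1 ;;
        *) return 2 ;;   # unknown value
    esac
}

# expect_writable VALUE PATH [RWPATH...] -> 0 if PATH should be writable under
# ProtectSystem=VALUE once the given ReadWritePaths= entries are applied. A
# leading "-" (as in the unit above) only makes a missing path non-fatal.
expect_writable() {
    local value="$1" path="$2" rw rc; shift 2
    for rw in "$@"; do
        rw=${rw#-}
        case $path in "$rw"|"$rw"/*) return 0 ;; esac
    done
    rc=0; expect_readonly "$value" "$path" || rc=$?
    [ "$rc" -eq 1 ]    # unknown ProtectSystem= values count as not writable
}

# walk_chain PATH -> one line per prefix: path, file type, symlink target (if any).
# This answers the "plain old directories, no symlinks?" question for each level.
walk_chain() {
    local rest="${1#/}" prefix="" part type target
    while [ -n "$rest" ]; do
        case $rest in
            */*) part=${rest%%/*}; rest=${rest#*/} ;;
            *)   part=$rest; rest="" ;;
        esac
        prefix="$prefix/$part"
        type=$(stat -c %F "$prefix" 2>/dev/null || echo missing)
        target=$(readlink "$prefix" 2>/dev/null || true)
        printf '%s\t%s\t%s\n' "$prefix" "$type" "$target"
    done
}
```

Run `walk_chain /var/www/html/webdav` as any user to see the type of each level; a "symbolic link" or a mount-point reported by `findmnt -T` on any prefix is what the closing question is after.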