From: mailinglists at xgm.de (Florian Lindner)
Date: Fri, 16 Jul 2010 19:02:27 +0200
Subject: [mpm-itk] User ID for logfiles
Message-ID: <201007161902.27607.mailinglists@xgm.de>

Hello,

I'm running apache with mpm_itk from debian lenny. Though I've set AssignUserID the created log files (access.log and error.log) are created as user root. Could this indicate a problem or should it be like that?

Thanks,

Florian

From: azurit at pobox.sk (azurIt)
Date: Fri, 16 Jul 2010 19:50:15 +0200
Subject: [mpm-itk] User ID for logfiles

Hi,

this is completely ok, log files are created on Apache startup.

azur

>-----Original message-----
>From: Florian Lindner [mailto:mailinglists at xgm.de]
>To: mpm-itk at lists.err.no
>Subject: [mpm-itk] User ID for logfiles
>
>
>Hello,
>
>I'm running apache with mpm_itk from debian lenny. Though I've set
>AssignUserID the created log files (access.log and error.log) are created as
>user root. Could this indicate a problem or should it be like that?
>
>
>Thanks,
>
>Florian
>
>_______________________________________________
>mpm-itk mailing list
>mpm-itk at err.no
>http://lists.err.no/mailman/listinfo/mpm-itk

From: marijn at e-active.nl (Marijn Otte)
Date: Fri, 23 Jul 2010 16:49:49 +0200
Subject: [mpm-itk] Switching vhosts during the same connection in Debian

Hello,

Last year I posted about this problem:
http://lists.err.no/pipermail/mpm-itk/2009-August/000161.html

The problem does not occur with the Debian package apache2-mpm-itk 2.2.6-02-1+lenny2. The lenny3 version is available at this moment, but until now I don't dare to install it, because I will have immediate problems with our clients if it introduces the bug.

A number of months ago we installed the ITK version from Debian stable. We tried to use Steinar's suggestion "making your .htaccess files globally readable". It turned out that we had to give the whole directory structure of every document root an everyone chmod +x, not only the root directory. As you will understand it is not manageable to do this with every newly created directory. Another problem is that we have to give all files in the directory an everyone chmod -r, otherwise the files can be read by any user on the server.

I have two questions about this:

- In the changelog http://mpm-itk.sesse.net/apache2.2-mpm-itk-2.2.11-02/CHANGES there is something mentioned about "Add CAP_DAC_READ_SEARCH to the list of capabilities, so Apache can read .htaccess files that are not world readable.". Is this the solution for my problem? In that case this should mean this update is not provided to Debian?

- If not, another solution for our problem, such as the possibility to disable the uid/gid per directory feature by httpd.conf, would be great. Will this, or some other fix for this bug, become available in the future?

Thanks.

Kind regards,

Marijn Otte

From: knut at auvor.no (Knut Auvor Grythe)
Date: Fri, 23 Jul 2010 18:20:27 +0200
Subject: [mpm-itk] Switching vhosts during the same connection in Debian
Message-ID: <20100723162027.GU17040@stud.ntnu.no>

On Fri, Jul 23, 2010 at 04:49:49PM +0200, Marijn Otte wrote:
> Hello,
> Last year I posted about this problem:
> http://lists.err.no/pipermail/mpm-itk/2009-August/000161.html
> The problem does not occur with the Debian package apache2-mpm-itk
> 2.2.6-02-1+lenny2. The lenny3 version is available at this moment, but
> until now I don't dare to install it, because I will have immediate
> problems with our clients if it introduces the bug.

It will not, as the bug was introduced in 2.2.11-01, and Debian does not backport features. The lenny3 version is probably a rebuild due to an unrelated apache bug.

> A number of months ago we installed the ITK version from Debian stable.
> We tried to use Steinar's suggestion "making your .htaccess files
> globally readable". It turned out that we had to give the whole
> directory structure of every document root an everyone chmod +x, not
> only the root directory. As you will understand it is not manageable to
> do this with every newly created directory. Another problem is that we
> have to give all files in the directory an everyone chmod -r, otherwise
> the files can be read by any user on the server.

This can be solved by setting a suitable umask. Then the permissions would be correct from the beginning.

> I have two questions about this:
> - In the changelog
> http://mpm-itk.sesse.net/apache2.2-mpm-itk-2.2.11-02/CHANGES there is
> something mentioned about "Add CAP_DAC_READ_SEARCH to the list of
> capabilities, so Apache can read .htaccess files that are not world
> readable.". Is this the solution for my problem? In that case this
> should mean this update is not provided to Debian?

It probably helps a bit, but I don't think it solves it completely. It helps before the first UID change, but not after the process has changed to a non-privileged user.

> - If not, another solution for our problem, such as the possibility to
> disable the uid/gid per directory feature by httpd.conf, would be great.

This has been considered, but it would really be preferable to just make it work. Having a setting for this would make the internals very messy, and it would probably break something else.

> Will this, or some other fix for this bug become available in the
> future?

See this comment: http://lists.err.no/pipermail/mpm-itk/2010-June/000304.html

-- 
Knut Auvor

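The permission arrangement Knut and Marijn are discussing (every directory under the document root searchable by other uids so a process already switched to another vhost's user can reach a .htaccess, content files not readable by other local users, and only the .htaccess itself world-readable), written out as an added example in Python. It is not code from the mpm-itk project or from anyone in this thread. It assumes a umask of 026 (new files 640, new directories 751), that the site owner and the web server share a group, and a small sample tree of its own construction; the AssignUserID values themselves are not modelled.

```python
"""Permission scheme for mpm-itk document roots (added example, see lead-in).

Directories: o+x only (traversable, but not listable, by other uids).
Files:       no permissions for others, except .htaccess which gets o+r.
umask 026 gives new directories 751 and new files 640, so only a newly
created .htaccess needs a chmod afterwards.
"""
import os
import stat
import tempfile

ITK_UMASK = 0o026   # assumption: site owner and web server share the group


def _wanted_mode(path, mode):
    """Return the permission bits with the 'other' part rewritten for this scheme."""
    other = 0
    if stat.S_ISDIR(mode):
        other = stat.S_IXOTH
    elif os.path.basename(path) == ".htaccess":
        other = stat.S_IROTH
    return (stat.S_IMODE(mode) & ~stat.S_IRWXO) | other


def _entries(root):
    """Yield (path, lstat) for every directory and file below root; symlinks are skipped."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode):    # never chmod through a symlink
                yield path, st


def apply_scheme(root):
    """chmod everything below root into the scheme; returns the number of changes."""
    changed = 0
    for path, st in _entries(root):
        want = _wanted_mode(path, st.st_mode)
        if want != stat.S_IMODE(st.st_mode):
            os.chmod(path, want)
            changed += 1
    return changed


def check_scheme(root):
    """Return [(path, reason)] for entries that break the scheme; [] when the tree is clean."""
    problems = []
    for path, st in _entries(root):
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISDIR(st.st_mode):
            if not mode & stat.S_IXOTH:
                problems.append((path, "directory not searchable by others"))
            if mode & (stat.S_IROTH | stat.S_IWOTH):
                problems.append((path, "directory listable or writable by others"))
        elif os.path.basename(path) == ".htaccess":
            if not mode & stat.S_IROTH:
                problems.append((path, ".htaccess not world-readable"))
        elif mode & stat.S_IRWXO:
            problems.append((path, "file accessible by others"))
    return problems


def modes_under_umask(umask=ITK_UMASK):
    """Create a directory and a file under umask; return their modes as octal strings."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            d = os.path.join(tmp, "newdir")
            os.mkdir(d)
            f = os.path.join(tmp, "newfile")
            open(f, "w").close()
            return (oct(stat.S_IMODE(os.stat(d).st_mode)),
                    oct(stat.S_IMODE(os.stat(f).st_mode)))
    finally:
        os.umask(old)


def build_demo_tree(root):
    """Constructed sample document root with the kind of modes the thread describes."""
    htdocs = os.path.join(root, "htdocs")
    images = os.path.join(htdocs, "images")
    os.makedirs(images)
    for path, mode in [(os.path.join(htdocs, ".htaccess"), 0o600),
                       (os.path.join(htdocs, "index.php"), 0o664),
                       (os.path.join(images, "logo.png"), 0o644)]:
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(htdocs, 0o750)
    os.chmod(images, 0o755)
    os.symlink("index.php", os.path.join(htdocs, "link.php"))   # left untouched
    return htdocs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        print("before:", check_scheme(root))
        print("changed:", apply_scheme(root))
        print("after:", check_scheme(root))
        print("umask 026 gives (dir, file):", modes_under_umask())
```

apply_scheme() is the one-off pass over an existing document root; check_scheme() is what a cron job would run to catch directories that were created without the umask in place. Note that the scheme only covers discretionary file bits: a world-searchable directory still lets another user open any file inside it whose name they can guess, which is exactly why the files themselves must lose the o+r bit.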
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Fri, 23 Jul 2010 18:26:11 +0200
Subject: [mpm-itk] Switching vhosts during the same connection in Debian
In-Reply-To: <20100723162027.GU17040@stud.ntnu.no>
References: <20100723162027.GU17040@stud.ntnu.no>
Message-ID: <20100723162611.GB2008@uio.no>

On Fri, Jul 23, 2010 at 06:20:27PM +0200, Knut Auvor Grythe wrote:
>> Last year I posted about this problem:
>> http://lists.err.no/pipermail/mpm-itk/2009-August/000161.html
>> The problem does not occur with the Debian package apache2-mpm-itk
>> 2.2.6-02-1+lenny2. The lenny3 version is available at this moment, but
>> until now I don't dare to install it, because I will have immediate
>> problems with our clients if it introduces the bug.
> It will not, as the bug was introduced in 2.2.11-01, and Debian does not
> backport features. The lenny3 version is probably a rebuild due to an
> unrelated apache bug.

Actually it's a fix for an mpm-itk specific bug, related to restart problems. It is not related to this specific bug, though.

>> - If not, another solution for our problem, such as the possibility to
>> disable the uid/gid per directory feature by httpd.conf, would be great.
> This has been considered, but it would really be preferable to just make
> it work. Having a setting for this would make the internals very messy,
> and it would probably break something else.

I reiterate that the best mpm-itk fix would probably be to make "cannot read .htaccess after uid switch" behave identically to "cannot setuid after uid switch", i.e. close the HTTP connection straight. I have no idea how easy it is to do, though.

Of course, the _right_ fix is to fix whatever causes these uid switches in the first place. No fix on the mpm-itk side is going to change that killing the mpm-itk child (by changing uid on the HTTP connection) has a non-negligible performance cost.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

From: marijn at e-active.nl (Marijn Otte)
Date: Mon, 26 Jul 2010 10:37:03 +0200
Subject: [mpm-itk] Switching vhosts during the same connection in Debian
References: <20100723162027.GU17040@stud.ntnu.no> <20100723162611.GB2008@uio.no>

On Fri, Jul 23, 2010 at 06:26:27PM +0200, Steinar H. Gunderson wrote:
> Of course, the _right_ fix is to fix whatever causes these uid switches
> in the first place.

What happens is that a proxy server uses the same connection for requests on multiple vhosts, because behind the proxy 2 users are accessing two different websites on the same server, at the same time. I think there is nothing wrong with that?

As I understand it, it's unsure if and when the problem will be fixed. I really hope this problem will be fixed, because in my opinion ITK is the only application-independent and well-working per-user solution. As it works great on our production environment, for us it's not the "experimental software" as it is called on the website. I hope we can keep that in the future :).

Kind regards,

Marijn Otte

From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Mon, 26 Jul 2010 23:59:57 +0200
Subject: [mpm-itk] Switching vhosts during the same connection in Debian
References: <20100723162027.GU17040@stud.ntnu.no> <20100723162611.GB2008@uio.no>
Message-ID: <20100726215957.GA15270@uio.no>

On Mon, Jul 26, 2010 at 10:37:03AM +0200, Marijn Otte wrote:
>> Of course, the _right_ fix is to fix whatever causes these uid switches in
>> the first place.
> What happens is that a proxy server uses the same connection for requests
> on multiple vhosts, because behind the proxy 2 users are accessing two
> different websites on the same server, at the same time. I think there is
> nothing wrong with that?

It's fully legal as per the HTTP standards, but definitely not a good idea performance-wise. Ideally the proxy server should understand that it shouldn't reuse that connection for different vhosts (i.e., you should be able to tell it so). Of course this is impossible to realize if you don't have control over the proxy server.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

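The proxy behaviour Marijn describes and Steinar calls legal but costly, one keep-alive connection carrying requests for two different vhosts, as an added reproduction script in Python. It is not code from the mpm-itk project or from anyone in this thread. send_on_one_connection() is the part to point at a real mpm-itk server whose vhosts carry different AssignUserID values; the echo server is a constructed stand-in so the script also runs offline, and the hostnames alpha.example and beta.example and its close_on_host_change switch (mimicking the "close the HTTP connection straight" behaviour proposed above) are this example's own assumptions.

```python
"""Reproduce the pattern from this thread: several vhosts on one keep-alive connection.

Added example (see lead-in). The stand-in server reports the Host header and
a per-connection request counter, and can be told to drop the connection
when the Host changes, which is what the proposed mpm-itk fix does.
"""
import socket
import socketserver
import threading
from http.server import BaseHTTPRequestHandler


class EchoHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"   # needed for keep-alive on the server side
    close_on_host_change = False    # stand-in for 'close the connection straight'

    def do_GET(self):
        host = self.headers.get("Host", "")
        # One handler instance serves every request on a TCP connection,
        # so an instance attribute acts as per-connection state.
        if not hasattr(self, "hosts_seen"):
            self.hosts_seen = []
        if self.hosts_seen and host != self.hosts_seen[0] and self.close_on_host_change:
            self.close_connection = True   # drop without sending any response
            return
        self.hosts_seen.append(host)
        body = f"host={host} request_on_connection={len(self.hosts_seen)}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass   # keep the example quiet


def start_echo_server(close_on_host_change=False):
    """Start the stand-in on an ephemeral loopback port; the caller shuts it down."""
    handler = type("Handler", (EchoHandler,),
                   {"close_on_host_change": close_on_host_change})
    # TCPServer instead of HTTPServer: HTTPServer.server_bind does a reverse
    # name lookup on bind, which this example does not need.
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _read_response(f):
    """Read one Content-Length framed HTTP/1.1 response; None if the peer closed."""
    status_line = f.readline()
    if not status_line:
        return None
    status = int(status_line.split()[1])
    length = 0
    while True:
        line = f.readline().rstrip(b"\r\n")
        if not line:
            break
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    return status, f.read(length).decode()


def send_on_one_connection(addr, hosts, path="/"):
    """One GET per entry in hosts, all over the same TCP connection.

    Returns a list of (status, body); a (None, reason) entry marks the point
    where the server closed the connection instead of answering.
    """
    results = []
    with socket.create_connection(addr, timeout=5) as sock, sock.makefile("rb") as f:
        for host in hosts:
            sock.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode())
            resp = _read_response(f)
            if resp is None:
                results.append((None, "connection closed by server"))
                break
            results.append(resp)
    return results


if __name__ == "__main__":
    srv = start_echo_server(close_on_host_change=True)
    try:
        for entry in send_on_one_connection(srv.server_address,
                                            ["alpha.example", "beta.example"]):
            print(entry)
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real mpm-itk server, replace srv.server_address with the server's address and use two hostnames that map to vhosts with different AssignUserID settings; the second entry in the result is where you see either the .htaccess error from the thread or, with the proposed fix, the (None, "connection closed by server") marker that a proxy would answer by opening a fresh connection.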
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Sat, 31 Jul 2010 01:55:44 +0200
Subject: [mpm-itk] Switching vhosts during the same connection in Debian
In-Reply-To: <20100723162611.GB2008@uio.no>
References: <20100723162027.GU17040@stud.ntnu.no> <20100723162611.GB2008@uio.no>
Message-ID: <20100730235544.GA25932@uio.no>

On Fri, Jul 23, 2010 at 06:26:11PM +0200, Steinar H. Gunderson wrote:
> I reiterate that the best mpm-itk fix would probably be to make "cannot read
> .htaccess after uid switch" behave identically to "cannot setuid after uid
> switch", i.e. close the HTTP connection straight. I have no idea how easy it
> is to do, though.

You can try this patch as a first approximation. The logging doesn't actually appear to work, it's pretty much untested, and probably needs some more sanity checking, but it just might help with your issue:

--- a/server/config.c 2010-07-21 20:11:07.000000000 +0200 +++ b/server/config.c 2010-07-31 01:53:15.000000000 +0200 @@ -1840,6 +1867,15 @@ else { if (!APR_STATUS_IS_ENOENT(status) && !APR_STATUS_IS_ENOTDIR(status)) { +#ifdef ITK_MPM + if (getuid() != 0) { + ap_log_error(APLOG_MARK, APLOG_WARNING, status, r, + "Couldn't read %s, closing connection.", + filename); + ap_lingering_close(r->connection); + exit(0); + } +#endif ap_log_rerror(APLOG_MARK, APLOG_CRIT, status, r, "%s pcfg_openfile: unable to check htaccess file, " "ensure it is readable",

/* Steinar */
-- 
Homepage: http://www.sesse.net/
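Review bot: the added log call passes a request_rec where ap_log_error expects a server_rec, which is why the "Couldn't read %s, closing connection." message never shows up; the unchanged call right below it, `ap_log_rerror(APLOG_MARK, APLOG_CRIT, status, r,`, is the per-request variant, so use ap_log_rerror here as well (or pass r->server). A second point is the guard: `getuid() != 0` is true for every request once the child has switched uid, including the first request on a fresh connection, so a .htaccess that the vhost's own assigned user genuinely cannot read no longer reaches the existing CRIT "unable to check htaccess file" path but silently drops the connection; the client reconnects and hits the same wall, turning a logged misconfiguration into a retry loop. Compare the current uid with the uid the vhost of r would be switched to and only take the close-and-exit branch when they differ, leaving the CRIT path for the real permission error. Lastly, `exit(0)` straight out of the htaccess parser reports a clean exit and bypasses whatever mpm-itk does when setuid fails after a uid switch; since the stated goal is that the two cases behave identically, route through the same exit path that case uses rather than a bare exit(0).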