From greminn at gmail.com  Thu Feb 23 01:06:07 2012
From: greminn at gmail.com (Simon)
Date: Thu, 23 Feb 2012 13:06:07 +1300
Subject: [mpm-itk] mpm-itk and PHP config
Message-ID: <9A9A1CD7-B7B3-4C04-838E-17E1107A42C7@gmail.com>

Hi There,

I'm wondering if someone would be able to please point me in the correct direction here?

We have a test server running Debian squeeze and Apache mpm-itk. It's all running nicely with each vhost set up under its own user/group. The problem is: we need to allow some vhosts to use a restricted list of binary commands, "html2ps" for example. I had set up a /www/example.com/bin directory for each vhost and copied the binaries into it, and then used safe_mode_exec_dir to restrict the vhost to only run those binaries... But I can't find a way to restrict the binary applications to only files within /www/example.com/ or /www/example.com/htdocs/

e.g. if zip was a binary command in /www/example.com/bin, the user can still run this in PHP:

    exec("/www/example.com/bin/zip /www/example.com/htdocs/newfile.zip /path/to/another/file.txt");

I'm going a bit batty here and I think I'm on the wrong path altogether!!! So any assistance or pointers would be much appreciated!

Thanks!

Simon


From sgunderson at bigfoot.com  Thu Feb 23 01:34:59 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Thu, 23 Feb 2012 01:34:59 +0100
Subject: [mpm-itk] mpm-itk and PHP config
In-Reply-To: <9A9A1CD7-B7B3-4C04-838E-17E1107A42C7@gmail.com>
References: <9A9A1CD7-B7B3-4C04-838E-17E1107A42C7@gmail.com>
Message-ID: <20120223003459.GA13574@uio.no>

On Thu, Feb 23, 2012 at 01:06:07PM +1300, Simon wrote:
> We have a test server running Debian squeeze and Apache mpm-itk. It's all
> running nicely with each vhost set up under its own user/group. The problem
> is: we need to allow some vhosts to use a restricted list of binary
> commands, "html2ps" for example. I had set up a /www/example.com/bin
> directory for each vhost and copied the binaries into it, and then used
> safe_mode_exec_dir to restrict the vhost to only run those binaries... But
> I can't find a way to restrict the binary applications to only files within
> /www/example.com/ or /www/example.com/htdocs/

Hi,

Your question has nothing to do with mpm-itk. You should probably direct it
towards a PHP user list.

/* Steinar */
--
Homepage: http://www.sesse.net/


From garybrooks at cloudaccess.net  Thu Feb 23 19:21:36 2012
From: garybrooks at cloudaccess.net (Gary Brooks)
Date: Thu, 23 Feb 2012 13:21:36 -0500
Subject: [mpm-itk] mpm-itk and PHP config
In-Reply-To: <20120223003459.GA13574@uio.no>
References: <9A9A1CD7-B7B3-4C04-838E-17E1107A42C7@gmail.com> <20120223003459.GA13574@uio.no>
Message-ID:

You should try CloudLinux; this will solve your problems.

Gary Brooks
garybrooks at cloudaccess.net
Phone: +1-231-421-7160 Ext: 7161
Direct Office: +1-231-421-7161
Skype id: garyjaybrooks2000
Fax: 313-899-7032
Web: http://www.cloudaccess.net
Address: 10850 Traverse Hwy, Suite 4480 | Traverse City, Michigan 49684

On Wed, Feb 22, 2012 at 7:34 PM, Steinar H. Gunderson <sgunderson at bigfoot.com> wrote:
> On Thu, Feb 23, 2012 at 01:06:07PM +1300, Simon wrote:
> > We have a test server running Debian squeeze and Apache mpm-itk. It's all
> > running nicely with each vhost set up under its own user/group. The problem
> > is: we need to allow some vhosts to use a restricted list of binary
> > commands, "html2ps" for example. I had set up a /www/example.com/bin
> > directory for each vhost and copied the binaries into it, and then used
> > safe_mode_exec_dir to restrict the vhost to only run those binaries... But
> > I can't find a way to restrict the binary applications to only files within
> > /www/example.com/ or /www/example.com/htdocs/
>
> Hi,
>
> Your question has nothing to do with mpm-itk. You should probably direct it
> towards a PHP user list.
>
> /* Steinar */
> --
> Homepage: http://www.sesse.net/


From canevet at embl.fr  Tue Feb 28 14:54:10 2012
From: canevet at embl.fr (Mickaël CANÉVET)
Date: Tue, 28 Feb 2012 13:54:10 +0000
Subject: [mpm-itk] Fork as REMOTE_USER instead of static user
Message-ID: <1330437250.14531.21.camel@pc437.embl.fr>

Hi,

Would it be possible to fork as REMOTE_USER instead of a statically defined user?

The idea is to export a filesystem through HTTP (DAV), and instead of giving Apache's user read/write access on the files and playing with .htaccess for each folder, let Apache fork as the authenticated user so that I can use POSIX rights to give access.

Thanks a lot
Mickaël


From sgunderson at bigfoot.com  Tue Feb 28 15:41:50 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Tue, 28 Feb 2012 15:41:50 +0100
Subject: [mpm-itk] Fork as REMOTE_USER instead of static user
In-Reply-To: <1330437250.14531.21.camel@pc437.embl.fr>
References: <1330437250.14531.21.camel@pc437.embl.fr>
Message-ID: <20120228144150.GA29341@uio.no>

On Tue, Feb 28, 2012 at 01:54:10PM +0000, Mickaël CANÉVET wrote:
> Would it be possible to fork as REMOTE_USER instead of a statically
> defined user?

Hi,

Currently mpm-itk has no such support. We've discussed similar extensions in
the past (including fetching the user from the URL), but it's not entirely
clear how to make it generic enough without adding a lot of special cases.

You could possibly try to use a mod_perl hook to add an AssignUserID,
but I've never tried this.

/* Steinar */
--
Homepage: http://www.sesse.net/


From sgunderson at bigfoot.com  Tue Feb 28 15:54:44 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Tue, 28 Feb 2012 15:54:44 +0100
Subject: [mpm-itk] Fork as REMOTE_USER instead of static user
In-Reply-To: <1330440431.14531.24.camel@pc437.embl.fr>
References: <1330437250.14531.21.camel@pc437.embl.fr> <20120228144150.GA29341@uio.no> <1330440431.14531.24.camel@pc437.embl.fr>
Message-ID: <20120228145443.GB29341@uio.no>

On Tue, Feb 28, 2012 at 02:47:11PM +0000, Mickaël CANÉVET wrote:
> Would it be hard to take into account just basic HTTP authentication
> (not cookie-based authentication)?

Yes and no. This is basically "but _my_ use case is very important!", and
then you end up with adding twenty different knobs for twenty different use
cases. :-)

In addition, you'd have to complete the HTTP authentication before setuid(),
for one, which could potentially involve a _lot_ of code if you have a
complex NSS setup, so the attack surface increases.

In short, I don't think this will happen until someone sits down and figures
out a relatively generic way of extending the current scheme. You could of
course code it up for yourself, but I'm going to have a very hard look at
such a patch before I include it into mpm-itk mainline.

/* Steinar */
--
Homepage: http://www.sesse.net/


From canevet at embl.fr  Tue Feb 28 15:47:11 2012
From: canevet at embl.fr (Mickaël CANÉVET)
Date: Tue, 28 Feb 2012 14:47:11 +0000
Subject: [mpm-itk] Fork as REMOTE_USER instead of static user
In-Reply-To: <20120228144150.GA29341@uio.no>
References: <1330437250.14531.21.camel@pc437.embl.fr> <20120228144150.GA29341@uio.no>
Message-ID: <1330440431.14531.24.camel@pc437.embl.fr>

Hi,

Would it be hard to take into account just basic HTTP authentication (not cookie-based authentication)?

On Tue, 2012-02-28 at 15:41 +0100, Steinar H. Gunderson wrote:
> On Tue, Feb 28, 2012 at 01:54:10PM +0000, Mickaël CANÉVET wrote:
> > Would it be possible to fork as REMOTE_USER instead of a statically
> > defined user?
>
> Hi,
>
> Currently mpm-itk has no such support. We've discussed similar extensions in
> the past (including fetching the user from the URL), but it's not entirely
> clear how to make it generic enough without adding a lot of special cases.
>
> You could possibly try to use a mod_perl hook to add an AssignUserID,
> but I've never tried this.
>
> /* Steinar */


From michael at orlitzky.com  Tue Feb 28 16:25:50 2012
From: michael at orlitzky.com (Michael Orlitzky)
Date: Tue, 28 Feb 2012 10:25:50 -0500
Subject: [mpm-itk] Apache 2.4 series release
Message-ID: <4F4CF1FE.10508@orlitzky.com>

Are there any plans to release a patch based on the latest 2.4(.1)?

I tried the dumb thing already: rearranging the code patches so that they apply cleanly and hacking the build system manually. I get build failures but haven't looked too closely.

I could also work with distro maintainers to update their patches and send them back upstream. My reason for wanting a version bump so soon: I would like the first 2.4.x release on Gentoo to ship with mpm-itk, so that the unstable users can iron out any bugs before we go stable. I'm worried that if 2.4.x gets added to the tree without mpm-itk, we could either lose itk users (fewer testers) or it could be a headache getting the patch re-added.


From sgunderson at bigfoot.com  Tue Feb 28 17:13:06 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Tue, 28 Feb 2012 17:13:06 +0100
Subject: [mpm-itk] Apache 2.4 series release
In-Reply-To: <4F4CF1FE.10508@orlitzky.com>
References: <4F4CF1FE.10508@orlitzky.com>
Message-ID: <20120228161306.GC29341@uio.no>

On Tue, Feb 28, 2012 at 10:25:50AM -0500, Michael Orlitzky wrote:
> Are there any plans to release a patch based on the latest 2.4(.1)?

Yes, this is planned (and 2.0 support will be removed at the same time).
I haven't gotten around to it, though.

/* Steinar */
--
Homepage: http://www.sesse.net/


From michael at orlitzky.com  Tue Feb 28 18:07:09 2012
From: michael at orlitzky.com (Michael Orlitzky)
Date: Tue, 28 Feb 2012 12:07:09 -0500
Subject: [mpm-itk] Apache 2.4 series release
In-Reply-To: <20120228161306.GC29341@uio.no>
References: <4F4CF1FE.10508@orlitzky.com> <20120228161306.GC29341@uio.no>
Message-ID: <4F4D09BD.7070503@orlitzky.com>

On 02/28/12 11:13, Steinar H. Gunderson wrote:
> On Tue, Feb 28, 2012 at 10:25:50AM -0500, Michael Orlitzky wrote:
>> Are there any plans to release a patch based on the latest 2.4(.1)?
>
> Yes, this is planned (and 2.0 support will be removed at the same time).
> I haven't gotten around to it, though.

No problem, I just wanted to check before duplicating the effort. Please ping the list if you need any help testing.


From mahatma at bspu.unibel.by  Wed Feb 29 11:58:08 2012
From: mahatma at bspu.unibel.by (Dzianis Kahanovich)
Date: Wed, 29 Feb 2012 13:58:08 +0300
Subject: [mpm-itk] Apache 2.4 series release
In-Reply-To: <4F4CF1FE.10508@orlitzky.com>
References: <4F4CF1FE.10508@orlitzky.com>
Message-ID: <4F4E04C0.2020903@bspu.unibel.by>

Michael Orlitzky wrote:
> Are there any plans to release a patch based on the latest 2.4(.1)?
>
> I tried the dumb thing already: rearranging the code patches so that
> they apply cleanly and hacking the build system manually. I get build
> failures but haven't looked too closely.
>
> I could also work with distro maintainers to update their patches and
> send them back upstream. My reason for wanting a version bump so soon: I
> would like the first 2.4.x release on Gentoo to ship with mpm-itk, so
> that the unstable users can iron out any bugs before we go stable. I'm
> worried that if 2.4.x gets added to the tree without mpm-itk, we could
> either lose itk users (fewer testers) or it could be a headache getting
> the patch re-added.

http://mahatma.bspu.unibel.by/download/experimental/apache2.4-mpm-itk-2.4.1-01.patch
- first, run it as a bash script in Apache's dir; second, apply it as a patch.
This patch does not include my experimental features, it is just a re-apply of the original mpm-itk.

This is unofficial; ask Steinar for this.

PS Sorry for the fast re-bump of 2.3.15 (direct patch editing in 2 places), but IMHO it is not a crime.

--
WBR, Dzianis Kahanovich AKA Denis Kaganovich, http://mahatma.bspu.unibel.by/


From azurit at pobox.sk  Wed Feb 29 12:42:11 2012
From: azurit at pobox.sk (azurIt)
Date: Wed, 29 Feb 2012 12:42:11 +0100
Subject: [mpm-itk] Apache 2.4 series release
In-Reply-To: <4F4E04C0.2020903@bspu.unibel.by>
References: <4F4CF1FE.10508@orlitzky.com> <4F4E04C0.2020903@bspu.unibel.by>
Message-ID: <20120229124211.608964CD@pobox.sk>

Hi,

could you, please, also describe the other patches at that URL? thnx.

azur

______________________________________________________________
> From: "Dzianis Kahanovich"
> To: Michael Orlitzky
> Date: 29.02.2012 11:49
> Subject: Re: [mpm-itk] Apache 2.4 series release
>
> CC: mpm-itk at err.no
> Michael Orlitzky wrote:
> > Are there any plans to release a patch based on the latest 2.4(.1)?
> >
> > I tried the dumb thing already: rearranging the code patches so that
> > they apply cleanly and hacking the build system manually. I get build
> > failures but haven't looked too closely.
> >
> > I could also work with distro maintainers to update their patches and
> > send them back upstream. My reason for wanting a version bump so soon: I
> > would like the first 2.4.x release on Gentoo to ship with mpm-itk, so
> > that the unstable users can iron out any bugs before we go stable. I'm
> > worried that if 2.4.x gets added to the tree without mpm-itk, we could
> > either lose itk users (fewer testers) or it could be a headache getting
> > the patch re-added.
>
> http://mahatma.bspu.unibel.by/download/experimental/apache2.4-mpm-itk-2.4.1-01.patch
> - first, run it as a bash script in Apache's dir; second, apply it as a patch.
> This patch does not include my experimental features, it is just a re-apply of the original mpm-itk.
>
> This is unofficial; ask Steinar for this.
>
> PS Sorry for the fast re-bump of 2.3.15 (direct patch editing in 2 places), but IMHO
> it is not a crime.
>
> --
> WBR, Dzianis Kahanovich AKA Denis Kaganovich, http://mahatma.bspu.unibel.by/


From mahatma at bspu.unibel.by  Wed Feb 29 18:59:31 2012
From: mahatma at bspu.unibel.by (Dzianis Kahanovich)
Date: Wed, 29 Feb 2012 20:59:31 +0300
Subject: [mpm-itk] Apache 2.4 series release
In-Reply-To: <20120229124211.608964CD@pobox.sk>
References: <4F4CF1FE.10508@orlitzky.com> <4F4E04C0.2020903@bspu.unibel.by> <20120229124211.608964CD@pobox.sk>
Message-ID: <4F4E6783.30609@bspu.unibel.by>

azurIt wrote:
> could you, please, also describe the other patches at that URL? thnx.
...
>> http://mahatma.bspu.unibel.by/download/experimental/apache2.4-mpm-itk-2.4.1-01.patch
...

/experimental/ ? or all of /download/ ? ;)

*itk-cgroups* - adds cgroups support for mpm-itk (just writes the PID into "tasks"); described inside.

*itk-clone* - uses clone() instead of fork(), making some clone() benefits possible, including LXC isolation, but the isolation is still experimental here: LXC still cannot join an existing namespace, every namespace will be unique, and I think too many isolated namespaces slow down the kernel. Needs testing. Right now it is only useful in CLONE_VFORK mode (after forking, the parent process stays inactive); it MAY be better for reducing the number of active tasks, but really I see no benefits (there MAY be some on a very busy system). IMHO CLONE_VFORK must be changed in the kernel to disable process rescheduling for CLONE_VFORK to get real benefits (there is little reason to change CPU resources if the old process is stalled, but some reason exists: NUMA, etc.). Half of the patch may be deleted in production (the second clone(), child_main()) to reduce code changes; it is just experimental (but certainly working on my servers).

Also I have chroot() for every process ready, but I am too lazy to test it before publishing. But all 3 patches could make complete LXC support possible. If somebody is interested, I can test chroot() and prepare it all. I can even prepare a cumulative patch for complete mpm-itk + this, but it will be harder to support, etc.

PS If you are REALLY interested in the other patches in /download/, ask and I will try to describe them at the same URL; it is not an mpm-itk subject...

--
WBR, Dzianis Kahanovich AKA Denis Kaganovich, http://mahatma.bspu.unibel.by/