From rcmova at gmail.com Wed Jul 18 16:02:15 2012
From: rcmova at gmail.com (Roberto Carlos Morano)
Date: Wed, 18 Jul 2012 16:02:15 +0200
Subject: [mpm-itk] Is "mpm-itk.sesse.net" permanently shutdown?
Message-ID:

Hello,

I'm new to the project and I wanted to know about the status of the
project, but I'm not able to visit the homepage so I was wondering if the
site/project is shut down or it is just on summer holidays :]

Thanks in advance.

Kind regards.

From sgunderson at bigfoot.com Wed Jul 18 16:05:39 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Wed, 18 Jul 2012 16:05:39 +0200
Subject: [mpm-itk] Is "mpm-itk.sesse.net" permanently shutdown?
In-Reply-To:
References:
Message-ID: <20120718140539.GH19926@samfundet.no>

On Wed, Jul 18, 2012 at 04:02:15PM +0200, Roberto Carlos Morano wrote:
> I'm new to the project and I wanted to know about the status of the
> project, but I'm not able to visit the homepage so I was wondering if the
> site/project is shut down or it is just on summer holidays :]

Hi,

Unfortunately the server hosting the site has had huge problems with dying
disks and other hardware. It was up for a short time a day or two ago, but
it's hit new snags. I'm working on it, but as I don't have physical access
to the server and some of these things are genuinely hard, it's bound to take
some more time :-/

/* Steinar */
--
Homepage: http://www.sesse.net/

From rcmova at gmail.com Wed Jul 18 16:10:41 2012
From: rcmova at gmail.com (Roberto Carlos Morano)
Date: Wed, 18 Jul 2012 16:10:41 +0200
Subject: [mpm-itk] Is "mpm-itk.sesse.net" permanently shutdown?
In-Reply-To: <20120718140539.GH19926@samfundet.no>
References: <20120718140539.GH19926@samfundet.no>
Message-ID:

2012/7/18 Steinar H. Gunderson

> On Wed, Jul 18, 2012 at 04:02:15PM +0200, Roberto Carlos Morano wrote:
> [...]
>
> Hi,
>
> Unfortunately the server hosting the site has had huge problems with dying
> disks and other hardware. It was up for a short time a day or two ago, but
> it's hit new snags. I'm working on it, but as I don't have physical access
> to the server and some of these things are genuinely hard, it's bound to take
> some more time :-/
>

Nice to know that the project is still alive and that it's only a
temporary issue. Gluck on that :]

Many thanks for your prompt reply Steinar, and of course, for your work and
effort into the module. I hope I can contribute somehow in the future.

>
> /* Steinar */
> --
> Homepage: http://www.sesse.net/
>

From sgunderson at bigfoot.com Wed Jul 18 22:01:24 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Wed, 18 Jul 2012 22:01:24 +0200
Subject: [mpm-itk] Is "mpm-itk.sesse.net" permanently shutdown?
In-Reply-To: <20120718140539.GH19926@samfundet.no>
References: <20120718140539.GH19926@samfundet.no>
Message-ID: <20120718200124.GJ19926@samfundet.no>

On Wed, Jul 18, 2012 at 04:05:39PM +0200, Steinar H. Gunderson wrote:
> Unfortunately the server hosting the site has had huge problems with dying
> disks and other hardware. It was up for a short time a day or two ago, but
> it's hit new snags. I'm working on it, but as I don't have physical access
> to the server and some of these things are genuinely hard, it's bound to take
> some more time :-/

It's up again. I still have a controller to swap and some more stuff, but
that will be a few more days.

/* Steinar */
--
Homepage: http://www.sesse.net/

From rcmova at gmail.com Wed Jul 18 22:31:59 2012
From: rcmova at gmail.com (Roberto Carlos Morano)
Date: Wed, 18 Jul 2012 22:31:59 +0200
Subject: [mpm-itk] Is "mpm-itk.sesse.net" permanently shutdown?
In-Reply-To: <20120718200124.GJ19926@samfundet.no>
References: <20120718140539.GH19926@samfundet.no> <20120718200124.GJ19926@samfundet.no>
Message-ID:

2012/7/18 Steinar H. Gunderson

> On Wed, Jul 18, 2012 at 04:05:39PM +0200, Steinar H. Gunderson wrote:
> > Unfortunately the server hosting the site has had huge problems with dying
> > disks and other hardware. It was up for a short time a day or two ago, but
> > it's hit new snags. I'm working on it, but as I don't have physical access
> > to the server and some of these things are genuinely hard, it's bound to take
> > some more time :-/
>
> It's up again. I still have a controller to swap and some more stuff, but
> that will be a few more days.
>

Thanks Steinar :]

>
> /* Steinar */
> --
> Homepage: http://www.sesse.net/
>

From stant at bestyle.ru Wed Jul 18 17:30:43 2012
From: stant at bestyle.ru (Anton Statutov)
Date: Wed, 18 Jul 2012 19:30:43 +0400
Subject: [mpm-itk] Random '403 Forbidden' errors, part II
In-Reply-To:
References: <20120718140539.GH19926@samfundet.no>
Message-ID: <5006D6A3.2070506@bestyle.ru>

Hi,

I've been using mpm-itk on our corporative server where we have a few
virtual servers owned by different users. A couple of months ago we
noticed that some of our websites were discarded by the Yandex search
engine. According to the httpd logs their bot was randomly getting 403
(Forbidden) error on website access. The problem was reproduced with two
GET requests to the hosts owned by different users in one HTTP 'keep-alive'
session.

The strange thing was that the similar problem was fixed in the latest
mpm-itk release, which was already used on our server. As it turned out, the
fix didn't work because users haven't any access to each other's home
directories, so Apache generates 403 error earlier in the code before the
fix. I believe it's related to the FollowSymLinks option with its directory
walking routine. So I simply added similar fix into corresponding code and
the problem was gone.

I'm already using it for about a month on our server and no other problems
were noticed, all the sites successfully returned to the Yandex search.

Please, see the attached patch.

-------------- next part --------------
--- request.c.orig 2012-06-20 11:30:49.000000000 +0400 +++ request.c 2012-06-19 23:34:59.000000000 +0400 @@ -50,6 +50,7 @@ #include "util_filter.h" #include "util_charset.h" #include "util_script.h" +#include "mpm.h" #include "mod_core.h" 
@@ -1026,6 +1027,15 @@ break; } else if (APR_STATUS_IS_EACCES(rv)) { +#ifdef ITK_MPM + if (r->main == NULL && getuid() != 0) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, rv, r, + "Access to %s denied, closing connection.", + r->filename); + ap_lingering_close(r->connection); + exit(0); + } +#endif ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "access to %s denied", r->uri); return r->status = HTTP_FORBIDDEN;

From sgunderson at bigfoot.com Thu Jul 19 15:14:00 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Thu, 19 Jul 2012 15:14:00 +0200
Subject: [mpm-itk] mpm-itk and mod_qos not working together (with fix)
In-Reply-To: <1656167.1es7iRBUP7@burdell>
References: <1656167.1es7iRBUP7@burdell>
Message-ID: <20120719131400.GA20672@samfundet.no>

On Fri, May 04, 2012 at 07:33:12PM +0200, Daniele Orlandi wrote:
> I found that the problem is in mpm-itk which is not explicitly releasing his
> memory pool in the forked child before calling exit(0); This would be okay on
> a memory management point of view, mod_qos however installs a callback on pool
> release and expects it to be called in order to do his housekeeping.
>
> I seem to have fixed the issue by adding:
>
> + if (pchild) { > + apr_pool_destroy(pchild); > + }

I had another look at this; maybe the right thing to do is to call
clean_child_exit() instead of just exit()? clean_child_exit() destroys the
pchild pool, and also does some other minor housekeeping.

It's an open question what to do with the _other_ places we call exit()
(when we fail on reading .htaccess); I presume we'll leak there as well?

/* Steinar */
--
Homepage: http://www.sesse.net/

From sgunderson at bigfoot.com Thu Jul 19 15:17:02 2012
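Review bot: the first hunk of the request.c patch (@@ -50,6 +50,7 @@) adds #include "mpm.h" with no comment on what request.c needs from it. The only new code in the patch is guarded by #ifdef ITK_MPM in the second hunk, so if the include is there to make that macro visible, say so in a one-line comment next to it; otherwise a later include cleanup can drop it and silently compile the guarded block out.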
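Review bot: in the second hunk of the request.c patch (@@ -1026,6 +1027,15 @@) the new ITK_MPM branch ends the child with a bare exit(0) right after ap_lingering_close(r->connection), which is the same pattern the mod_qos thread on this list reports as skipping pool cleanup callbacks. This call site should go through whichever exit path is settled in that thread (clean_child_exit() is the one proposed there) rather than adding one more plain exit(). Two smaller points in the same branch: it logs r->filename where the existing message after it logs r->uri, so a filesystem path now goes to the log at WARNING level, and getuid() needs <unistd.h>, which this patch does not add, so confirm it is already in scope in request.c.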
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Thu, 19 Jul 2012 15:17:02 +0200
Subject: [mpm-itk] Random '403 Forbidden' errors, part II
In-Reply-To: <5006D6A3.2070506@bestyle.ru>
References: <20120718140539.GH19926@samfundet.no> <5006D6A3.2070506@bestyle.ru>
Message-ID: <20120719131702.GB20672@samfundet.no>

On Wed, Jul 18, 2012 at 07:30:43PM +0400, Anton Statutov wrote:
> The strange thing was that the similar problem was fixed in the latest
> mpm-itk release, which was already used on our server. As it turned out the
> fix didn't work because users haven't any access to each other home
> directories, so Apache generates 403 error earlier in the code before the
> fix. I believe it's related to the FollowSymLinks option with its directory
> walking routine. So I simply added similar fix into corresponding code and
> the problem was gone.

Hi,

This looks reasonable; thanks for the patch.

/* Steinar */
--
Homepage: http://www.sesse.net/

From sgunderson at bigfoot.com Fri Jul 20 23:04:37 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Fri, 20 Jul 2012 23:04:37 +0200
Subject: [mpm-itk] New release for 2.4
Message-ID: <20120720210437.GD2227@samfundet.no>

Hi,

In the midst of everything, I've found some energy to play around with
a new release for 2.4.2. It contains an exciting new feature that will
hopefully add some dynamism that previously required extra patches, as well
as some bugfixes that should hopefully go into the 2.2 series soon.

From the changelog:

apache2.4-mpm-itk 2.4.2-01, released 2012-07-20:

  - The patch is now against Apache 2.4.2 instead of Apache 2.4.1. Note that
    even though the patch set will probably _apply_ to 2.4.1, it will not
    _work_ properly, due to a missing bugfix that is no longer in the patch
    set.
  - Support dynamic uid and gid selection through Apache 2.4's new generic
    expression syntax. For instance, you can now use mod_rewrite to do
    something like this:

      RewriteEngine on
      RewriteRule /~([a-z]+)/ - [E=ITKUID:$1]
      AssignUserIDExpr %{reqenv:ITKUID}

    which will cause e.g. /~sesse/foo to be run as the user "sesse".
    Obviously, you will need to exercise caution here to avoid opening up
    new security holes.
  - Fix another case where we should drop the connection instead of
    returning 403; this time related to FollowSymLinks and directory
    traversal. Bug report and patch by Anton Statutov.
  - We now do clean_child_exit() instead of exit() after the request;
    this runs pool cleanup hooks, fixing an issue with mod_qos (reported
    by Daniele Orlandi). Note that this does not work properly in the case
    where we hard-close connections due to uid switch, so the fix is
    incomplete.
  - Fixed a typo in a comment in itk.c, and removed some stray trailing
    whitespace.
  - Added CHANGES file for the 2.4 series.

The patch can be downloaded from http://mpm-itk.sesse.net/ (which has been
moved to secondary hosting as my own server keeps having hardware problems)
as usual.

/* Steinar */
--
Homepage: http://www.sesse.net/
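
An added audit sketch for the AssignUserIDExpr example in the changelog above (not part of the thread and not mpm-itk code): it applies the posted RewriteRule pattern to a constructed passwd sample and reports which account names a request path can select. The sample accounts, the function names and the UID threshold of 1000 for regular accounts are assumptions.

```python
import re

# Capture pattern from the changelog's RewriteRule, unanchored as posted.
PAGE_RULE = re.compile(r"/~([a-z]+)/")

# Constructed sample in passwd(5) format; not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
sesse:x:1000:1000:Steinar:/home/sesse:/bin/bash
anton:x:1001:1001:Anton:/home/anton:/bin/bash
web2:x:1002:1002:Site two:/home/web2:/bin/bash
"""


def parse_passwd(text):
    """Return {name: uid} for each well-formed passwd line."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            accounts[fields[0]] = int(fields[2])
    return accounts


def selected_user(path, rule=PAGE_RULE):
    """Name the rule would store in ITKUID for this URL path, or None."""
    match = rule.search(path)
    return match.group(1) if match else None


def audit(accounts, rule=PAGE_RULE, min_uid=1000):
    """Return (below_min_uid, regular): account names the rule can select.

    min_uid is an assumed site policy (lowest UID of a regular account).
    """
    below, regular = [], []
    for name, uid in sorted(accounts.items()):
        if selected_user("/~%s/" % name, rule) != name:
            continue  # the pattern cannot produce this account name
        (below if uid < min_uid else regular).append(name)
    return below, regular


if __name__ == "__main__":
    below, regular = audit(parse_passwd(SAMPLE_PASSWD))
    print("selectable accounts below min_uid:", below)
    print("selectable regular accounts:", regular)
```

Any name in the first list is one the rule would hand to AssignUserIDExpr unless the pattern is narrowed or the captured name is checked against an allowlist before ITKUID is set.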