From mahatma at bspu.unibel.by Fri Mar 2 19:35:50 2012
From: mahatma at bspu.unibel.by (Dzianis Kahanovich)
Date: Fri, 02 Mar 2012 21:35:50 +0300
Subject: [mpm-itk] Apache 2.4 series release
In-Reply-To: <4F4E6783.30609@bspu.unibel.by>
References: <4F4CF1FE.10508@orlitzky.com> <4F4E04C0.2020903@bspu.unibel.by> <20120229124211.608964CD@pobox.sk> <4F4E6783.30609@bspu.unibel.by>
Message-ID: <4F511306.6090600@bspu.unibel.by>

Dzianis Kahanovich wrote:
> Also I have chroot() ready for every process, but I was too lazy to test it before

http://mahatma.bspu.unibel.by/download/experimental/23-itkc-chroot-2.4.patch - it may be applied to 2.2 (with one line re-commented), but read the comments inside (and the howto). For 2.3.15 it works fine. I see no logic for this difference, but...

PS: Applied after itk-cgroups.

-- 
WBR, Dzianis Kahanovich AKA Denis Kaganovich, http://mahatma.bspu.unibel.by/

From guilherme.e at gmail.com Mon Mar 5 19:35:24 2012
From: guilherme.e at gmail.com (Guilherme)
Date: Mon, 5 Mar 2012 15:35:24 -0300
Subject: [mpm-itk] Malicious scripts holding apache port
Message-ID:

Hello,

I changed from the peruser MPM to the itk MPM one month ago on 40 servers, and I have some problems related to the itk implementation. I was trying to find out why some apache servers were unavailable, and when I tried to start apache I got the following error:

Starting httpd: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:8080
no listening sockets available, shutting down
Unable to open logs
[FAILED]

[root at whl0015 ~]# fuser 8080/tcp
8080/tcp: 19990
[root at whl0015 ~]# ps aux | grep 19990
plghost 19990 0.0 0.1 6440 3832 ? S 14:58 0:00 /usr/sbin/apache3 -k start
root 20013 0.0 0.0 4012 692 pts/0 R+ 14:59 0:00 grep 19990

"apache3 -k start" is a fake process, in perl, that was invoked through some php script (exec, system, etc.).
http://pastebin.com/z8Fje4r7 - the original one is too big, so I created a small functional version.

These scripts do not finish within the apache timeout, maybe because they change the default signal actions (INT, HUP, TERM, CHLD, PS) to IGNORE. The main purpose of these scripts is to try to connect to external irc servers, probably to allow attackers to run commands on the servers, but when apache restarts (graceful or HUP) while these scripts are running and trying to open sockets to remote destinations, they hold the apache port in LISTEN.

[root at whl0015 ~]# netstat -ntpl | grep 19990
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 19990/apache3 -k st
[root at whl0015 ~]# kill -9 19990
[root at whl0015 ~]# /etc/init.d/httpd start
Starting httpd: [ OK ]

I replicated the problem in my test environment, and when I switch back to another MPM, like prefork or peruser, the problem does not occur, so I think it is something related to the itk implementation.

Any idea?

Regards,

Guilherme

From sgunderson at bigfoot.com Wed Mar 14 02:43:13 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Wed, 14 Mar 2012 02:43:13 +0100
Subject: [mpm-itk] Apache 2.4 series release
In-Reply-To: <20120228161306.GC29341@uio.no>
References: <4F4CF1FE.10508@orlitzky.com> <20120228161306.GC29341@uio.no>
Message-ID: <20120314014313.GB9169@uio.no>

On Tue, Feb 28, 2012 at 05:13:06PM +0100, Steinar H. Gunderson wrote:
>> Are there any plans to release a patch based on the latest 2.4(.1)?
> Yes, this is planned (and 2.0 support will be removed at the same time).
> I haven't gotten around to it, though.

I took a first stab at it; it doesn't use any of the new functionality present in 2.4 (in particular, the support for complex expressions looks intriguing, and I guess we could try to hook in the same way mod_privileges does), and it's only very briefly tested, but it appears to work.
(I used the patch previously posted here as reference at a couple of tricky spots, but apart from that it's made from the 2.2 patch set only.)

Brave souls can have a look at

http://mpm-itk.sesse.net/apache2.4-mpm-itk-2.4.1-pre00/

Any testing/feedback would be appreciated. :-)

/* Steinar */
-- 
Homepage: http://www.sesse.net/

From michael at orlitzky.com Wed Mar 14 03:33:22 2012
From: michael at orlitzky.com (Michael Orlitzky)
Date: Tue, 13 Mar 2012 22:33:22 -0400
Subject: [mpm-itk] Apache 2.4 series release
In-Reply-To: <20120314014313.GB9169@uio.no>
References: <4F4CF1FE.10508@orlitzky.com> <20120228161306.GC29341@uio.no> <20120314014313.GB9169@uio.no>
Message-ID: <4F600372.4040107@orlitzky.com>

On 03/13/2012 09:43 PM, Steinar H. Gunderson wrote:
> On Tue, Feb 28, 2012 at 05:13:06PM +0100, Steinar H. Gunderson wrote:
>>> Are there any plans to release a patch based on the latest 2.4(.1)?
>> Yes, this is planned (and 2.0 support will be removed at the same time).
>> I haven't gotten around to it, though.
>
> I took a first stab at it; it doesn't use any of the new functionality
> present in 2.4 (in particular, the support for complex expressions looks
> intriguing, and I guess we could try to hook in the same way mod_privileges
> does), and it's only very briefly tested, but it appears to work.
> (I used the patch previously posted here as reference at a couple of tricky
> spots, but apart from that it's made from the 2.2 patch set only.)
>
> Brave souls can have a look at
>
> http://mpm-itk.sesse.net/apache2.4-mpm-itk-2.4.1-pre00/
>
> Any testing/feedback would be appreciated. :-)
>

Thanks, I'll see what I can do.

From jeroen.ooms at stat.ucla.edu Mon Mar 12 22:44:28 2012
From: jeroen.ooms at stat.ucla.edu (Jeroen Ooms)
Date: Mon, 12 Mar 2012 14:44:28 -0700
Subject: [mpm-itk] Operation not permitted errors on Ubuntu
Message-ID:

I am running libapache2-mod-itk that ships with Ubuntu Linux 11.10. It seems to work perfectly; when I visit my site and look at top or ps, I can see that the request is being processed by the user I defined.

However, I noticed that for every request I make to my itk-enabled site, these messages are logged in apache error.log:

[Mon Mar 12 14:22:42 2012] [warn] (itkmpm: pid=30902 uid=33, gid=33) itk_post_perdir_config(): setgid(998): Operation not permitted
[Mon Mar 12 14:22:42 2012] [warn] Couldn't set uid/gid/priority, closing connection.
[Mon Mar 12 14:22:42 2012] [warn] (itkmpm: pid=30905 uid=998, gid=998) itk_post_perdir_config(): setgid(33): Operation not permitted
[Mon Mar 12 14:22:42 2012] [warn] Couldn't set uid/gid/priority, closing connection.

Where user '33' is Ubuntu's default uid for 'www-data' and uid 998 is the custom system user that I added to handle my itk-enabled site. Note that this is not the result of visiting multiple sites with a different uuid; this happens on every single request to my itk-enabled website.

Do I need to give www-data and my custom itk user some additional privileges to be able to setuid or something?

From sgunderson at bigfoot.com Mon Mar 19 14:50:04 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Mon, 19 Mar 2012 14:50:04 +0100
Subject: [mpm-itk] Operation not permitted errors on Ubuntu
In-Reply-To:
References:
Message-ID: <20120319135003.GA8239@uio.no>

On Mon, Mar 12, 2012 at 02:44:28PM -0700, Jeroen Ooms wrote:
> Where user '33' is Ubuntu's default uid for 'www-data' and uid 998 is
> the custom system user that I added to handle my itk-enabled site.
> Note that this is not the result of visiting multiple sites with a
> different uuid; this happens on every single request to my itk-enabled
> website.

It cannot be every single request, or you would never get anything through. Take a look in your access log and see if you can identify which requests are served in which order.

> Do I need to give www-data and my custom itk user some additional
> privileges to be able to setuid or something?

No; it should never try to setuid to www-data unless the user accessed a vhost/directory that was set to be served by www-data.
/* Steinar */
-- 
Homepage: http://www.sesse.net/

From azurit at pobox.sk Mon Mar 19 14:51:02 2012
From: azurit at pobox.sk (azurIt)
Date: Mon, 19 Mar 2012 14:51:02 +0100
Subject: [mpm-itk] Malicious scripts holding apache port
In-Reply-To:
References:
Message-ID: <20120319145102.62DB8806@pobox.sk>

Hi,

any user is allowed to bind to ports above 1024, so this is correct behavior. You can:
1.) deny running external scripts via PHP
2.) deny binding ports to non-root users (for example via grsecurity)
3.) run apache servers on ports lower than 1024

azur

______________________________________________________________
> From: "Guilherme"
> To:
> Date: 19.03.2012 14:46
> Subject: [mpm-itk] Malicious scripts holding apache port
>
> Hello,
>
> I changed from the peruser MPM to the itk MPM one month ago on 40 servers, and I have
> some problems related to the itk implementation. I was trying to find out why
> some apache servers were unavailable, and when I tried to start apache I got
> the following error:
>
> Starting httpd: (98)Address already in use: make_sock: could not bind to
> address 0.0.0.0:8080
> no listening sockets available, shutting down
> Unable to open logs
> [FAILED]
>
> [root at whl0015 ~]# fuser 8080/tcp
> 8080/tcp: 19990
> [root at whl0015 ~]# ps aux | grep 19990
> plghost 19990 0.0 0.1 6440 3832 ? S 14:58 0:00
> /usr/sbin/apache3 -k start
> root 20013 0.0 0.0 4012 692 pts/0 R+ 14:59 0:00 grep 19990
>
> "apache3 -k start" is a fake process, in perl, that was invoked through some
> php script (exec, system, etc.).
>
> http://pastebin.com/z8Fje4r7 - the original one is too big, so I created a
> small functional version.
>
> These scripts do not finish within the apache timeout, maybe because they change
> the default signal actions (INT, HUP, TERM, CHLD, PS) to IGNORE. The main
> purpose of these scripts is to try to connect to external irc servers,
> probably to allow attackers to run commands on the servers, but when apache
> restarts (graceful or HUP) while these scripts are running and trying to open
> sockets to remote destinations, they hold the apache port in LISTEN.
>
> [root at whl0015 ~]# netstat -ntpl | grep 19990
> tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 19990/apache3 -k st
> [root at whl0015 ~]# kill -9 19990
> [root at whl0015 ~]# /etc/init.d/httpd start
> Starting httpd: [ OK ]
>
> I replicated the problem in my test environment, and when I switch back to
> another MPM, like prefork or peruser, the problem does not occur, so I think
> it is something related to the itk implementation.
>
> Any idea?
>
> Regards,
>
> Guilherme

From gianluca at thirdeye.it Mon Mar 19 14:50:58 2012
From: gianluca at thirdeye.it (Gianluca Zamagni)
Date: Mon, 19 Mar 2012 14:50:58 +0100
Subject: [mpm-itk] Operation not permitted errors on Ubuntu
In-Reply-To:
References:
Message-ID:

On 12 Mar 2012, at 22:44, Jeroen Ooms wrote:
> I am running libapache2-mod-itk that ships with Ubuntu Linux 11.10. It
> seems to work perfectly; when I visit my site and look at top or ps, I
> can see that the request is being processed by the user I defined.
>
> However, I noticed that for every request I make to my itk-enabled
> site, these messages are logged in apache error.log:
>
> [Mon Mar 12 14:22:42 2012] [warn] (itkmpm: pid=30902 uid=33, gid=33)
> itk_post_perdir_config(): setgid(998): Operation not permitted
> [Mon Mar 12 14:22:42 2012] [warn] Couldn't set uid/gid/priority,
> closing connection.
> [Mon Mar 12 14:22:42 2012] [warn] (itkmpm: pid=30905 uid=998, gid=998)
> itk_post_perdir_config(): setgid(33): Operation not permitted
> [Mon Mar 12 14:22:42 2012] [warn] Couldn't set uid/gid/priority,
> closing connection.

This is perfectly normal, you need to turn off the KeepAlive function in Apache.

Gianluca Zamagni
-- 
UNIX Sysadmin - Apple ACTC ACDT ACHDES ACTC Certified
Third Eye Consulting di Zamagni Gianluca
email: info at thirdeye.it - tel. 3288242325

SAVE PAPER - think before printing this email

From azurit at pobox.sk Mon Mar 19 15:02:49 2012
From: azurit at pobox.sk (azurIt)
Date: Mon, 19 Mar 2012 15:02:49 +0100
Subject: [mpm-itk] Operation not permitted errors on Ubuntu
In-Reply-To:
References:
Message-ID: <20120319150249.6513ED7B@pobox.sk>

______________________________________________________________
> From: "Gianluca Zamagni"
> To:
> Date: 19.03.2012 14:58
> Subject: Re: [mpm-itk] Operation not permitted errors on Ubuntu
>
> On 12 Mar 2012, at 22:44, Jeroen Ooms wrote:
>
>> I am running libapache2-mod-itk that ships with Ubuntu Linux 11.10. It
>> seems to work perfectly; when I visit my site and look at top or ps, I
>> can see that the request is being processed by the user I defined.
>>
>> However, I noticed that for every request I make to my itk-enabled
>> site, these messages are logged in apache error.log:
>>
>> [Mon Mar 12 14:22:42 2012] [warn] (itkmpm: pid=30902 uid=33, gid=33)
>> itk_post_perdir_config(): setgid(998): Operation not permitted
>> [Mon Mar 12 14:22:42 2012] [warn] Couldn't set uid/gid/priority,
>> closing connection.
>> [Mon Mar 12 14:22:42 2012] [warn] (itkmpm: pid=30905 uid=998, gid=998)
>> itk_post_perdir_config(): setgid(33): Operation not permitted
>> [Mon Mar 12 14:22:42 2012] [warn] Couldn't set uid/gid/priority,
>> closing connection.
>
> This is perfectly normal, you need to turn off the KeepAlive function in Apache.
No, you don't have to. These warnings can be safely ignored.

azur

> Gianluca Zamagni
> -- 
> UNIX Sysadmin - Apple ACTC ACDT ACHDES ACTC Certified
> Third Eye Consulting di Zamagni Gianluca
> email: info at thirdeye.it - tel. 3288242325
>
> SAVE PAPER - think before printing this email

From gianluca at thirdeye.it Mon Mar 19 15:10:32 2012
From: gianluca at thirdeye.it (Gianluca Zamagni)
Date: Mon, 19 Mar 2012 15:10:32 +0100
Subject: [mpm-itk] Operation not permitted errors on Ubuntu
In-Reply-To: <20120319150249.6513ED7B@pobox.sk>
References: <20120319150249.6513ED7B@pobox.sk>
Message-ID:

On 19 Mar 2012, at 15:02, azurIt wrote:

>>> [Mon Mar 12 14:22:42 2012] [warn] (itkmpm: pid=30902 uid=33, gid=33)
>>> itk_post_perdir_config(): setgid(998): Operation not permitted
>>> [Mon Mar 12 14:22:42 2012] [warn] Couldn't set uid/gid/priority,
>>> closing connection.
>>> [Mon Mar 12 14:22:42 2012] [warn] (itkmpm: pid=30905 uid=998, gid=998)
>>> itk_post_perdir_config(): setgid(33): Operation not permitted
>>> [Mon Mar 12 14:22:42 2012] [warn] Couldn't set uid/gid/priority,
>>> closing connection.
>>
>> This is perfectly normal, you need to turn off the KeepAlive function in Apache.
>
> No, you don't have to. These warnings can be safely ignored.

No, this is not true. Every time a child is killed by the webserver (because it needs to spawn a new child with the CORRECT UID/GID) it drops a 503 (or a white page) to the client. This is sub-optimal if you have customers that switch between virtualhosts on the same servers.

Turning off KeepAlive (especially if you have a reverse proxy cache like Varnish in front of Apache) is the solution to make this not happen.

Gianluca
-- 
UNIX Sysadmin - Apple ACTC ACDT ACHDES ACTC Certified
Third Eye Consulting di Zamagni Gianluca
email: info at thirdeye.it - tel. 3288242325

SAVE PAPER - think before printing this email

From sgunderson at bigfoot.com Mon Mar 19 15:14:45 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Mon, 19 Mar 2012 15:14:45 +0100
Subject: [mpm-itk] Operation not permitted errors on Ubuntu
In-Reply-To:
References: <20120319150249.6513ED7B@pobox.sk>
Message-ID: <20120319141445.GD8239@uio.no>

On Mon, Mar 19, 2012 at 03:10:32PM +0100, Gianluca Zamagni wrote:
> No, this is not true. Every time a child is killed by the webserver
> (because it needs to spawn a new child with the CORRECT UID/GID) it drops a
> 503 (or a white page) to the client.

No.

The connection is just dropped; no 503 or blank page is sent. If the client cannot handle that correctly ("correctly" here means just reconnecting and trying again), it does not support HTTP/1.1 correctly, and should be fixed. (I know of no such clients, but maybe there are broken proxies?)

> Turning off KeepAlive (especially if you have a reverse proxy cache
> like Varnish in front of Apache) is the solution to make this not
> happen.

What does KeepAlive have to do with it? The original poster claimed he only ever had one vhost, as far as I understood it, so it should not happen, KeepAlive or not.
/* Steinar */
-- 
Homepage: http://www.sesse.net/

From azurit at pobox.sk Mon Mar 19 15:16:31 2012
From: azurit at pobox.sk (azurIt)
Date: Mon, 19 Mar 2012 15:16:31 +0100
Subject: [mpm-itk] Operation not permitted errors on Ubuntu
In-Reply-To:
References: , , <20120319150249.6513ED7B@pobox.sk>
Message-ID: <20120319151631.20EF16AF@pobox.sk>

______________________________________________________________
> From: "Gianluca Zamagni"
> To:
> Date: 19.03.2012 15:10
> Subject: Re: [mpm-itk] Operation not permitted errors on Ubuntu
>
> On 19 Mar 2012, at 15:02, azurIt wrote:
>
>>>> [Mon Mar 12 14:22:42 2012] [warn] (itkmpm: pid=30902 uid=33, gid=33)
>>>> itk_post_perdir_config(): setgid(998): Operation not permitted
>>>> [Mon Mar 12 14:22:42 2012] [warn] Couldn't set uid/gid/priority,
>>>> closing connection.
>>>> [Mon Mar 12 14:22:42 2012] [warn] (itkmpm: pid=30905 uid=998, gid=998)
>>>> itk_post_perdir_config(): setgid(33): Operation not permitted
>>>> [Mon Mar 12 14:22:42 2012] [warn] Couldn't set uid/gid/priority,
>>>> closing connection.
>>>
>>> This is perfectly normal, you need to turn off the KeepAlive function in Apache.
>>
>> No, you don't have to. These warnings can be safely ignored.
>
> No, this is not true. Every time a child is killed by the webserver (because it needs to spawn a new child with the CORRECT UID/GID) it drops a 503 (or a white page)
> to the client.

bullshit :)

http://mpm-itk.sesse.net/

The lack of socket passing also leads to another minor quirk: if you connect to httpd, make a request and then make a request on the same connection that gets handled by a different uid, mpm-itk simply shuts down the connection. This is perfectly legal according to RFC2616, and all major clients seem to handle it well; the web server simply simulates a timeout, and the client just opens a new connection and retries the request. However, there is a small performance hit, and thus you should avoid including content from multiple uids in the same page.

> This is sub-optimal if you have customers that switch between virtualhosts on the same servers.
>
> Turning off KeepAlive (especially if you have a reverse proxy cache like Varnish in front of Apache) is the solution to make this not happen.
>
> Gianluca
> -- 
> UNIX Sysadmin - Apple ACTC ACDT ACHDES ACTC Certified
> Third Eye Consulting di Zamagni Gianluca
> email: info at thirdeye.it - tel. 3288242325
>
> SAVE PAPER - think before printing this email

From gianluca at thirdeye.it Mon Mar 19 15:23:56 2012
From: gianluca at thirdeye.it (Gianluca Zamagni)
Date: Mon, 19 Mar 2012 15:23:56 +0100
Subject: [mpm-itk] Operation not permitted errors on Ubuntu
In-Reply-To: <20120319141445.GD8239@uio.no>
References: <20120319150249.6513ED7B@pobox.sk> <20120319141445.GD8239@uio.no>
Message-ID: <084A340B-73D4-43D5-9ED8-CA028840F0C2@thirdeye.it>

On 19 Mar 2012, at 15:14, Steinar H. Gunderson wrote:

> On Mon, Mar 19, 2012 at 03:10:32PM +0100, Gianluca Zamagni wrote:
>> No, this is not true. Every time a child is killed by the webserver
>> (because it needs to spawn a new child with the CORRECT UID/GID) it drops a
>> 503 (or a white page) to the client.
>
> No.
>
> The connection is just dropped; no 503 or blank page is sent. If the client
> cannot handle that correctly ("correctly" here means just reconnecting and
> trying again), it does not support HTTP/1.1 correctly, and should be fixed.
> (I know of no such clients, but maybe there are broken proxies?)

If you put Varnish ( https://www.varnish-cache.org ) in front of an Apache with ITK, and you switch from one VH to another, you get a 503, and that error in the log.
"Reconnecting" or refreshing is not a solution that you can feed to customers :)
Disabling KeepAlive on Apache is a work-around to make Apache close the connection and make this not happen.
Of course, this happens ONLY if you have reached a VH and you try to open another VH with the same client.

>
>> Turning off KeepAlive (especially if you have a reverse proxy cache
>> like Varnish in front of Apache) is the solution to make this not
>> happen.
>
> What does KeepAlive have to do with it? The original poster claimed he only
> ever had one vhost, as far as I understood it, so it should not happen,
> KeepAlive or not.

If he has just one VirtualHost, no switch between UID/GID can happen, so this cannot be explained.

Gianluca
-- 
UNIX Sysadmin - Apple ACTC ACDT ACHDES ACTC Certified
Third Eye Consulting di Zamagni Gianluca
email: info at thirdeye.it - tel. 3288242325

SAVE PAPER - think before printing this email

From sgunderson at bigfoot.com Mon Mar 19 15:29:20 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Mon, 19 Mar 2012 15:29:20 +0100
Subject: [mpm-itk] Operation not permitted errors on Ubuntu
In-Reply-To: <084A340B-73D4-43D5-9ED8-CA028840F0C2@thirdeye.it>
References: <20120319150249.6513ED7B@pobox.sk> <20120319141445.GD8239@uio.no> <084A340B-73D4-43D5-9ED8-CA028840F0C2@thirdeye.it>
Message-ID: <20120319142920.GE8239@uio.no>

On Mon, Mar 19, 2012 at 03:23:56PM +0100, Gianluca Zamagni wrote:
> If you put Varnish ( https://www.varnish-cache.org ) in front of an Apache
> with ITK, and you switch from one VH to another, you get a 503, and that
> error in the log.

OK, as you describe it, that is a bug in Varnish. I will take it up with the authors.

You probably want one Varnish backend per uid, though; even though the connection drop should be harmless, it has performance issues.
> "Reconnecting" or refreshing is not a solution that you
> can feed to customers :)

Consumers no, user agents yes. The user agent should reconnect behind your back, and all browsers I have seen really do.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

From gianluca at thirdeye.it Mon Mar 19 15:29:55 2012
From: gianluca at thirdeye.it (Gianluca Zamagni)
Date: Mon, 19 Mar 2012 15:29:55 +0100
Subject: [mpm-itk] Operation not permitted errors on Ubuntu
In-Reply-To: <20120319151631.20EF16AF@pobox.sk>
References: , , <20120319150249.6513ED7B@pobox.sk> <20120319151631.20EF16AF@pobox.sk>
Message-ID: <2E625240-6D57-40E9-AD7B-F0AB05690ABB@thirdeye.it>

On 19 Mar 2012, at 15:16, azurIt wrote:

> bullshit :)
>
> http://mpm-itk.sesse.net/
>
> The lack of socket passing also leads to another minor quirk: if you connect to httpd, make a request and then make a request on the same connection that gets handled by a different uid, mpm-itk simply shuts down the connection. This is perfectly legal according to RFC2616, and all major clients seem to handle it well; the web server simply simulates a timeout, and the client just opens a new connection and retries the request. However, there is a small performance hit, and thus you should avoid including content from multiple uids in the same page.
>

Ok, let's be clear. It's not an ITK fault. Just in some configurations (like mine) where Varnish doesn't try to reconnect straight after the shutdown (and Varnish doesn't do this by default), this causes the 503. Some time ago I found a clue here: http://serverfault.com/questions/294725/php-serving-blank-pages-to-1-of-users

A user who uses ITK/Varnish explained this:

"We had the same problem in varnish with mpm-itk, the problem was, that when mpm-itk was accessed with a different vhost than the actual keep-alive session was, he just killed the connection. Every normal Browser would then try to reconnect, but varnish doesn't in a default configuration. With removing KeepAlive this behaviour could not happen, so it fixed this problem."

Of course, this is not the issue we are talking about, my fault, sorry.

I think ITK is a very powerful implementation of prefork, thanks for all the good work :)

Gianluca
-- 
UNIX Sysadmin - Apple ACTC ACDT ACHDES ACTC Certified
Third Eye Consulting di Zamagni Gianluca
email: info at thirdeye.it - tel. 3288242325

SAVE PAPER - think before printing this email

From alex.hha at gmail.com Mon Mar 19 17:48:56 2012
From: alex.hha at gmail.com (Alex Domoradov)
Date: Mon, 19 Mar 2012 18:48:56 +0200
Subject: [mpm-itk] mod_vhost_alias: Dynamically assigning uid/gid
Message-ID:

I have a lot of virtual hosts, ~4000-5000, which are used to test CMSes (drupal, joomla, magento and so on). I want to use mod_vhost_alias, but there is one problem. I can't dynamically assign uid/gid for each virtual host. Is there any possibility of assigning them dynamically, based on the path and/or the uid/gid of the docroot folder? Maybe such a feature could be planned for the next releases?

From gianluca at thirdeye.it Mon Mar 19 20:04:10 2012
From: gianluca at thirdeye.it (Gianluca Zamagni)
Date: Mon, 19 Mar 2012 20:04:10 +0100
Subject: [mpm-itk] Operation not permitted errors on Ubuntu
In-Reply-To: <20120319142920.GE8239@uio.no>
References: <20120319150249.6513ED7B@pobox.sk> <20120319141445.GD8239@uio.no> <084A340B-73D4-43D5-9ED8-CA028840F0C2@thirdeye.it> <20120319142920.GE8239@uio.no>
Message-ID: <2F7F4DC0-5E66-41DB-9A2F-068D8580E7CF@thirdeye.it>

On 19 Mar 2012, at 15:29, Steinar H. Gunderson wrote:

> On Mon, Mar 19, 2012 at 03:23:56PM +0100, Gianluca Zamagni wrote:
>> If you put Varnish ( https://www.varnish-cache.org ) in front of an Apache
>> with ITK, and you switch from one VH to another, you get a 503, and that
>> error in the log.
>
> OK, as you describe it, that is a bug in Varnish. I will take it up with the
> authors.

Wow, really? This will be awesome :) But right now I don't know if Varnish can act as a standard client (and reconnect); the standard configuration does not. I'll investigate whether it is possible to do this, however.

>
> You probably want one Varnish backend per uid, though; even though the
> connection drop should be harmless, it has performance issues.
>
>> "Reconnecting" or refreshing is not a solution that you
>> can feed to customers :)
>
> Consumers no, user agents yes. The user agent should reconnect behind your
> back, and all browsers I have seen really do.

Browsers do, but as we have understood, the fault is in Varnish.

Really, thanks for the support :)

Gianluca

From sgunderson at bigfoot.com Mon Mar 19 20:29:49 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Mon, 19 Mar 2012 20:29:49 +0100
Subject: [mpm-itk] Operation not permitted errors on Ubuntu
In-Reply-To: <2F7F4DC0-5E66-41DB-9A2F-068D8580E7CF@thirdeye.it>
References: <20120319150249.6513ED7B@pobox.sk> <20120319141445.GD8239@uio.no> <084A340B-73D4-43D5-9ED8-CA028840F0C2@thirdeye.it> <20120319142920.GE8239@uio.no> <2F7F4DC0-5E66-41DB-9A2F-068D8580E7CF@thirdeye.it>
Message-ID: <20120319192949.GE29272@uio.no>

On Mon, Mar 19, 2012 at 08:04:10PM +0100, Gianluca Zamagni wrote:
>> OK, as you describe it, that is a bug in Varnish. I will take it up with the
>> authors.
> Wow, really? This will be awesome :) But right now I don't know if Varnish can act
> as a standard client (and reconnect); the standard configuration does not.

I asked. This bug was fixed in Varnish 3.0.
/* Steinar */
-- 
Homepage: http://www.sesse.net/

From gianluca at thirdeye.it Mon Mar 19 20:35:44 2012
From: gianluca at thirdeye.it (Gianluca Zamagni)
Date: Mon, 19 Mar 2012 20:35:44 +0100
Subject: [mpm-itk] Operation not permitted errors on Ubuntu
In-Reply-To: <20120319192949.GE29272@uio.no>
References: <20120319150249.6513ED7B@pobox.sk> <20120319141445.GD8239@uio.no> <084A340B-73D4-43D5-9ED8-CA028840F0C2@thirdeye.it> <20120319142920.GE8239@uio.no> <2F7F4DC0-5E66-41DB-9A2F-068D8580E7CF@thirdeye.it> <20120319192949.GE29272@uio.no>
Message-ID:

On 19 Mar 2012, at 20:29, Steinar H. Gunderson wrote:

> On Mon, Mar 19, 2012 at 08:04:10PM +0100, Gianluca Zamagni wrote:
>>> OK, as you describe it, that is a bug in Varnish. I will take it up with the
>>> authors.
>> Wow, really? This will be awesome :) But right now I don't know if Varnish can act
>> as a standard client (and reconnect); the standard configuration does not.
>
> I asked. This bug was fixed in Varnish 3.0.

I'm using the 2.x version on production servers because right now it seems to be more stable and with better cache performance. But I have some servers with Varnish 3.0 (but not ITK); tonight I'll give it a shot and see if it is solved (with KeepAlive turned on, which I think is a better option than going without it in a production environment, if possible).

Thanks again

Gianluca

From sgunderson at bigfoot.com Mon Mar 19 20:40:50 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Mon, 19 Mar 2012 20:40:50 +0100
Subject: [mpm-itk] Operation not permitted errors on Ubuntu
In-Reply-To:
References: <20120319150249.6513ED7B@pobox.sk> <20120319141445.GD8239@uio.no> <084A340B-73D4-43D5-9ED8-CA028840F0C2@thirdeye.it> <20120319142920.GE8239@uio.no> <2F7F4DC0-5E66-41DB-9A2F-068D8580E7CF@thirdeye.it> <20120319192949.GE29272@uio.no>
Message-ID: <20120319194050.GF29272@uio.no>

On Mon, Mar 19, 2012 at 08:35:44PM +0100, Gianluca Zamagni wrote:
> I'm using the 2.x version on production servers because right now it seems
> to be more stable and with better cache performance.

Well, that's a request for Varnish Software, not me. :-) In any case, using one backend per vhost (or more precisely, per uid) should probably solve your problem even in 2.x.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

From knut at auvor.no Mon Mar 19 23:09:21 2012
From: knut at auvor.no (Knut Auvor Grythe)
Date: Mon, 19 Mar 2012 23:09:21 +0100
Subject: [mpm-itk] mod_vhost_alias: Dynamically assigning uid/gid
In-Reply-To:
References:
Message-ID: <20120319220921.GI23504@pvv.ntnu.no>

On Mon, Mar 19, 2012 at 06:48:56PM +0200, Alex Domoradov wrote:
> I have a lot of virtual hosts, ~4000-5000, which are used to test CMSes
> (drupal, joomla, magento and so on). I want to use mod_vhost_alias,
> but there is one problem. I can't dynamically assign uid/gid for each
> virtual host. Is there any possibility of assigning them dynamically,
> based on the path and/or the uid/gid of the docroot folder? Maybe such a feature
> could be planned for the next releases?

As you already know, my patch located at http://www.pvv.ntnu.no/~knuta/mpm-itk/ will allow setting the user name based on a regex on the path. It's about a year old, so you might have to apply it by hand.
-- Knut Auvor From sebastian at bendeich.eu Wed Mar 21 19:17:50 2012 From: sebastian at bendeich.eu (Sebastian Bendeich) Date: Wed, 21 Mar 2012 19:17:50 +0100 Subject: [mpm-itk] Confused about www-data as user in phpinfo-page Message-ID: <002a01cd078e$ef3d39d0$cdb7ad70$@eu> Hi, I'm a little bit confused about which part runs under the "AssignUserId": When I open a phpinfo()-Page of a vhost with assigned user id, I get www-data as User/Group in section apache2handler, although the assigned userid is another user, say "u1". But I have only access to files, which are readable by "u1", like I expected it to be. Greetings, Sebastian Bendeich From sgunderson at bigfoot.com Wed Mar 21 19:50:22 2012 From: sgunderson at bigfoot.com (Steinar H. Gunderson) Date: Wed, 21 Mar 2012 19:50:22 +0100 Subject: [mpm-itk] Confused about www-data as user in phpinfo-page In-Reply-To: <002a01cd078e$ef3d39d0$cdb7ad70$@eu> References: <002a01cd078e$ef3d39d0$cdb7ad70$@eu> Message-ID: <20120321185022.GA24163@uio.no> On Wed, Mar 21, 2012 at 07:17:50PM +0100, Sebastian Bendeich wrote: > I'm a little bit confused about which part runs under the "AssignUserId": > When I open a phpinfo()-Page of a vhost with assigned user id, I get > www-data as User/Group in section apache2handler, although the assigned > userid is another user, say "u1". As far as I know, this is simply PHP reading what it thinks is the Apache configuration, instead of checking the actual uid/gid. /* Steinar */ -- Homepage: http://www.sesse.net/ From znews at 13fr.com Thu Mar 22 00:05:07 2012 From: znews at 13fr.com (ZNews) Date: Thu, 22 Mar 2012 00:05:07 +0100 Subject: [mpm-itk] Confused about www-data as user in phpinfo-page In-Reply-To: <20120321185022.GA24163@uio.no> References: <002a01cd078e$ef3d39d0$cdb7ad70$@eu> <20120321185022.GA24163@uio.no> Message-ID: <4F6A5EA3.1080307@13fr.com> Le 21/03/2012 19:50, Steinar H. 
Gunderson a ?crit : > On Wed, Mar 21, 2012 at 07:17:50PM +0100, Sebastian Bendeich wrote: >> I'm a little bit confused about which part runs under the "AssignUserId": >> When I open a phpinfo()-Page of a vhost with assigned user id, I get >> www-data as User/Group in section apache2handler, although the assigned >> userid is another user, say "u1". > As far as I know, this is simply PHP reading what it thinks is the Apache > configuration, instead of checking the actual uid/gid. > > /* Steinar */ Hi, I confirm this is a Php bug which doesn't get the actual uid, I got the same bug. A script like return the good value. Alex. From guilherme.e at gmail.com Mon Mar 26 16:52:17 2012 From: guilherme.e at gmail.com (Guilherme) Date: Mon, 26 Mar 2012 11:52:17 -0300 Subject: [mpm-itk] Malicious scripts holding apache port In-Reply-To: <20120319145102.62DB8806@pobox.sk> References: <20120319145102.62DB8806@pobox.sk> Message-ID: Hi, I know that users is allowed to bind to port bigger than 1024, but it's not the problem in this case. Users that runs malicious scripts can hold apache started, because these scripts are not being killed in TERM or HUP signal. These scripts are not binding in any port. Anyway I tried to change apache port to 888, but the same problem occurs. I think this is a itk issue, because I ran the same script in prefork, and apache killed the child process that was running this script, when I sent HUP signal. Anyone could try to replicate this problem? Thanks, Guilherme On Mon, Mar 19, 2012 at 10:51 AM, azurIt wrote: > > Hi, > > any user is allowed to bind to port bigger than 1024, so this is correct > behavior. You can: > 1.) deny running external scripts via PHP > 2.) deny binding ports to non-root users (for example via grsecurity) > 3.) 
run apache servers on ports lower than 1024 > > azur > > > > ______________________________________________________________ > > Od: "Guilherme" > > Komu: > > D?tum: 19.03.2012 14:46 > > Predmet: [mpm-itk] Malicious scripts holding apache port > > > >Hello, > > > >I changed from peruser MPM to itk MPM one month ago in 40 servers, and > I've > >some problems related to itk implementation. I was trying to find out why > >some apache servers was unavailable and when I tried to start apache I got > >the following error: > > > > > >Starting httpd: (98)Address already in use: make_sock: could not bind to > >address 0.0.0.0:8080 > >no listening sockets available, shutting down > >Unable to open logs > > [FAILED] > > > >[root at whl0015 ~]# fuser 8080/tcp > >8080/tcp: 19990 > >[root at whl0015 ~]# ps aux | grep 19990 > >plghost 19990 0.0 0.1 6440 3832 ? S 14:58 0:00 > >/usr/sbin/apache3 -k start > >root 20013 0.0 0.0 4012 692 pts/0 R+ 14:59 0:00 grep > 19990 > > > > > >"apache3 -k start" is a fake process, in perl, that was invoked through > any > >php script (exec, system, etc.). > > > >http://pastebin.com/z8Fje4r7 - the original one is too big, so I > created a > >small functional version > > > >These scripts does not finish in apache timeout, maybe because they change > >default signals action (INT, HUP, TERM, CHLD, PS) to IGNORE. The main > >purpose of these scripts is try to connect to external irc servers, > >probably to allow attackers to run commands in the servers, but when > apache > >restarts (graceful or HUP) and these scripts are running and trying to > open > >sockets to remote destinations, they hold apache port in LISTEN. 
> > > >[root at whl0015 ~]# netstat -ntpl | grep 19990 > >tcp 0 0 0.0.0.0:8080 0.0.0.0:* > >LISTEN 19990/apache3 -k st > >[root at whl0015 ~]# kill -9 19990 > >[root at whl0015 ~]# /etc/init.d/httpd start > >Starting httpd: [ OK ] > > > >I replicated the problem in my test environment, and when I switch back to > >other MPM, like prefork or peruser the problem does not occur, so I think > >that is something related to itk implementation. > > > >Any idea? > > > >Regards, > > > >Guilherme > > > > > >---------- > > > >_______________________________________________ > >mpm-itk mailing list > >mpm-itk at err.no > >http://lists.err.no/mailman/listinfo/mpm-itk > > > > _______________________________________________ > mpm-itk mailing list > mpm-itk at err.no > http://lists.err.no/mailman/listinfo/mpm-itk > -------------- next part -------------- An HTML attachment was scrubbed... URL: From azurit at pobox.sk Mon Mar 26 17:00:54 2012 From: azurit at pobox.sk (azurIt) Date: Mon, 26 Mar 2012 17:00:54 +0200 Subject: [mpm-itk] Malicious scripts holding apache port In-Reply-To: References: , <20120319145102.62DB8806@pobox.sk> Message-ID: <20120326170054.EBE975D7@pobox.sk> Try setting 'GracefulShutDownTimeout' in Apache to, for example, 5 seconds. azur ______________________________________________________________ > Od: "Guilherme" > Komu: azurIt > D?tum: 26.03.2012 16:52 > Predmet: Re: [mpm-itk] Malicious scripts holding apache port > > CC: mpm-itk at err.no >Hi, > >I know that users is allowed to bind to port bigger than 1024, but it's not >the problem in this case. > >Users that runs malicious scripts can hold apache started, because these >scripts are not being killed in TERM or HUP signal. These scripts are not >binding in any port. > >Anyway I tried to change apache port to 888, but the same problem occurs. I >think this is a itk issue, because I ran the same script in prefork, and >apache killed the child process that was running this script, when I sent >HUP signal. 
> >Anyone could try to replicate this problem? > >Thanks, > >Guilherme > >On Mon, Mar 19, 2012 at 10:51 AM, azurIt wrote: > >> >> Hi, >> >> any user is allowed to bind to port bigger than 1024, so this is correct >> behavior. You can: >> 1.) deny running external scripts via PHP >> 2.) deny binding ports to non-root users (for example via grsecurity) >> 3.) run apache servers on ports lower than 1024 >> >> azur >> >> >> >> ______________________________________________________________ >> > Od: "Guilherme" >> > Komu: >> > D?tum: 19.03.2012 14:46 >> > Predmet: [mpm-itk] Malicious scripts holding apache port >> > >> >Hello, >> > >> >I changed from peruser MPM to itk MPM one month ago in 40 servers, and >> I've >> >some problems related to itk implementation. I was trying to find out why >> >some apache servers was unavailable and when I tried to start apache I got >> >the following error: >> > >> > >> >Starting httpd: (98)Address already in use: make_sock: could not bind to >> >address 0.0.0.0:8080 >> >no listening sockets available, shutting down >> >Unable to open logs >> > [FAILED] >> > >> >[root at whl0015 ~]# fuser 8080/tcp >> >8080/tcp: 19990 >> >[root at whl0015 ~]# ps aux | grep 19990 >> >plghost 19990 0.0 0.1 6440 3832 ? S 14:58 0:00 >> >/usr/sbin/apache3 -k start >> >root 20013 0.0 0.0 4012 692 pts/0 R+ 14:59 0:00 grep >> 19990 >> > >> > >> >"apache3 -k start" is a fake process, in perl, that was invoked through >> any >> >php script (exec, system, etc.). >> > >> >http://pastebin.com/z8Fje4r7 - the original one is too big, so I >> created a >> >small functional version >> > >> >These scripts does not finish in apache timeout, maybe because they change >> >default signals action (INT, HUP, TERM, CHLD, PS) to IGNORE. 
The main >> >purpose of these scripts is try to connect to external irc servers, >> >probably to allow attackers to run commands in the servers, but when >> apache >> >restarts (graceful or HUP) and these scripts are running and trying to >> open >> >sockets to remote destinations, they hold apache port in LISTEN. >> > >> >[root at whl0015 ~]# netstat -ntpl | grep 19990 >> >tcp 0 0 0.0.0.0:8080 0.0.0.0:* >> >LISTEN 19990/apache3 -k st >> >[root at whl0015 ~]# kill -9 19990 >> >[root at whl0015 ~]# /etc/init.d/httpd start >> >Starting httpd: [ OK ] >> > >> >I replicated the problem in my test environment, and when I switch back to >> >other MPM, like prefork or peruser the problem does not occur, so I think >> >that is something related to itk implementation. >> > >> >Any idea? >> > >> >Regards, >> > >> >Guilherme >> > >> > >> >---------- >> > >> >_______________________________________________ >> >mpm-itk mailing list >> >mpm-itk at err.no >> >http://lists.err.no/mailman/listinfo/mpm-itk >> > >> >> _______________________________________________ >> mpm-itk mailing list >> mpm-itk at err.no >> http://lists.err.no/mailman/listinfo/mpm-itk >> > From sgunderson at bigfoot.com Mon Mar 26 17:05:40 2012 From: sgunderson at bigfoot.com (Steinar H. Gunderson) Date: Mon, 26 Mar 2012 17:05:40 +0200 Subject: [mpm-itk] Malicious scripts holding apache port In-Reply-To: References: <20120319145102.62DB8806@pobox.sk> Message-ID: <20120326150540.GB2366@uio.no> On Mon, Mar 26, 2012 at 11:52:17AM -0300, Guilherme wrote: > Users that runs malicious scripts can hold apache started, because these > scripts are not being killed in TERM or HUP signal. These scripts are not > binding in any port. It _could_ be some issue with the extra fork() we are doing in mpm-itk; I haven't looked at the shutdown logic lately, but maybe we're unable to force-kill hanging instances of these sub-children if they refuse to respond to SIGTERM. 
/* Steinar */ -- Homepage: http://www.sesse.net/ From guilherme.e at gmail.com Mon Mar 26 18:42:40 2012 From: guilherme.e at gmail.com (Guilherme) Date: Mon, 26 Mar 2012 13:42:40 -0300 Subject: [mpm-itk] Malicious scripts holding apache port In-Reply-To: <20120326150540.GB2366@uio.no> References: <20120319145102.62DB8806@pobox.sk> <20120326150540.GB2366@uio.no> Message-ID: azurlt, I tried to use GracefulShutdownTimeout, but no luck. Steinar, Using prefork/peruser mpm, these sub-children wasn't been killed as well, but these processes doesn't hold apache port in listen. Do you have any idea/workaround to fix this problem? On Mon, Mar 26, 2012 at 12:05 PM, Steinar H. Gunderson < sgunderson at bigfoot.com> wrote: > On Mon, Mar 26, 2012 at 11:52:17AM -0300, Guilherme wrote: > > Users that runs malicious scripts can hold apache started, because these > > scripts are not being killed in TERM or HUP signal. These scripts are not > > binding in any port. > > It _could_ be some issue with the extra fork() we are doing in mpm-itk; > I haven't looked at the shutdown logic lately, but maybe we're unable to > force-kill hanging instances of these sub-children if they refuse to > respond > to SIGTERM. > > /* Steinar */ > -- > Homepage: http://www.sesse.net/ > -------------- next part -------------- An HTML attachment was scrubbed... 
From r.geyer at ameos.com Fri Mar 30 17:31:22 2012
From: r.geyer at ameos.com (Raphael GEYER)
Date: Fri, 30 Mar 2012 17:31:22 +0200
Subject: [mpm-itk] mpm-itk hangs with multiple vhost and mod_chroot
Message-ID: <196E23CDA075D142922922121BA1BC6C38F1DB@serveur2.ameos.local>

Hi list,

I have set up a Debian Squeeze server with the following packages:

ii  apache2-mpm-itk        2.2.16-6+squeeze6  multiuser MPM for Apache 2.2
ii  apache2-utils          2.2.16-6+squeeze4  utility programs for webservers
ii  apache2.2-bin          2.2.16-6+squeeze6  Apache HTTP Server common binary files
ii  apache2.2-common       2.2.16-6+squeeze6  Apache HTTP Server common files
ii  libapache2-mod-chroot  0.5-7              run Apache in a secure chroot environment
ii  libapache2-mod-php5    5.3.3-7+squeeze6   server-side, HTML-embedded scripting language (Apache 2 module)
ii  php-apc                3.1.3p1-2          APC (Alternative PHP Cache) module for PHP 5
ii  php5                   5.3.3-7+squeeze6   server-side, HTML-embedded scripting language (metapackage)
ii  php5-cli               5.3.3-7+squeeze6   command-line interpreter for the php5 scripting language
ii  php5-common            5.3.3-7+squeeze6   Common files for packages built from the php5 source
ii  php5-gd                5.3.3-7+squeeze6   GD module for php5
ii  php5-mysql             5.3.3-7+squeeze6   MySQL module for php5
ii  php5-suhosin           0.9.32.1-1         advanced protection module for php5
ii  php5-xdebug            2.1.0-1            Xdebug Module for PHP 5

The chrooted server is running 3 virtual hosts, each using its own user and group. Everything works fine for everybody, but one user often gets:

[Fri Mar 30 16:55:25 2012] [error] [client XX.YYY.128.242] (13)Permission denied: access to /campings/ denied, referer: http://www.xxx.com/accueil/
[Fri Mar 30 16:55:28 2012] [error] [client XX.YYY.128.242] (13)Permission denied: access to /campings/ denied, referer: http://www.xxx.com/accueil/
[Fri Mar 30 16:55:48 2012] [error] [client XX.YYY.128.242] (13)Permission denied: access to /campings/ denied, referer: http://www.xxx.com/accueil/
[Fri Mar 30 16:55:49 2012] [error] [client XX.YYY.128.242] (13)Permission denied: access to /campings/ denied, referer: http://www.xxx.com/accueil/
[Fri Mar 30 16:55:52 2012] [error] [client XX.YYY.128.242] (13)Permission denied: access to /accueil/ denied, referer: http://www.xxx.com/accueil/
[Fri Mar 30 16:55:53 2012] [error] [client XX.YYY.128.242] (13)Permission denied: access to /typo3/ajax.php denied, referer: http://www.xxx.com/typo3/backend.php
[Fri Mar 30 16:55:53 2012] [error] [client XX.YYY.128.242] (13)Permission denied: access to /typo3/ajax.php denied, referer: http://www.xxx.com/typo3/backend.php
[Fri Mar 30 16:55:54 2012] [error] [client XX.YYY.128.242] (13)Permission denied: access to /typo3/ajax.php denied, referer: http://www.xxx.com/typo3/backend.php
[Fri Mar 30 16:55:54 2012] [error] [client XX.YYY.128.242] (13)Permission denied: access to /typo3/ajax.php denied, referer: http://www.xxx.com/typo3/backend.php
[Fri Mar 30 16:55:54 2012] [error] [client XX.YYY.128.242] (13)Permission denied: access to /typo3/sysext/t3skin/icons/gfx/error.png denied, referer: http://www.xxx.com/typo3temp/compressor/merged-a16a8fbdda45ac438e89f26ecdf3d738-c6abb1ed838992917d5dad005e68dd69.css?1331635677

The user can most of the time visit all 3 virtualhosts, but I found that switching from one virtualhost to another accelerates the break. It looks like itk would mix up and fail the matching between the virtualhost and the assigned user ...

What can I do to get more information? Activate some logs? May this be linked to mod_chroot?

Thanks in advance,
Raphael

From sgunderson at bigfoot.com Fri Mar 30 17:45:11 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Fri, 30 Mar 2012 17:45:11 +0200
Subject: [mpm-itk] mpm-itk hangs with multiple vhost and mod_chroot
In-Reply-To: <196E23CDA075D142922922121BA1BC6C38F1DB@serveur2.ameos.local>
References: <196E23CDA075D142922922121BA1BC6C38F1DB@serveur2.ameos.local>
Message-ID: <20120330154511.GA15158@uio.no>

On Fri, Mar 30, 2012 at 05:31:22PM +0200, Raphael GEYER wrote:
> [Fri Mar 30 16:55:25 2012] [error] [client XX.YYY.128.242]
> (13)Permission denied: access to /campings/ denied, referer:
> http://www.xxx.com/accueil/

This looks a lot like mod_chroot doesn't play well with mpm-itk. (Not a big surprise, since I've seen complaints in the past, although usually about other things.) Try without mod_chroot and see?

/* Steinar */
-- 
Homepage: http://www.sesse.net/

From sgunderson at bigfoot.com Fri Mar 30 19:09:04 2012
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Fri, 30 Mar 2012 19:09:04 +0200
Subject: [mpm-itk] mpm-itk hangs with multiple vhost and mod_chroot
References: <196E23CDA075D142922922121BA1BC6C38F1DB@serveur2.ameos.local> <20120330154511.GA15158@uio.no>
Message-ID: <20120330170904.GA23881@uio.no>

On Fri, Mar 30, 2012 at 05:54:46PM +0200, Raphael GEYER wrote:
> Thanks for the answer and sorry for the multiple post.

No problem. But please keep the discussion on the list (I've re-added it).

> I have although found a post
> http://lists.err.no/pipermail/mpm-itk/2012-March/000505.html which look
> like my problem because the user is using a proxy (I don't know which one)
> to access the internet, does KeepAlive need to be set off on mpm-itk
> webserver ?

This is not directly applicable to your case, since in that case mpm-itk was working properly but the proxy was not. (It looks like in your case, mpm-itk is not behaving properly, but it's difficult to tell. Again, please try without mod_chroot.) However, depending on what the problem actually is, turning off keepalive might help in your case as well. Note that turning off keepalive will reduce the performance significantly, both for you and your users.

/* Steinar */
-- 
Homepage: http://www.sesse.net/