From: usd205k at gmail.com (Robert Hanson)
Date: Thu, 3 May 2012 09:49:04 +0700
Subject: [mpm-itk] AssignUserId as variable : Is it possible?

Dear all,

I have multiple users with their own /home folder. These users are also sub-domains of my server. For example:

    mac.example.com    >> /home/mac.example.com
    max.example.com    >> /home/max.example.com
    taylor.example.com >> /home/taylor.example.com

By using MPM-ITK, my Apache can be configured to access those folders with the UID and GID specified, not as www-data, Apache's default. And that's exactly what I want. I want my Apache to change its UID into mac while accessing /home/mac.example.com, and so on...

Unfortunately, the Apache configuration file doesn't seem to support 'variables' to put as AssignUserId in my /etc/apache2/apache.conf. Tons of documentation on the internet told me that the configuration should be like this (STATIC):

    AssignUserId user group

Until this Mod Perl gave me a little bit of hope to make everything work... I only have this 'clue' to make the Apache config file run dynamically:

http://serverfault.com/questions/75010/dynamic-authentication-realms-in-apache/75526#75526

But I'm not a Perl guy; I have no idea how to modify that code to fit my need. And I also don't know if MPM-ITK has a built-in variable or not. Please kindly help me... thanks before.

From: knut at auvor.no (Knut Auvor Grythe)
Date: Thu, 3 May 2012 07:06:41 +0200
Subject: [mpm-itk] AssignUserId as variable : Is it possible?
Message-ID: <20120503050641.GL15743@pvv.ntnu.no>

On Thu, May 03, 2012 at 09:49:04AM +0700, Robert Hanson wrote:
> I have multiple users with their own /home folder. These users are also
> sub-domains of my server. For example:
>
> mac.example.com >> /home/mac.example.com
> max.example.com >> /home/max.example.com
> taylor.example.com >> /home/taylor.example.com
>
> By using MPM-ITK, my Apache can be configured to access those folders with
> the UID and GID specified, not as www-data, Apache's default. And that's
> exactly what I want. I want my Apache to change its UID into mac while
> accessing /home/mac.example.com, and so on...
>
> Unfortunately, the Apache configuration file doesn't seem to support
> 'variables' to put as AssignUserId in my /etc/apache2/apache.conf.
>
> Tons of documentation on the internet told me that the configuration should
> be like this (STATIC):
>
> AssignUserId user group

This is correct. With standard MPM-ITK, you will need to do this by specifying separate vhosts for each user, and hard-coding the user names in each of them.

> Until this Mod Perl gave me a little bit of hope to make everything work...
> I only have this 'clue' to make the Apache config file run dynamically:
> http://serverfault.com/questions/75010/dynamic-authentication-realms-in-apache/75526#75526

You can use mod_perl to generate this static config, but this is done as Apache starts, not at runtime. This means that after adding or removing a user, you would have to reload Apache for the changes to take effect.

> But I'm not a Perl guy; I have no idea how to modify that code to fit my
> need. And I also don't know if MPM-ITK has a built-in variable or not.
> Please kindly help me... thanks before.

Another option is to use my patches for assigning the username based on a regex:

http://www.pvv.ntnu.no/~knuta/mpm-itk/

This will do exactly what you want without requiring mod_perl or any reloads of Apache, but it is not part of standard MPM-ITK. Thus, if you want to use this, you will have to build your own patched MPM-ITK at your own risk. Also remember to read the notes on security presented on the webpage.
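To make the "separate vhosts for each user, hard-coding the user names" answer above concrete, here is what that static stock-MPM-ITK configuration looks like for the three sub-domains from the original question. This is an added illustration, not configuration from this thread or from the mpm-itk project; the user and group names, the document roots and port 80 are assumptions taken from the question.

```apache
# Stock mpm-itk: one <VirtualHost> per user, uid/gid hard-coded per block.
# Assumed (from the question): local users mac, max and taylor exist, each
# with a primary group of the same name, and each owns /home/<host>.example.com.

NameVirtualHost *:80

<VirtualHost *:80>
    ServerName   mac.example.com
    DocumentRoot /home/mac.example.com
    # AssignUserID is only understood by mpm-itk. Guarding it keeps the
    # config loadable under another MPM, where requests would then run as
    # the global User/Group (www-data) instead of as this user.
    <IfModule mpm_itk_module>
        AssignUserID mac mac
    </IfModule>
</VirtualHost>

<VirtualHost *:80>
    ServerName   max.example.com
    DocumentRoot /home/max.example.com
    <IfModule mpm_itk_module>
        AssignUserID max max
    </IfModule>
</VirtualHost>

<VirtualHost *:80>
    ServerName   taylor.example.com
    DocumentRoot /home/taylor.example.com
    <IfModule mpm_itk_module>
        AssignUserID taylor taylor
    </IfModule>
</VirtualHost>
```

Every new user means another block and a reload (on Debian, apache2ctl graceful). A vhost that has no AssignUserID at all is served as the global User/Group, so when auditing which sites are actually isolated from each other, check every vhost block for the directive rather than assuming the module is doing it everywhere.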
-- 
Knut Auvor

From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Thu, 3 May 2012 11:19:09 +0200
Subject: [mpm-itk] AssignUserId as variable : Is it possible?
Message-ID: <20120503091909.GA13450@uio.no>

On Thu, May 03, 2012 at 09:49:04AM +0700, Robert Hanson wrote:
> By using MPM-ITK, my Apache can be configured to access those folders with
> the UID and GID specified, not as www-data, Apache's default. And that's
> exactly what I want. I want my Apache to change its UID into mac while
> accessing /home/mac.example.com, and so on...

As Knut Auvor says, this currently isn't supported in stock mpm-itk. However, Apache 2.4 has new functionality for dynamic variables which I haven't had the time to look into -- if we're lucky, maybe this can be used to provide more general runtime decisions of the uid.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

From: michael at orlitzky.com (Michael Orlitzky)
Date: Thu, 03 May 2012 11:21:20 -0400
Subject: [mpm-itk] AssignUserId as variable : Is it possible?
Message-ID: <4FA2A270.6020803@orlitzky.com>

On 05/02/2012 10:49 PM, Robert Hanson wrote:
> By using MPM-ITK, my Apache can be configured to access those folders
> with the UID and GID specified, not as www-data, Apache's default. And
> that's exactly what I want. I want my Apache to change its UID into mac
> while accessing /home/mac.example.com, and so on...

We use mod_macro[1] for this. An ITK example:

    ...
    AssignUserID $host.$domain $host.$domain

Just use one macro for all of the sites that share the same structure.

[1] http://people.apache.org/~fabien/mod_macro/

From: alex.hha at gmail.com (Alex Domoradov)
Date: Thu, 3 May 2012 18:46:40 +0300
Subject: [mpm-itk] AssignUserId as variable : Is it possible?
In-Reply-To: <4FA2A270.6020803@orlitzky.com>
References: <4FA2A270.6020803@orlitzky.com>

With mod_macro you need to reload/restart Apache each time after you have added a new vhost. With the patch from Knut Auvor Grythe there is no need to reload/restart Apache.

On Thu, May 3, 2012 at 6:21 PM, Michael Orlitzky wrote:
> We use mod_macro[1] for this. An ITK example:
>
>     ...
>     AssignUserID $host.$domain $host.$domain
>
> Just use one macro for all of the sites that share the same structure.
>
> [1] http://people.apache.org/~fabien/mod_macro/

From: daniele at orlandi.com (Daniele Orlandi)
Date: Fri, 04 May 2012 19:33:12 +0200
Subject: [mpm-itk] mpm-itk and mod_qos not working together (with fix)
Message-ID: <1656167.1es7iRBUP7@burdell>

Hello,

I was experimenting with mpm-itk and mod_qos; however, I found that mod_qos was not detecting when the client disconnected and thus kept increasing its concurrent connections counter.

I found that the problem is in mpm-itk, which is not explicitly releasing its memory pool in the forked child before calling exit(0). This would be okay from a memory management point of view; mod_qos, however, installs a callback on pool release and expects it to be called in order to do its housekeeping.
I seem to have fixed the issue by adding:

+ if (pchild) { + apr_pool_destroy(pchild); + }

to the base functionality patch, just before exit(0):

+ case 0: /* child */ + apr_proc_mutex_child_init(&accept_mutex, ap_lock_fname, pchild); + current_conn = ap_run_create_connection(ptrans, ap_server_conf, csd, my_child_num, sbh, bucket_alloc); + if (current_conn) { + ap_process_connection(current_conn, csd); + ap_lingering_close(current_conn); + } + if (pchild) { + apr_pool_destroy(pchild); + } + exit(0); + default: /* parent; just wait for child to be done */ + do {

I hope this helps.

Ciao,

From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Fri, 4 May 2012 20:50:37 +0200
Subject: [mpm-itk] mpm-itk and mod_qos not working together (with fix)
In-Reply-To: <1656167.1es7iRBUP7@burdell>
References: <1656167.1es7iRBUP7@burdell>
Message-ID: <20120504185037.GA11276@uio.no>

On Fri, May 04, 2012 at 07:33:12PM +0200, Daniele Orlandi wrote:
> I found that the problem is in mpm-itk, which is not explicitly releasing its
> memory pool in the forked child before calling exit(0). This would be okay from
> a memory management point of view; mod_qos, however, installs a callback on pool
> release and expects it to be called in order to do its housekeeping.

That's a bit odd, but it seems like a reasonable change; I'll make sure to include it in the next 2.4 release. Thanks!

/* Steinar */

From: jani+mpm-itk at ifi.uio.no (Jan Ingvoldstad)
Date: Mon, 07 May 2012 16:08:48 +0200
Subject: [mpm-itk] AssignUserId as variable : Is it possible?
In-Reply-To: (Robert Hanson's message of "Thu, 3 May 2012 09:49:04 +0700")

On Thu, 3 May 2012 09:49:04 +0700, Robert Hanson said:
> Until this Mod Perl gave me a little bit of hope to make everything work...
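Review bot: the added `+ if (pchild) { + apr_pool_destroy(pchild); + }` before `exit(0)` runs every cleanup registered on pchild before the fork, not only the one mod_qos installs, so please verify that none of those cleanups tears down a resource the parent still uses; the accept mutex set up two lines earlier by `apr_proc_mutex_child_init(&accept_mutex, ap_lock_fname, pchild)` on that same pool is the first one to check. A one-line comment above the destroy stating that it exists so that pool-cleanup hooks (mod_qos connection accounting being the known case) run before the child exits would also stop the next reader from removing it as redundant, since the process is about to exit anyway.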
> I only have this 'clue' to make the Apache config file run dynamically:
> http://serverfault.com/questions/75010/dynamic-authentication-realms-in-apache/75526#75526
> But I'm not a Perl guy; I have no idea how to modify that code to fit my
> need. And I also don't know if MPM-ITK has a built-in variable or not.
> Please kindly help me... thanks before.

The problem with the mod_perl approach is one of security: mod_perl has security flaws in directive handling, which may lead to privilege escalation based on what you put in e.g. a .htaccess file. As I understand it, MPM-ITK parses .htaccess with root privileges.

In general, I would recommend against using mod_perl unless your webserver is essentially a single-user environment, and preferably with read-only web directories (so that other vulnerable code may not inject code into .htaccess or similar).

Related, public bug reports:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=647506

A CVE entry has been forthcoming since October, but the details are not quite public yet.

I have heard that there are other modules providing Perl-based Apache configuration, but I have no recollection regarding which these are and what they do.

-- 
In the beginning was the Bit, and the Bit was Zero. Then Someone said, Let there be One, and there was One. And Someone blessed them, and Someone said unto them, Be fruitful, and multiply, and replenish the Word and subdue it: and have dominion over every thing that is.

From: h.heil at zweipol.net (Henrik Heil)
Date: Mon, 07 May 2012 16:20:08 +0200 (CEST)
Subject: [mpm-itk] debian squeeze, fix for 403 with .htaccess
Message-ID: <20120507.162008.985438181862058872.h.heil@zweipol.net>

Hi,

is the patch [1] for the 403-with-htaccess problem in the current stable Debian release (apache2-mpm-itk/squeeze, up to date: 2.2.16-6+squeeze7)? I thought so, but I can only find the fix for CVE-2011-1176 in the changelog [2].

If not, would this qualify for the next point release, or is there a backport available? Unfortunately I am beginning to see these errors on a production system where I can neither force the permissions of all .htaccess files nor upgrade to testing/unstable.

Thanks in advance,
Henrik

[1] http://mpm-itk.sesse.net/apache2.2-mpm-itk-2.2.17-01/11-fix-htaccess-reads-for-persistent-connections.patch
[2] http://packages.debian.org/changelogs/pool/main/a/apache2/apache2_2.2.16-6+squeeze7/changelog

From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Mon, 7 May 2012 16:38:33 +0200
Subject: [mpm-itk] debian squeeze, fix for 403 with .htaccess
In-Reply-To: <20120507.162008.985438181862058872.h.heil@zweipol.net>
References: <20120507.162008.985438181862058872.h.heil@zweipol.net>
Message-ID: <20120507143833.GF25360@uio.no>

On Mon, May 07, 2012 at 04:20:08PM +0200, Henrik Heil wrote:
> is the patch [1] for the 403-with-htaccess problem in the current
> stable Debian release (apache2-mpm-itk/squeeze, up to date:
> 2.2.16-6+squeeze7)?

Unfortunately, it's not. The fix came too late to be included in squeeze.

> If not, would this qualify for the next point release, or is there a
> backport available?

I doubt it; as I see it, it falls outside what would usually be considered applicable for stable, but the Apache maintainers and Stable Release Managers might disagree. You should probably ask them.

/* Steinar */

From: mysql.jorge at decimal.pt (Jorge Bastos)
Date: Sun, 20 May 2012 16:36:43 +0100
Subject: [mpm-itk] Apache 2.4x and the new MOD_PRIVILEGES

Howdy,

As a server maintainer, I'm starting to read info about Apache 2.4, and I see that there exists a "mod_privileges" to do the same job as ITK, and it has two levels:

FAST mode

In FAST mode, requests are run in-process with the selected uid/gid and privileges, so the overhead is negligible. This is suitable for benign situations, but is not secure against an attacker escalating privileges with an in-process module or script.

SECURE mode

A request in SECURE mode forks a subprocess, which then drops privileges. This is a very similar case to running CGI with suexec, but for the entire request cycle, and with the benefit of fine-grained control of privileges.

My question is, does ITK have these problems also?

Thanks in advance,
Jorge Bastos

From: azurit at pobox.sk (azurIt)
Date: Sun, 20 May 2012 17:42:00 +0200
Subject: [mpm-itk] Apache 2.4x and the new MOD_PRIVILEGES
Message-ID: <20120520174200.05BB738A@pobox.sk>

mod_privileges runs only under Solaris.

azur

> From: "Jorge Bastos"
> Date: 20.05.2012 17:37
> Subject: [mpm-itk] Apache 2.4x and the new MOD_PRIVILEGES
>
> My question is, does ITK have these problems also?

From: mysql.jorge at decimal.pt (Jorge Bastos)
Date: Sun, 20 May 2012 16:45:55 +0100
Subject: [mpm-itk] Apache 2.4x and the new MOD_PRIVILEGES
In-Reply-To: <20120520174200.05BB738A@pobox.sk>
References: <20120520174200.05BB738A@pobox.sk>
Message-ID: <007801cd369f$a593f6d0$f0bbe470$@jorge@decimal.pt>

Hi,

> mod_privileges runs only under Solaris.
>
> azur

Oh, confirmed it, I didn't see that part!

From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Mon, 21 May 2012 01:04:42 +0200
Subject: [mpm-itk] Apache 2.4x and the new MOD_PRIVILEGES
Message-ID: <20120520230441.GA17780@uio.no>

On Sun, May 20, 2012 at 04:36:43PM +0100, Jorge Bastos wrote:
> My question is, does ITK have these problems also?

Define "problems". :-)

mpm-itk works in a mode similar to mod_privileges' "secure mode".

I think it's interesting that after years of refusing to take in mpm-itk, mostly on the basis of "nobody needs that", Apache upstream has taken in a Solaris-only module doing more or less the same thing as mpm-itk (although not as an MPM). Granted, Solaris privileges reportedly allow for somewhat more fine-grained control over things, but it would be interesting to see if mpm-itk could be recast into something similar.

/* Steinar */

From: jani+mpm-itk at ifi.uio.no (Jan Ingvoldstad)
Date: Mon, 21 May 2012 23:57:17 +0200
Subject: [mpm-itk] Apache 2.4x and the new MOD_PRIVILEGES
In-Reply-To: <20120520230441.GA17780@uio.no> (Steinar H. Gunderson's message of "Mon, 21 May 2012 01:04:42 +0200")
References: <20120520230441.GA17780@uio.no>

On Mon, 21 May 2012 01:04:42 +0200, "Steinar H. Gunderson" said:
> I think it's interesting that after years of refusing to take in mpm-itk,
> mostly on the basis of "nobody needs that", Apache upstream has taken in a
> Solaris-only module doing more or less the same thing as mpm-itk (although
> not as an MPM). Granted, Solaris privileges reportedly allow for somewhat
> more fine-grained control over things, but it would be interesting to see if
> mpm-itk could be recast into something similar.

Well, Linux and FreeBSD offer extra security capabilities, don't they?

The problem, as I see it, is that these are not the same, so it adds complexity, and therefore risk. So I'm not going to push you for it, but I'll be happy if you can make it work.

From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Tue, 22 May 2012 00:02:38 +0200
Subject: [mpm-itk] Apache 2.4x and the new MOD_PRIVILEGES
References: <20120520230441.GA17780@uio.no>
Message-ID: <20120521220238.GA3365@uio.no>

On Mon, May 21, 2012 at 11:57:17PM +0200, Jan Ingvoldstad wrote:
> Well, Linux and FreeBSD offer extra security capabilities, don't they?

I'm not sure if they are as potent. But I haven't looked at the mod_privileges code at all, so I'll claim incompetence here.

It is rather odd that Apache upstream refuses to take in a patch that is in all major Linux distributions plus FreeBSD ports, though. Maybe I should make a fourth attempt at some point.

/* Steinar */

From: azurit at pobox.sk (azurIt)
Date: Tue, 22 May 2012 09:49:59 +0200
Subject: [mpm-itk] Apache 2.4x and the new MOD_PRIVILEGES
In-Reply-To: <20120521220238.GA3365@uio.no>
References: <20120520230441.GA17780@uio.no>, <20120521220238.GA3365@uio.no>
Message-ID: <20120522094959.D062E4E3@pobox.sk>

> It is rather odd that Apache upstream refuses to take in a patch that is in
> all major Linux distributions plus FreeBSD ports, though. Maybe I should make
> a fourth attempt at some point.

Yeah, give it a try! :)

From: mahatma at bspu.unibel.by (Dzianis Kahanovich)
Date: Tue, 22 May 2012 17:39:27 +0300
Subject: [mpm-itk] Apache 2.4x and the new MOD_PRIVILEGES
In-Reply-To: <20120520174200.05BB738A@pobox.sk>
References: <20120520174200.05BB738A@pobox.sk>
Message-ID: <4FBBA51F.4020907@bspu.unibel.by>

IMHO a simple fix makes it work under Linux, but I have not tested it. http://mahatma.bspu.unibel.by/download/experimental/23-fake-priv.patch - the idea is to make a fake priv.h...

PS: I just hacked it while making a 2.3.15 ebuild for my Gentoo overlay, but didn't take the time to test it. It just compiled.

PPS: Sorry, own spamassassin... x2 ;)

azurIt wrote:
> mod_privileges runs only under Solaris.
>
> azur

-- 
WBR, Dzianis Kahanovich AKA Denis Kaganovich, http://mahatma.bspu.unibel.by/