From pkilgo at g.clemson.edu Thu Feb 4 21:52:57 2016
From: pkilgo at g.clemson.edu (Paul Kilgo)
Date: Thu, 4 Feb 2016 15:52:57 -0500
Subject: [mpm-itk] [patch] Explicitly set setuid and setgid capabilities before privdrop
In-Reply-To: <20160131131125.GA15595@sesse.net>
References: <20151120150734.GD10632@dot.dmz.freshdot.net> <20151123234629.GB3882@sesse.net> <20160131131125.GA15595@sesse.net>
Message-ID:

On Sun, Jan 31, 2016 at 8:11 AM, Steinar H. Gunderson wrote:
> I looked at this for an upcoming release; it seems you have an old version
> and this issue was already fixed as part of another patch in 2.4.7-02.
> Can you please verify that 2.4.7-03 works for you?

Seems to work fine. Sorry for the confusion and thanks for looking into it.

I posted the patch to the corresponding Launchpad bug [1]. We have been using it for a while without issue.

[1] https://bugs.launchpad.net/ubuntu/+source/mpm-itk/+bug/1517214

--
Paul Kilgo
pkilgo at clemson.edu
PhD Student, School of Computing
http://people.cs.clemson.edu/~pkilgo/

From asl at launay.org Fri Feb 5 18:27:58 2016
From: asl at launay.org (Arnaud Launay)
Date: Fri, 5 Feb 2016 18:27:58 +0100
Subject: [mpm-itk] Permissions on DocumentRoot (Debian Jessie)
Message-ID: <20160205172758.GA26299@launay.org>

Hello,

I'm running into trouble while migrating an old apache 2.2 / mpm itk to a newer Debian Jessie (8.3 up to date), apache 2.4.10 and itk 2.4.7-02-1.1+deb8u1.

I have a directory structure of the type

root at l004:~# namei -m /mnt/web/tools/check/check.txt
f: /mnt/web/tools/check/check.txt
 drwxr-xr-x /
 drwxr-xr-x mnt
 drwxr-xr-x web
 drwxr-xr-x tools
 drwx------ check
 -rw------- check.txt

and a virtualhost as such:

AllowOverride None
DocumentRoot /mnt/web/tools/check
ServerName foo.bar
ErrorLog foobar.log
TransferLog fooerr.log
AssignUserId foobar foobar
Require all granted

with the directory "check" and files in it owned by foobar:foobar.

root at l004:/mnt/csweb/tools# ls -laR
.:
total 12
drwxr-xr-x 3 root root 4096 févr. 4 16:55 .
drwxr-xr-x 5 root root 4096 févr. 4 16:54 ..
drwx------ 2 foobar foobar 4096 févr. 4 16:59 check

./check:
total 64
drwx------ 2 foobar foobar 4096 févr. 4 16:59 .
drwxr-xr-x 3 root root 4096 févr. 4 16:55 ..
-rw------- 1 foobar foobar 3 févr. 4 16:59 check.txt

I have a search permission that I cannot explain, as the same structure works fine on the old apache/itk:

[Thu Feb 04 18:34:24.551524 2016] [core:error] [pid 912] (13)Permission denied: [client X.Y.Z.A:49604] AH00035: access to /check.txt denied (filesystem path '/mnt/web/tools/check/check.txt') because search permissions are missing on a component of the path

X.Y.Z.A - - [04/Feb/2016:19:14:35 +0100] "HEAD /check.txt HTTP/1.1" 403 -

The same thing works just fine if I do a

chmod +x /mnt/web/tools/check

Which obviously I don't really want to do, as the whole thing with itk is to run it with only the user permissions.

Working permissions:

root at babar:/mnt/web/tools# ls -alR
.:
total 12
drwxr-xr-x 3 root root 4096 févr. 4 16:55 .
drwxr-xr-x 5 root root 4096 févr. 4 16:54 ..
drwx--x--x 2 foobar foobar 4096 févr. 4 16:59 check

./check:
total 64
drwx--x--x 2 foobar foobar 4096 févr. 4 16:59 .
drwxr-xr-x 3 root root 4096 févr. 4 16:55 ..
-rw------- 1 foobar foobar 3 févr. 4 16:59 check.txt

X.Y.Z.A - - [04/Feb/2016:19:15:15 +0100] "HEAD /check.txt HTTP/1.1" 200 -

Even stranger:

chmod o-x /mnt/web/tools/check
touch index.html
wget http://foo.bar/
WORKS -> 200, empty file (or not, I tried with content too...)

wget http://foo.bar/index.html
[Fri Feb 05 18:23:02.925837 2016] [core:error] [pid 29908] (13)Permission denied: [client XXXX] AH00035: access to /index.html denied (filesystem path '/mnt/web/tools/phpinfo/index.html') because search permissions are missing on a component of the path

It resembles very much
https://lists.err.no/pipermail/mpm-itk/2015-March/000848.html

But apache and itk are up to date and supposedly compatible on Debian Jessie...

I'm out of ideas... Am I missing something?

Arnaud.

From mpmitk at octlabs.com Thu Feb 11 19:48:19 2016
From: mpmitk at octlabs.com (Stefan Rieger)
Date: Thu, 11 Feb 2016 19:48:19 +0100
Subject: [mpm-itk] itk with diffrent php versions
Message-ID: <56BCD773.40208@octlabs.com>

Hi

I'm running ITK since year on several server :)
Thanks for the great work!

Is there a common solution to run different php versions for a virtual host?

I'm not really willing to switch to mod_fastcgi just for that feature. But I didn't find any solution on the net till now.

Thanks also for negative reply.

- Stefan Rieger

From alex.hha at gmail.com Thu Feb 11 20:51:32 2016
From: alex.hha at gmail.com (Alex Domoradov)
Date: Thu, 11 Feb 2016 21:51:32 +0200
Subject: [mpm-itk] itk with diffrent php versions
In-Reply-To: <56BCD773.40208@octlabs.com>
References: <56BCD773.40208@octlabs.com>
Message-ID:

AFAIK there is no way, unfortunately.

On Thu, Feb 11, 2016 at 8:48 PM, Stefan Rieger wrote:
> Hi
>
> I'm running ITK since year on several server :)
> Thanks for the great work!
>
> Is there a common solution to run different php versions for a virtual
> host?
>
> I'm not really willing to switch to mod_fastcgi just for that feature. But
> I didn't find any solution on the net till now.
>
> Thanks also for negative reply.
>
> - Stefan Rieger
>
> _______________________________________________
> mpm-itk mailing list
> mpm-itk at err.no
> http://lists.err.no/mailman/listinfo/mpm-itk

From matthias.leopold at meduniwien.ac.at Fri Feb 12 11:07:06 2016
From: matthias.leopold at meduniwien.ac.at (Matthias Leopold)
Date: Fri, 12 Feb 2016 11:07:06 +0100
Subject: [mpm-itk] permissions on PHP error_log/mail.log
Message-ID: <56BDAECA.9060900@meduniwien.ac.at>

Hi,

do i get this right that with mpm-itk 2.4.7.01 (EPEL for RH/CentOS 7) the files written for php.ini parameters "error_log" and "mail.log" have ownership determined by "AssignUserID" whereas with httpd-itk-2.2.22-7 (EPEL for RH/CentOS 6) these files are written with ownership of httpd "User"?

For me this means in practice i can't have shared mail/error log files for PHP on RHEL7 any more. Are there any solutions for this?

thanks
matthias

From christoph at interway.ch Fri Feb 12 13:24:53 2016
From: christoph at interway.ch (christoph at interway.ch)
Date: Fri, 12 Feb 2016 13:24:53 +0100
Subject: [mpm-itk] permissions on PHP error_log/mail.log
Message-ID: <952790858.20160212132453@iway.ch>

> For me this means in practice i can't have shared mail/error log files
> for PHP on RHEL7 any more. Are there any solutions for this?

chmod 666 on these two files and make sure your logrotate mechanism does not mess up these permissions.
That's what we use and it works.
Yes, it may not be the best solution from a security standpoint, but this can be a bit mitigated (not solved!) by using the open_basedir directive.

regards
Christoph

From christoph at interway.ch Fri Feb 12 13:24:54 2016
From: christoph at interway.ch (christoph at interway.ch)
Date: Fri, 12 Feb 2016 13:24:54 +0100
Subject: [mpm-itk] itk with diffrent php versions
Message-ID: <727061373.20160212132454@iway.ch>

> I'm running ITK since year on several server :)
> Thanks for the great work!

> Is there a common solution to run different php versions for a virtual host?

> I'm not really willing to switch to mod_fastcgi just for that feature. But
> i didn't find any solution on the net till now.

No, it's not possible to have multiple PHP versions when using it as an apache module - but this is completely unrelated to ITK and more of a general thingy

In order to use multiple PHP versions, you need to switch to fastcgi or fpm.

With Debian8 we're using mod_proxy_fcgi with fpm and unix sockets to pass the requests.
Pretty simple configuration and works great.
For more "security" regarding PHP opcode cacher, you may want to use fastcgi instead of fpm, but you lose some speed doing so. (though often not relevant for most sites)

Christoph

From michael at orlitzky.com Fri Feb 12 15:35:15 2016
From: michael at orlitzky.com (Michael Orlitzky)
Date: Fri, 12 Feb 2016 09:35:15 -0500
Subject: [mpm-itk] permissions on PHP error_log/mail.log
In-Reply-To: <56BDAECA.9060900@meduniwien.ac.at>
References: <56BDAECA.9060900@meduniwien.ac.at>
Message-ID: <56BDEDA3.2050104@orlitzky.com>

On 02/12/2016 05:07 AM, Matthias Leopold wrote:
>
> For me this means in practice i can't have shared mail/error log files
> for PHP on RHEL7 any more. Are there any solutions for this?
>

Sure you can, set those parameters to "syslog" and then configure your syslog daemon to filter out the PHP error/mail messages into separate files.

From alex.hha at gmail.com Fri Feb 12 17:25:33 2016
From: alex.hha at gmail.com (Alex Domoradov)
Date: Fri, 12 Feb 2016 18:25:33 +0200
Subject: [mpm-itk] itk with diffrent php versions
In-Reply-To: <727061373.20160212132454@iway.ch>
References: <727061373.20160212132454@iway.ch>
Message-ID:

> With Debian8 we're using mod_proxy_fcgi with fpm and unix sockets to pass the requests.

and what would be if I need to run 1000 sites? Do I need to create 1000 sockets in such case?
Because right now I'm using virtualaliases + mpm-itk + perdir patch with a really small and clean config file, something like the following one

ServerName vhosts.dev.example.net
ServerAlias *.dev.example.net
UseCanonicalName Off

VirtualDocumentRoot /vhosts/dev.dev.example.net/%1
DirectoryIndex index.php index.html

php_admin_value upload_tmp_dir /tmp/
php_admin_value session.save_path /tmp/
php_admin_value auto_prepend_file /vhosts/setdocroot.php

AssignUserFromPath "^/vhosts/dev.example.net/([^/]+)" dev_$1 dev_$1

DirectoryIndex index.php index.html
Options -Indexes
AllowOverride All
Order allow,deny
Allow from all

On Fri, Feb 12, 2016 at 2:24 PM, wrote:

> > I'm running ITK since year on several server :)
> > Thanks for the great work!
>
> > Is there a common solution to run different php versions for a virtual
> host?
>
> > I'm not really willing to switch to mod_fastcgi just for that feature.
> But
> > i didn't find any solution on the net till now.
>
>
> No, it's no possible to have multiple PHP versions when using it as an
> apache module - but this is completely unrelated to ITK and more of a
> general thingy
>
> In order to use multiple PHP versions, you need to switch to fastcgi or
> fpm.
>
> With Debian8 we're using mod_proxy_fcgi with fpm and unix sockets to pass
> the requests.
> Pretty simple configuration and works great.
> For more "security" regarding PHP opcode cacher, you may want to use
> fastcgi instead of fpm, but you lose some speed doing so. (though often not
> relevant for most sites)
>
>
> Christoph

From asl at launay.org Fri Feb 12 18:50:08 2016
From: asl at launay.org (Arnaud Launay)
Date: Fri, 12 Feb 2016 18:50:08 +0100
Subject: [mpm-itk] Permissions on DocumentRoot (Debian Jessie)
In-Reply-To: <20160205172758.GA26299@launay.org>
References: <20160205172758.GA26299@launay.org>
Message-ID: <20160212175008.GA29670@launay.org>

On Fri, Feb 05, 2016 at 06:27:58PM +0100, Arnaud Launay wrote:
> I'm running into trouble while migrating an old apache 2.2 /
> mpm itk to a newer Debian Jessie (8.3 up to date), apache 2.4.10
> and itk 2.4.7-02-1.1+deb8u1 .

Ok, so, all the trouble I have is related to having /mnt/web an NFS mounted directory.

Apparently, I'm not the only one:
http://mail-archives.apache.org/mod_mbox/httpd-users/201508.mbox/%3C20150819075451.GA20572 at dot.dmz.freshdot.net%3E

Unfortunately, the thread didn't indicate any solution. I put the OP in copy here, maybe he has some more insight?

Sander, did you find a solution?

(for the original post from me: https://lists.err.no/pipermail/mpm-itk/2016-February/000990.html)

Arnaud.

From ssmeenk at freshdot.net Fri Feb 12 19:19:40 2016
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Fri, 12 Feb 2016 19:19:40 +0100
Subject: [mpm-itk] Permissions on DocumentRoot (Debian Jessie)
In-Reply-To: <20160212175008.GA29670@launay.org>
References: <20160205172758.GA26299@launay.org> <20160212175008.GA29670@launay.org>
Message-ID: <20160212181940.GA13362@dot.dmz.freshdot.net>

Quoting Arnaud Launay (asl at launay.org):
> > I'm running into trouble while migrating an old apache 2.2 /
> > mpm itk to a newer Debian Jessie (8.3 up to date), apache 2.4.10
> > and itk 2.4.7-02-1.1+deb8u1 .
> Ok, so, all the trouble I have is related to having /mnt/web an
> NFS mounted directory. Apparently, I'm not the only one.
> I put the OP in copy here, maybe he has some more insight ?
> Sander, did you find a solution ?

No. No *real* solution at least.

I've even tried on linux-nfs[1] to get some insight in the libcap2 capabilities combination with NFS, rebuilt mpm-itk with all sorts of combinations of capabilities and places where they are set / enforced, but basically "it does not work" over NFS.

So, i compiled mpm-itk without libpcap2 support. It falls back to the behaviour as it was before capabilities were introduced to mpm-itk. Which is how our platform has been running for years, and probably will be running for years to come.

> (for the original post from me:
> https://lists.err.no/pipermail/mpm-itk/2016-February/000990.html)

Regards,
-Sndr.

[1] http://www.spinics.net/lists/linux-nfs/msg54666.html
    TL;DR: "This will not work on NFS. The server, which enforces
    permissions, has no way to know what capabilities your
    process has on the client."
--
| A fine is a tax for doing wrong. A tax is a fine for doing well.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2

From alex.hha at gmail.com Fri Feb 12 19:24:56 2016
From: alex.hha at gmail.com (Alex Domoradov)
Date: Fri, 12 Feb 2016 20:24:56 +0200
Subject: [mpm-itk] itk with diffrent php versions
In-Reply-To: <518715744.20160212180558@iway.ch>
References: <727061373.20160212132454@iway.ch> <518715744.20160212180558@iway.ch>
Message-ID:

> But you will need to create a dedicated FPM config/pool file for every virtualhost/user

Unfortunately that's a problem. Because we have environment with 2k+ vhosts

On Fri, Feb 12, 2016 at 7:05 PM, Christoph Roethlisberger <christoph.roethlisberger at iway.ch> wrote:

> Hello Alex
>
> clean and small apache! config could still work, as only the following
> three lines are required.
> the socket name (in this case the "www-data") you may be able to set
> dynamically (%1)
>
>
> SetHandler "proxy:unix:/var/run/php5-fpm/www-data.sock|fcgi://www-data/"
>
>
> But you will need to create a dedicated FPM config/pool file for every
> virtualhost/user, and that may be beyond of what you want to do.
>
>
> Of course you can still use the PHP apache module for all sites that do
> not require a different PHP version, and just configure the FPM for the
> ones that will.
> The FilesMatch directive has precedence, so if you put that into your
> config file these sites will use PHP-FPM, and if you leave it out, the PHP
> requests gets served by the apache2 php module.
>
> Apache 2.4 also supports some if/else statements, that may allow you to
> dynamically "enable" the FPM related config snippet just for these sites
> that need it. (though I never checked them out, so I can't say what's
> possible and what not)
> That may allow you to still keep your single apache config file, despite
> supporting multiple php version
>
> regards
> Christoph
>
>
>
> Friday, February 12, 2016, 5:25:33 PM, you wrote:
>
>
> and what would be if I need to run 1000 sites? Do I need to create 1000
> sockets in such case? Because right now I'm using virtualaliases + mpm-itk
> + perdir patch with a really small and clean config file, something like
> the following one
>
>
> ServerName vhosts.dev.example.net
> ServerAlias *.dev.example.net
> UseCanonicalName Off
>
> VirtualDocumentRoot /vhosts/dev.dev.example.net/%1
> DirectoryIndex index.php index.html
>
> php_admin_value upload_tmp_dir /tmp/
> php_admin_value session.save_path /tmp/
> php_admin_value auto_prepend_file /vhosts/setdocroot.php
>
> AssignUserFromPath "^/vhosts/dev.example.net/([^/]+)" dev_$1 dev_$1
>
>
> DirectoryIndex index.php index.html
> Options -Indexes
> AllowOverride All
> Order allow,deny
> Allow from all

From ssmeenk at freshdot.net Fri Feb 12 19:47:05 2016
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Fri, 12 Feb 2016 19:47:05 +0100
Subject: [mpm-itk] Permissions on DocumentRoot (Debian Jessie)
In-Reply-To: <20160212181940.GA13362@dot.dmz.freshdot.net>
References: <20160205172758.GA26299@launay.org> <20160212175008.GA29670@launay.org> <20160212181940.GA13362@dot.dmz.freshdot.net>
Message-ID: <20160212184705.GA22699@dot.dmz.freshdot.net>

Quoting Sander Smeenk (ssmeenk at freshdot.net):
> I've even tried on linux-nfs[1] to get some insight in the libcap2
> capabilities combination with NFS
> [1] http://www.spinics.net/lists/linux-nfs/msg54666.html
>     TL;DR: "This will not work on NFS. The server, which enforces
>     permissions, has no way to know what capabilities your
>     process has on the client."

Re-pondering this comment on linux-nfs after all this time makes me wonder if this is correct. It still perplexes me.

It has nothing to do with the server, right? The client drops local privileges and can still access a file, sets strict capabilities before privdrop and suddenly it can't.

Interesting problem. I might spend some more time on this. If only to find out where / what / why and conclude it's indeed not possible. ;)

-Sndr.
--
| 'Squawks' said backwards still sounds the same
| even though it's not a palindrome.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2

From sgunderson at bigfoot.com Sun Feb 14 17:41:11 2016
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Sun, 14 Feb 2016 17:41:11 +0100
Subject: [mpm-itk] mpm-itk 2.4.7-04 released
Message-ID: <20160214164111.GA1450@sesse.net>

Hi everyone, and happy Valentine's Day -- I decided to give mpm-itk a little love based on recent discussions. It's only very lightly tested, but should hopefully be helpful for those with NFS issues anyway. Full changelog below:

===
mpm-itk 2.4.7-04, released 2016-02-14:

  - Fix a compilation error on RHEL6; patch from Hans Kristian Rosbach.
  - Add a new flag EnableCapabilities (default on), which can be disabled
    to revert to the behavior in place before 2.4.2-02, which causes problems
    when the filesystem in use does not respect capabilities (in particular
    NFS).
  - Update copyright to 2016.
===

As usual, you can find the download link on http://mpm-itk.sesse.net/ .

/* Steinar */
--
Homepage: https://www.sesse.net/

From helmo at initfour.nl Wed Feb 17 10:10:11 2016
From: helmo at initfour.nl (Herman van Rink)
Date: Wed, 17 Feb 2016 10:10:11 +0100
Subject: [mpm-itk] mpm-itk 2.4.7-04 released
In-Reply-To: <20160214164111.GA1450@sesse.net>
References: <20160214164111.GA1450@sesse.net>
Message-ID: <56C438F3.9020300@initfour.nl>

On 14-02-16 17:41, Steinar H. Gunderson wrote:
> Hi everyone, and happy Valentine's Day -- I decided to give mpm-itk a little
> love based on recent discussions. It's only very lightly tested, but should
> hopefully be helpful for those with NFS issues anyway. Full changelog below:

Thanks, I had been puzzled by the NFS issue for a while now ... and this seems to have solved it.

I've re-build the debian package for Debian Jessie.
https://www.initfour.nl/debian/dists/jessie/libapache2-mpm-itk_2.4.7-04-1~bpo80+1_amd64.deb

--
Met vriendelijke groet / Regards,

Herman van Rink
Initfour websolutions

From liu at sfu.ca Thu Feb 18 18:13:41 2016
From: liu at sfu.ca (Lixin Liu)
Date: Thu, 18 Feb 2016 09:13:41 -0800 (PST)
Subject: [mpm-itk] mpm-itk 2.4.7-04 released
In-Reply-To: <20160214164111.GA1450@sesse.net>
References: <20160214164111.GA1450@sesse.net>
Message-ID: <008e01d16a6f$b66d3720$2347a560$@sfu.ca>

Hi Steinar,

How should I disable this new EnableCapabilities option? If I add to the apache config file, I get

httpd[17493]: AH00526: Syntax error on line 5 of /etc/httpd/conf.modules.d/00-mpm-itk.conf:
httpd[17493]: Invalid command 'EnableCapabilities', perhaps misspelled or defined by a module not included in the server configuration.

# cat /etc/httpd/conf.modules.d/00-mpm-itk.conf
# ITK MPM (Multi-Processing Module). Mpm-itk allows you to run each of your
# vhost under a separate uid and gid - in short, the scripts and configuration
# files for one vhost no longer have to be readable for all the other vhosts.
LoadModule mpm_itk_module modules/mod_mpm_itk.so
EnableCapabilities off

I am using CentOS 7.2.

BTW, ITK module is very useful in our design of generic science gateway portal.

Cheers,

Lixin Liu
Simon Fraser University
Burnaby BC CANADA

> -----Original Message-----
> From: mpm-itk [mailto:mpm-itk-bounces at err.no] On Behalf Of Steinar H.
> Gunderson
> Sent: Sunday, February 14, 2016 8:41 AM
> To: mpm-itk at err.no
> Subject: [mpm-itk] mpm-itk 2.4.7-04 released
>
> Hi everyone, and happy Valentine's Day -- I decided to give mpm-itk a
> little
> love based on recent discussions. It's only very lightly tested, but
> should
> hopefully be helpful for those with NFS issues anyway. Full changelog
> below:
>
> ===
> mpm-itk 2.4.7-04, released 2016-02-14:
>
> - Fix a compilation error on RHEL6; patch from Hans Kristian Rosbach.
> - Add a new flag EnableCapabilities (default on), which can be disabled
> to revert to the behavior in place before 2.4.2-02, which causes
> problems
> when the filesystem in use does not respect capabilities (in
> particular
> NFS).
> - Update copyright to 2016.
> ===
>
> As usual, you can find the download link on http://mpm-itk.sesse.net/ .
>
> /* Steinar */
> --
> Homepage: https://www.sesse.net/

From liu at sfu.ca Thu Feb 18 19:52:43 2016
From: liu at sfu.ca (Lixin Liu)
Date: Thu, 18 Feb 2016 10:52:43 -0800 (PST)
Subject: [mpm-itk] mpm-itk 2.4.7-04 released
In-Reply-To: <008e01d16a6f$b66d3720$2347a560$@sfu.ca>
References: <20160214164111.GA1450@sesse.net> <008e01d16a6f$b66d3720$2347a560$@sfu.ca>
Message-ID: <00e301d16a7d$8c2a3e50$a47ebaf0$@sfu.ca>

Looking again at the website, I guess I should define the option in session of the config file, like:

EnableCapabilities off
AssignUserId webuser webgroup

Is it correct?

Thanks,

Lixin.

> -----Original Message-----
> From: mpm-itk [mailto:mpm-itk-bounces at err.no] On Behalf Of Lixin Liu
> Sent: Thursday, February 18, 2016 9:14 AM
> To: mpm-itk at err.no
> Subject: Re: [mpm-itk] mpm-itk 2.4.7-04 released
>
> Hi Steinar,
>
> How should I disable this new EnableCapabilities option?
> If I add to the apache config file, I get
>
> httpd[17493]: AH00526: Syntax error on line 5 of
> /etc/httpd/conf.modules.d/00-mpm-itk.conf:
> httpd[17493]: Invalid command 'EnableCapabilities', perhaps misspelled or
> defined by a module not included in the server configuration.
>
> # cat /etc/httpd/conf.modules.d/00-mpm-itk.conf
> # ITK MPM (Multi-Processing Module). Mpm-itk allows you to run each of
> your
> # vhost under a separate uid and gid - in short, the scripts and
> configuration
> # files for one vhost no longer have to be readable for all the other
> vhosts.
> LoadModule mpm_itk_module modules/mod_mpm_itk.so
> EnableCapabilities off
>
> I am using CentOS 7.2.
>
> BTW, ITK module is very useful in our design of generic science gateway
> portal.
>
> Cheers,
>
> Lixin Liu
> Simon Fraser University
> Burnaby BC CANADA
>
> > -----Original Message-----
> > From: mpm-itk [mailto:mpm-itk-bounces at err.no] On Behalf Of Steinar H.
> > Gunderson
> > Sent: Sunday, February 14, 2016 8:41 AM
> > To: mpm-itk at err.no
> > Subject: [mpm-itk] mpm-itk 2.4.7-04 released
> >
> > Hi everyone, and happy Valentine's Day -- I decided to give mpm-itk a
> > little
> > love based on recent discussions. It's only very lightly tested, but
> > should
> > hopefully be helpful for those with NFS issues anyway. Full changelog
> > below:
> >
> > ===
> > mpm-itk 2.4.7-04, released 2016-02-14:
> >
> > - Fix a compilation error on RHEL6; patch from Hans Kristian Rosbach.
> > - Add a new flag EnableCapabilities (default on), which can be
> > disabled
> > to revert to the behavior in place before 2.4.2-02, which causes
> > problems
> > when the filesystem in use does not respect capabilities (in
> > particular
> > NFS).
> > - Update copyright to 2016.
> > ===
> >
> > As usual, you can find the download link on http://mpm-itk.sesse.net/ .
> >
> > /* Steinar */
> > --
> > Homepage: https://www.sesse.net/

From sgunderson at bigfoot.com Thu Feb 18 20:00:41 2016
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Thu, 18 Feb 2016 20:00:41 +0100
Subject: [mpm-itk] mpm-itk 2.4.7-04 released
In-Reply-To: <008e01d16a6f$b66d3720$2347a560$@sfu.ca>
References: <20160214164111.GA1450@sesse.net> <008e01d16a6f$b66d3720$2347a560$@sfu.ca>
Message-ID: <20160218190041.GA2641@sesse.net>

On Thu, Feb 18, 2016 at 09:13:41AM -0800, Lixin Liu wrote:
> httpd[17493]: AH00526: Syntax error on line 5 of
> /etc/httpd/conf.modules.d/00-mpm-itk.conf:
> httpd[17493]: Invalid command 'EnableCapabilities', perhaps misspelled or
> defined by a module not included in the server configuration.

Did you compile with libcap?
If not, the option isn't there (there's nothing to enable).

/* Steinar */
--
Homepage: https://www.sesse.net/

From liu at sfu.ca Thu Feb 18 23:45:30 2016
From: liu at sfu.ca (Lixin Liu)
Date: Thu, 18 Feb 2016 14:45:30 -0800 (PST)
Subject: [mpm-itk] mpm-itk 2.4.7-04 released
In-Reply-To: <20160218190041.GA2641@sesse.net>
References: <20160214164111.GA1450@sesse.net> <008e01d16a6f$b66d3720$2347a560$@sfu.ca> <20160218190041.GA2641@sesse.net>
Message-ID: <016a01d16a9e$110f56d0$332e0470$@sfu.ca>

Hi Steinar,

Thank you very much. I did not have libcap-devel installed in the system, so it did not compile with the option. After I recompiled with libcap, it is working without turning EnableCapabilities off.

Initially after we updated from 2.4.7-02 to 2.4.7-04, we see

[unixd:alert] [pid 17398] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 0

We have files on the Lustre file system, so I thought may have a similar issue as NFS, but does not appear to be the case.

Cheers,

Lixin.

> -----Original Message-----
> From: mpm-itk [mailto:mpm-itk-bounces at err.no] On Behalf Of Steinar H.
> Gunderson
> Sent: Thursday, February 18, 2016 11:01 AM
> To: mpm-itk at err.no
> Subject: Re: [mpm-itk] mpm-itk 2.4.7-04 released
>
> On Thu, Feb 18, 2016 at 09:13:41AM -0800, Lixin Liu wrote:
> > httpd[17493]: AH00526: Syntax error on line 5 of
> > /etc/httpd/conf.modules.d/00-mpm-itk.conf:
> > httpd[17493]: Invalid command 'EnableCapabilities', perhaps misspelled
> > or
> > defined by a module not included in the server configuration.
>
> Did you compile with libcap? If not, the option isn't there (there's
> nothing
> to enable).
>
> /* Steinar */
> --
> Homepage: https://www.sesse.net/

From aroudgar at sfu.ca Fri Feb 19 09:44:49 2016
From: aroudgar at sfu.ca (Ata Roudgar)
Date: Fri, 19 Feb 2016 00:44:49 -0800
Subject: [mpm-itk] cgi-script in itk-mpm 2.4.7-04
Message-ID: <1791601.EbsOmsKKnP@linux-hv4g>

Hi,

I am using itk-mpm 2.4.7-04 released. It seems everything is working very well except when I need apache to run the following simple python program:

#!/bin/python
print "Content-type: text/html\n\n"
print
print "Hello"

I get a 500 error. The file is located at /home/irida/public_html. The .htaccess in this directory is:

Options +Indexes +FollowSymLinks +ExecCGI +SymLinksIfOwnerMatch
AddHandler cgi-script .py .pl

and here is the part of the v.host configuration related to itk module:

AssignUserId irida irida
AllowOverride All
Order allow,deny
allow from all

and here is the error I get:

End of script output before headers: test.py

It seems the itk module added something at the beginning of the output of this program because apache can not recognize that it is a cgi print. I have already disabled suexec module to make sure there is no interference. I should note that as soon as I delete AssignUserId irida irida (disable itk) the program works perfectly.

Any help would be very appreciated.

Cheers,
Ata

--
Ata Roudgar
Research Computing
WestGrid Site
IT Services
Simon Fraser University
Burnaby, British Columbia
Canada V5A 1S6
phone: 778 782-8860
fax: 778 782-4242

From sgunderson at bigfoot.com Fri Feb 19 19:45:33 2016
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Fri, 19 Feb 2016 19:45:33 +0100
Subject: [mpm-itk] mpm-itk 2.4.7-04 released
In-Reply-To: <016a01d16a9e$110f56d0$332e0470$@sfu.ca>
References: <20160214164111.GA1450@sesse.net> <008e01d16a6f$b66d3720$2347a560$@sfu.ca> <20160218190041.GA2641@sesse.net> <016a01d16a9e$110f56d0$332e0470$@sfu.ca>
Message-ID: <20160219184533.GA30466@sesse.net>

On Thu, Feb 18, 2016 at 02:45:30PM -0800, Lixin Liu wrote:
> Initially after we updated from 2.4.7-02 to 2.4.7-04, we see
>
> [unixd:alert] [pid 17398] (1)Operation not permitted: AH02156: setgid:
> unable to set group id to Group 0

Running a site as gid 0 sounds wrong, and it is not permitted by default. You need to open it up using LimitGIDRange.

/* Steinar */
--
Homepage: https://www.sesse.net/
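
Added example, not written by any list member or by the mpm-itk project, for the "Permissions on DocumentRoot" thread above: a Python check that applies plain owner/group/other mode bits to every component of a path, which is the view of a file server that cannot see a client's capabilities, and reports the first directory that lacks search permission. The numeric ids (0, 1001, 65534) are constructed, since the post only gives names, and capabilities, ACLs and uid 0 privileges are deliberately not modelled.

```python
#!/usr/bin/env python3
"""Find the path component that denies search (x) to a given identity.

Only classic Unix mode bits are modelled. Capabilities, ACLs and the special
treatment of uid 0 are ignored on purpose: that is the decision a file server
makes when it knows the caller's uid/gid but not its capabilities.
"""
import os
import stat
import sys
from typing import Iterable, List, NamedTuple, Optional


class Component(NamedTuple):
    path: str
    mode: int      # permission bits, e.g. 0o700
    uid: int       # owning user
    gid: int       # owning group
    is_dir: bool


def has_search(c: Component, uid: int, gids: Iterable[int]) -> bool:
    """Exactly one class applies: owner, else group, else other."""
    if uid == c.uid:
        return bool(c.mode & stat.S_IXUSR)
    if c.gid in set(gids):
        return bool(c.mode & stat.S_IXGRP)
    return bool(c.mode & stat.S_IXOTH)


def first_blocked(chain: List[Component], uid: int,
                  gids: Iterable[int]) -> Optional[str]:
    """Return the first directory denying search to (uid, gids), or None."""
    gids = set(gids)
    for c in chain:
        if c.is_dir and not has_search(c, uid, gids):
            return c.path
    return None


def chain_from_fs(path: str) -> List[Component]:
    """stat() each component of a real path, like `namei -m` does."""
    parts = [p for p in os.path.abspath(path).split(os.sep) if p]
    chain, cur = [], os.sep
    for name in [""] + parts:          # "" keeps the root directory itself
        cur = os.path.join(cur, name)
        st = os.stat(cur)
        chain.append(Component(cur, stat.S_IMODE(st.st_mode), st.st_uid,
                               st.st_gid, stat.S_ISDIR(st.st_mode)))
    return chain


# Constructed ids: root, the vhost user "foobar", and any unrelated identity.
ROOT, FOOBAR, OTHER = 0, 1001, 65534


def sample_chain(check_mode: int) -> List[Component]:
    """The namei listing from the post, with a chosen mode for `check`."""
    d = 0o755
    return [
        Component("/", d, ROOT, ROOT, True),
        Component("/mnt", d, ROOT, ROOT, True),
        Component("/mnt/web", d, ROOT, ROOT, True),
        Component("/mnt/web/tools", d, ROOT, ROOT, True),
        Component("/mnt/web/tools/check", check_mode, FOOBAR, FOOBAR, True),
        Component("/mnt/web/tools/check/check.txt", 0o600, FOOBAR, FOOBAR,
                  False),
    ]


def explain(check_mode: int) -> dict:
    """Blocking component for the owner and for an unrelated identity."""
    chain = sample_chain(check_mode)
    return {
        "as_foobar": first_blocked(chain, FOOBAR, [FOOBAR]),
        "as_other": first_blocked(chain, OTHER, [OTHER]),
    }


if __name__ == "__main__":
    if len(sys.argv) == 4:             # usage: script PATH UID GID
        live = chain_from_fs(sys.argv[1])
        print(first_blocked(live, int(sys.argv[2]), [int(sys.argv[3])]))
    else:
        for mode in (0o700, 0o711):    # drwx------ and drwx--x--x
            print(oct(mode), explain(mode))
```

With mode 0700 the owner passes every component while any other identity stops at /mnt/web/tools/check, and 0711 lets both through, which matches the 403 and 200 responses reported in the thread. Reading that as the NFS server judging the lookup under a non-owner identity is an interpretation of the thread, not something it states.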