From Ondrej.Valousek at s3group.com Sat Oct 1 00:06:16 2016
From: Ondrej.Valousek at s3group.com (Ondrej Valousek)
Date: Fri, 30 Sep 2016 22:06:16 +0000
Subject: [mpm-itk] Problem with directory listing
In-Reply-To: <1504452b-f522-4b29-060a-5650d4b3ee74@bachsau.net>
References: <20160930150208.GA38922@sesse.net> <1504452b-f522-4b29-060a-5650d4b3ee74@bachsau.net>
Message-ID:

Well, I thought I would not have to disallow root squash. Root squash seems to me a good security protection.

-----Original Message-----
From: mpm-itk [mailto:mpm-itk-bounces at err.no] On Behalf Of Bachsau Security
Sent: Friday, September 30, 2016 5:42 PM
To: mpm-itk at err.no
Subject: Re: [mpm-itk] Problem with directory listing

If you want to serve only static HTML there is no need for ITK. Why would you need it? When there is no active code there is no reason to run several with different user ids. I think your scenario won't even work with default apache privilege separation. Why don't you allow root to access your NFS?

On 30.09.16 at 17:16, Ondrej Valousek wrote:
> If there is no solution, then what is the ITK actually good for? It is probably no good for serving static html, right?

_______________________________________________
mpm-itk mailing list
mpm-itk at err.no
http://lists.err.no/mailman/listinfo/mpm-itk

-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications at s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.

From info at bachsau.net Sat Oct 1 00:19:18 2016
From: info at bachsau.net (Bachsau Network)
Date: Sat, 1 Oct 2016 00:19:18 +0200
Subject: [mpm-itk] Problem with directory listing
In-Reply-To:
References: <20160930150208.GA38922@sesse.net> <1504452b-f522-4b29-060a-5650d4b3ee74@bachsau.net>
Message-ID: <143e5f2e-ef56-6d83-ac17-3d413294aabe@bachsau.net>

On 01.10.2016 at 00:06, Ondrej Valousek wrote:
> Well, I thought I would not have to disallow root squash. Root squash seems to me a good security protection.

It just needs rights to read and browse, not to modify. However, if root is compromised on your web server machine you probably have other things to worry about than access rights on your NFS.

From Ondrej.Valousek at s3group.com Mon Oct 3 09:40:14 2016
From: Ondrej.Valousek at s3group.com (Ondrej Valousek)
Date: Mon, 3 Oct 2016 07:40:14 +0000
Subject: [mpm-itk] Problem with directory listing
In-Reply-To: <143e5f2e-ef56-6d83-ac17-3d413294aabe@bachsau.net>
References: <20160930150208.GA38922@sesse.net> <1504452b-f522-4b29-060a-5650d4b3ee74@bachsau.net> <143e5f2e-ef56-6d83-ac17-3d413294aabe@bachsau.net>
Message-ID:

The thing is that I do not want to modify access control (and - it's there for a reason).
If my webserver (and since ITK is running as root, it is running on a dedicated machine) is compromised (actually I am more concerned about some bug), the damage it could cause is much less if root squash is enabled.

Moreover I think ITK _could_ do what I want if it could map the hook core_map_to_storage() routine - for example the same way as mod_dav_svn does. We could later on call it ourselves (under valid UID).

Ideally what I would like to achieve is authenticated access to web portal via mod_auth_kerb or mod_auth_gssapi or even local PAM modules (why not) and then spawn process under authenticated user.

Last question I have is - I am using the "AssignUserIDExpr" directive. Is there any way to handle a situation when we receive a non-valid username? I would like to return some custom static error web page.

Many thanks,
Ondrej

-----Original Message-----
From: Bachsau Network [mailto:info at bachsau.net]
Sent: Saturday, October 01, 2016 12:19 AM
To: Ondrej Valousek; mpm-itk at err.no
Subject: Re: [mpm-itk] Problem with directory listing

On 01.10.2016 at 00:06, Ondrej Valousek wrote:
> Well, I thought I would not have to disallow root squash. Root squash seems to me a good security protection.

It just needs rights to read and browse, not to modify. However, if root is compromised on your web server machine you probably have other things to worry about than access rights on your NFS.

From jani+mpm-itk at ifi.uio.no Mon Oct 3 13:05:51 2016
From: jani+mpm-itk at ifi.uio.no (Jan Ingvoldstad)
Date: Mon, 03 Oct 2016 13:05:51 +0200
Subject: [mpm-itk] Problem with directory listing
In-Reply-To: (Ondrej Valousek's message of "Mon, 3 Oct 2016 07:40:14 +0000")
References: <20160930150208.GA38922@sesse.net> <1504452b-f522-4b29-060a-5650d4b3ee74@bachsau.net> <143e5f2e-ef56-6d83-ac17-3d413294aabe@bachsau.net>
Message-ID:

On Mon, 3 Oct 2016 07:40:14 +0000, Ondrej Valousek said:

> The thing is, that I do not want to modify access control (and - it's there for a reason).
> If my webserver (and since ITK is running as root, it is running on a
> dedicated machine) is compromised (actually I am more concerned about
> some bug), the damage it could cause is much less if root squash is
> enabled.

Why doesn't chmod o+x solve the problem for you?

PS: could you please try to show which parts of the message you're answering, and not just include the entire previous message?

--
user interface n1
1. barrier that cuts the user off from using an object, often a computer.
2. fixed and unchangeable picture of how a computer is required to be used.
3. inedible abstraction over human inadequacy.

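The `chmod o+x` question above comes down to whether every directory on the way to the document root grants search permission to the identity the NFS server sees for a squashed root. As an added example (not code from this thread or from mpm-itk), the script below lists the directories that would stop such a lookup, assuming root is mapped to uid/gid 65534 and ignoring ACLs and supplementary groups; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

ANON_ID = 65534  # assumption: the usual anonuid/anongid that root_squash maps root to

def can_search(st, uid, gid):
    """POSIX class selection: owner bits, else group bits, else other (ACLs ignored)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def blocked_dirs(export_root, target, uid=ANON_ID, gid=ANON_ID):
    """Directories from export_root down to target that uid/gid cannot traverse."""
    export_root, target = os.path.realpath(export_root), os.path.realpath(target)
    if os.path.commonpath([export_root, target]) != export_root:
        raise ValueError("target is not below export_root")
    rel = os.path.relpath(target, export_root)
    blocked, current = [], export_root
    for part in [None] + ([] if rel == "." else rel.split(os.sep)):
        if part is not None:
            current = os.path.join(current, part)
        st = os.stat(current)
        if stat.S_ISDIR(st.st_mode) and not can_search(st, uid, gid):
            blocked.append(os.path.relpath(current, export_root))
    return blocked

def demo():
    """Constructed tree: home/alice is 0750, as a private home directory would be."""
    # Pick an id that owns nothing in the sample tree, whoever runs this script.
    anon = max(os.getuid(), os.getgid(), ANON_ID) + 1
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home")
        alice = os.path.join(home, "alice")
        docroot = os.path.join(alice, "public_html")
        os.makedirs(docroot)
        for path, mode in ((root, 0o755), (home, 0o755), (alice, 0o750), (docroot, 0o755)):
            os.chmod(path, mode)
        before = blocked_dirs(root, docroot, anon, anon)
        os.chmod(alice, 0o751)  # the chmod o+x discussed in the thread
        after = blocked_dirs(root, docroot, anon, anon)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The check only reads mode bits with `os.stat`, so it can be run on the NFS server itself by any account that can stat the path.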
From Ondrej.Valousek at s3group.com Mon Oct 3 13:13:29 2016
From: Ondrej.Valousek at s3group.com (Ondrej Valousek)
Date: Mon, 3 Oct 2016 11:13:29 +0000
Subject: [mpm-itk] Problem with directory listing
In-Reply-To:
References: <20160930150208.GA38922@sesse.net> <1504452b-f522-4b29-060a-5650d4b3ee74@bachsau.net> <143e5f2e-ef56-6d83-ac17-3d413294aabe@bachsau.net>
Message-ID:

> Why doesn't chmod o+x solve the problem for you?

I am not saying it would not solve the problem. It would; I am only not willing to do it this way as it is a security problem. And besides, it is an ugly solution as well.
Ideally (as I said) we should mask core_map_to_storage() hook so that apache is not complaining.
The aim is that apache follows user restriction on the filesystem.

From maeh86 at gmail.com Mon Oct 3 20:59:12 2016
From: maeh86 at gmail.com (Markus Ehrlicher)
Date: Mon, 3 Oct 2016 20:59:12 +0200
Subject: [mpm-itk] a2query doesn't work
Message-ID:

Hi together,

I have an Ubuntu 14.04.5 Webserver with mpm_itk enabled. I wanted to install php5.6 with the help of the PPA from Ondrej Sury (https://launchpad.net/~ondrej/+archive/ubuntu/php), but during the installation of libapache2-mod-php5.6, the installer stopped because of a problem of a2query.

I made this "upgrade" from php5.5 to php5.6 in the past on several other servers, but now, on every server I test, a2query brings the same error, whether the server is already upgraded to php5.6 or not.

To localize the problem, I deactivated mpm_itk (a2dismod) and a2query worked well. When I reactivated mpm_itk, a2query crashed again.

Here is my console output:

root@testserver:~# a2query -M
usage: fail($reason, $retval) at /usr/sbin/a2query line 168.
root@testserver:~# a2dismod mpm_itk
Module mpm_itk disabled.
To activate the new configuration, you need to run:
  service apache2 restart
root@testserver:~# a2query -M
prefork
root@testserver:~# a2enmod mpm_itk
Considering dependency mpm_prefork for mpm_itk:
Considering conflict mpm_event for mpm_prefork:
Considering conflict mpm_worker for mpm_prefork:
Module mpm_prefork already enabled
Enabling module mpm_itk.
To activate the new configuration, you need to run:
  service apache2 restart
root@testserver:~# a2query -M
usage: fail($reason, $retval) at /usr/sbin/a2query line 168.

Can someone confirm this problem and (better) help to repair it?

best regards,
Markus

From info at bachsau.net Tue Oct 4 15:17:19 2016
From: info at bachsau.net (Bachsau Network)
Date: Tue, 4 Oct 2016 15:17:19 +0200
Subject: [mpm-itk] a2query doesn't work
In-Reply-To:
References:
Message-ID:

On 03.10.16 at 20:59, Markus Ehrlicher wrote:
> I have a Ubuntu 14.04.5 Webserver with mpm_itk enabled. I wanted to
> install php5.6 with the help of the PPA from Ondrej Sury
> (https://launchpad.net/~ondrej/+archive/ubuntu/php
> )

Maybe you should contact the owner of that PPA, as his package is obviously not compatible with the distribution he created it for. In addition to this, a2query is a Debian-specific command, which is not part of official apache httpd packages.

From maeh86 at gmail.com Wed Oct 5 10:30:42 2016
From: maeh86 at gmail.com (Markus Ehrlicher)
Date: Wed, 5 Oct 2016 10:30:42 +0200
Subject: [mpm-itk] a2query doesn't work
In-Reply-To:
References:
Message-ID:

What has this problem to do with the owner of the PPA for php5.6, when it appears even if php5.6 is installed or not? a2query won't work in every case when mpm-itk is enabled in Apache.

a2query is officially included in Ubuntu 14.04 LTS (http://manpages.ubuntu.com/manpages/trusty/man1/a2query.1.html), so for me, this is not Debian specific.

2016-10-04 15:17 GMT+02:00 Bachsau Network:

> On 03.10.16 at 20:59, Markus Ehrlicher wrote:
>
>> I have a Ubuntu 14.04.5 Webserver with mpm_itk enabled. I wanted to
>> install php5.6 with the help of the PPA from Ondrej Sury
>> (https://launchpad.net/~ondrej/+archive/ubuntu/php
>> )
>>
>
> Maybe you should contact the owner of that PPA, as his package is
> obviously not compatible with the distribution he created it for. In
> addition to this, a2query is a Debian-specific command, which is not part
> of official apache httpd packages.
>
>

From info at bachsau.net Wed Oct 5 10:37:48 2016
From: info at bachsau.net (Bachsau Network)
Date: Wed, 5 Oct 2016 10:37:48 +0200
Subject: [mpm-itk] a2query doesn't work
In-Reply-To:
References:
Message-ID: <74BB67F7-7B52-4A83-8101-C236E9BD48DE@bachsau.net>

>
> On 05.10.2016 at 10:30, Markus Ehrlicher wrote:
>
> a2query is officially included in Ubuntu 14.04 LTS (http://manpages.ubuntu.com/manpages/trusty/man1/a2query.1.html), so for me, this is not Debian specific.

Ubuntu is based on Debian.