Changeset 2422 for branches/fc19-dev
- Timestamp:
- May 29, 2013, 1:13:40 AM (12 years ago)
- Location:
- branches/fc19-dev/server
- Files:
- 
          - 2 added
- 6 deleted
- 3 edited
 
 - 
          common/patches/httpd-2.2.x-304.patch (deleted)
- 
          common/patches/httpd-2.2.x-log-docroot.patch (deleted)
- 
          common/patches/httpd-2.2.x-mod_ssl-sessioncaching.patch (deleted)
- 
          common/patches/httpd-2.2.x-mod_status-security.patch (deleted)
- 
          common/patches/httpd-304s.patch (added)
- 
          common/patches/httpd-SSLCompression.patch (deleted)
- 
          common/patches/httpd-fixup-vhost.patch (modified) (3 diffs)
- 
          common/patches/httpd-mod_status-security.patch (added)
- 
          common/patches/httpd-suexec-cloexec.patch (deleted)
- 
          common/patches/httpd-suexec-scripts.patch (modified) (16 diffs)
- 
          fedora/specs/httpd.spec.patch (modified) (4 diffs)
 
- 
        branches/fc19-dev/server/common/patches/httpd-fixup-vhost.patchr1602 r2422 1 commit 3b081163d6250d893838d69d9a83f217c341d657 2 Author: Greg Brockman <gdb@mit.edu> 3 Date: Fri Aug 6 23:19:15 2010 -0400 1 From 2e62dad3d91280032b2130f02553c968d306edf5 Mon Sep 17 00:00:00 2001 2 From: Alexander Chernyakhovsky <achernya@mit.edu> 3 Date: Fri, 3 May 2013 22:43:28 -0400 4 Subject: [PATCH 4/4] Export method to fixup a single virtual host 4 5 5 Add method to merge virtual host with a main server_rec 6 Apache normally provides ap_fixup_virtual_hosts, which merges the 7 configuration from the main server into each virtual host. Refactor 8 this code to allow merging the configuration into a single virtual 9 host, and export this method for use in mod_vhost_ldap. 10 11 Additionally, call the newly created method in the loop in 12 ap_fixup_virtual_hosts. 13 --- 14 include/http_config.h | 9 ++++++++ 15 server/config.c | 58 +++++++++++++++++++++++++++---------------------- 16 2 files changed, 41 insertions(+), 26 deletions(-) 6 17 7 18 diff --git a/include/http_config.h b/include/http_config.h 8 index 5e9fd51..8e6f24710064419 index 7ee3760..e3657ea 100644 9 20 --- a/include/http_config.h 10 21 +++ b/include/http_config.h 11 @@ -827,6 +827,16 @@ AP_DECLARE(void) ap_register_hooks(module *m, apr_pool_t *p); 12 AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, 22 
@@ -1012,6 +1012,15 @@ AP_DECLARE(void) ap_register_hooks(module *m, apr_pool_t *p); 23 */ 24 AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, 13 25 server_rec *main_server); 14 15 26 +/** 16 + * Setup a single virtual host by merging the main server_rec into it.27 + * Setup all virtual hosts 17 28 + * @param p The pool to allocate from 18 + * @param main_server The server_rec with which to merge19 + * @param virt The virtual host server_rec with some set of directives to override already set29 + * @param main_server The head of the server_rec list 30 + * @param virt The individual virtual host to fix 20 31 + */ 21 32 +AP_DECLARE(void) ap_fixup_virtual_host(apr_pool_t *p, 22 33 + server_rec *main_server, 23 34 + server_rec *virt); 24 +25 /* For http_request.c... */26 35 27 36 /** 37 * Reserve some modules slots for modules loaded by other means than 28 38 diff --git a/server/config.c b/server/config.c 29 index 101d0e4..ef0f2ba10064439 index bc0804a..488954d 100644 30 40 --- a/server/config.c 31 41 +++ b/server/config.c 32 @@ -1902,38 +1902,43 @@ AP_CORE_DECLARE(const char *) ap_init_virtual_host(apr_pool_t *p, 42 
@@ -2246,46 +2246,52 @@ AP_DECLARE(void) ap_merge_log_config(const struct ap_logconf *old_conf, 43 } 33 44 } 34 35 45 36 46 -AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, server_rec *main_server) 37 47 +AP_DECLARE(void) ap_fixup_virtual_host(apr_pool_t *p, server_rec *main_server, 38 + 48 + server_rec *virt) 39 49 { 40 50 - server_rec *virt; 41 + merge_server_configs(p, main_server->module_config, 42 + virt->module_config); 51 core_dir_config *dconf = 52 ap_get_core_module_config(main_server->lookup_defaults); 53 dconf->log = &main_server->log; 43 54 44 55 - for (virt = main_server->next; virt; virt = virt->next) { 45 56 - merge_server_configs(p, main_server->module_config, 46 57 - virt->module_config); 47 + virt->lookup_defaults = 48 + ap_merge_per_dir_configs(p, main_server->lookup_defaults, 49 + virt->lookup_defaults); 58 + merge_server_configs(p, main_server->module_config, 59 + virt->module_config); 50 60 51 61 - virt->lookup_defaults = 52 62 - ap_merge_per_dir_configs(p, main_server->lookup_defaults, 53 63 - virt->lookup_defaults); 54 + if (virt->server_admin == NULL) 55 + virt->server_admin = main_server->server_admin; 64 + virt->lookup_defaults = 65 + ap_merge_per_dir_configs(p, main_server->lookup_defaults, 66 + virt->lookup_defaults); 56 67 57 68 - if (virt->server_admin == NULL) 58 69 - virt->server_admin = main_server->server_admin; 59 + if (virt-> timeout == 0)60 + virt->timeout = main_server->timeout;70 + if (virt->server_admin == NULL) 71 + virt->server_admin = main_server->server_admin; 61 72 62 73 - if (virt->timeout == 0) 63 74 - virt->timeout = main_server->timeout; 64 + if (virt-> keep_alive_timeout == 0)65 + virt->keep_alive_timeout = main_server->keep_alive_timeout;75 + if (virt->timeout == 0) 76 + virt->timeout = main_server->timeout; 66 77 67 78 - if (virt->keep_alive_timeout == 0) 68 79 - virt->keep_alive_timeout = main_server->keep_alive_timeout; 69 + if (virt->keep_alive == -1)70 + virt->keep_alive = main_server->keep_alive;80 + 
if (virt->keep_alive_timeout == 0) 81 + virt->keep_alive_timeout = main_server->keep_alive_timeout; 71 82 72 83 - if (virt->keep_alive == -1) 73 84 - virt->keep_alive = main_server->keep_alive; 74 + if (virt->keep_alive _max== -1)75 + virt->keep_alive_max = main_server->keep_alive_max;85 + if (virt->keep_alive == -1) 86 + virt->keep_alive = main_server->keep_alive; 76 87 77 88 - if (virt->keep_alive_max == -1) 78 89 - virt->keep_alive_max = main_server->keep_alive_max; 79 + /* XXX: this is really something that should be dealt with by a 80 + * post-config api phase 81 + */ 82 + ap_core_reorder_directories(p, virt); 83 +} 90 + if (virt->keep_alive_max == -1) 91 + virt->keep_alive_max = main_server->keep_alive_max; 92 93 - ap_merge_log_config(&main_server->log, &virt->log); 94 + ap_merge_log_config(&main_server->log, &virt->log); 95 96 - dconf = ap_get_core_module_config(virt->lookup_defaults); 97 - dconf->log = &virt->log; 98 + dconf = ap_get_core_module_config(virt->lookup_defaults); 99 + dconf->log = &virt->log; 84 100 85 101 - /* XXX: this is really something that should be dealt with by a … … 88 104 - ap_core_reorder_directories(p, virt); 89 105 - } 106 + /* XXX: this is really something that should be dealt with by a 107 + * post-config api phase 108 + */ 109 + ap_core_reorder_directories(p, virt); 110 +} 111 + 90 112 +AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, server_rec *main_server) 91 113 +{ 92 114 + server_rec *virt; 93 + 115 + 94 116 + for (virt = main_server->next; virt; virt = virt->next) 95 117 + ap_fixup_virtual_host(p, main_server, virt); … … 97 119 ap_core_reorder_directories(p, main_server); 98 120 } 121 -- 122 1.7.9.6 (Apple Git-31.1) 123 
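Review bot: The two context lines that point the main server's core directory config at `main_server->log` now sit inside the body of `ap_fixup_virtual_host`, so every per-vhost call rewrites state that belongs to the main server instead of touching only `virt`. The commit message says the function is exported for mod_vhost_ldap; if that module calls it outside startup (not visible here), the write lands on shared configuration while requests are being served. Consider keeping `core_dir_config *dconf = ap_get_core_module_config(main_server->lookup_defaults); dconf->log = &main_server->log;` in `ap_fixup_virtual_hosts` ahead of the loop, which also preserves the assignment when there are no virtual hosts, unless the elided lines already handle that. Separately, the new header comment for `ap_fixup_virtual_host` reads `Setup all virtual hosts`, which describes the plural function; `Merge the main server_rec into a single virtual host` would match what it does.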
- 
        branches/fc19-dev/server/common/patches/httpd-suexec-scripts.patchr2186 r2422 1 # scripts.mit.edu httpd suexec patch 2 # Copyright (C) 2006, 2007, 2008 Jeff Arnold <jbarnold@mit.edu>, 3 # Joe Presbrey <presbrey@mit.edu>, 4 # Anders Kaseorg <andersk@mit.edu>, 5 # Geoffrey Thomas <geofft@mit.edu> 6 # 7 # This program is free software; you can redistribute it and/or 8 # modify it under the terms of the GNU General Public License 9 # as published by the Free Software Foundation; either version 2 10 # of the License, or (at your option) any later version. 11 # 12 # This program is distributed in the hope that it will be useful, 13 # but WITHOUT ANY WARRANTY; without even the implied warranty of 14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 # GNU General Public License for more details. 16 # 17 # You should have received a copy of the GNU General Public License 18 # along with this program; if not, write to the Free Software 19 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA 20 # 21 # See /COPYRIGHT in this repository for more information. 22 # 23 --- httpd-2.2.2/support/Makefile.in.old 2005-07-06 19:15:34.000000000 -0400 24 +++ httpd-2.2.2/support/Makefile.in 2007-01-20 17:12:51.000000000 -0500 25 @@ -60,7 +60,7 @@ 26 27 suexec_OBJECTS = suexec.lo 28 suexec: $(suexec_OBJECTS) 29 - $(LINK) $(suexec_OBJECTS) 30 + $(LINK) -lselinux $(suexec_OBJECTS) 31 32 htcacheclean_OBJECTS = htcacheclean.lo 33 htcacheclean: $(htcacheclean_OBJECTS) 34 --- httpd-2.2.2/configure.in.old 2007-07-17 10:48:25.000000000 -0400 35 +++ httpd-2.2.2/configure.in 2008-08-29 08:15:41.000000000 -0400 36 @@ -559,6 +559,10 @@ 1 From 8445788d68230b2e18739166f4c3ae6434038421 Mon Sep 17 00:00:00 2001 2 
From: Alexander Chernyakhovsky <achernya@mit.edu> 3 Date: Fri, 3 May 2013 21:38:58 -0400 4 Subject: [PATCH 1/4] Add scripts-specific support to suexec 5 6 This patch make suexec aware of static-cat, Scripts' tool to serve 7 static content out of AFS. Specifically, this introduces a whitelist 8 of extensions for which suexec is supposed to invoke static-cat as a 9 content-handler. 10 11 Additionally, this patch also sets JAVA_TOOL_OPTIONS, to allow the JVM 12 to start up in Scripts' limited memory environment. 13 14 Furthermore, this patch deals with some of suexec's paranoia being 15 incorrect in an AFS world, by ignoring some of the irrelevant stat 16 results. 17 18 Finally, add support for invoking php-cgi for php files, in a safe 19 manner that will strip arguments passed by Apache to php-cgi. 20 --- 21 configure.in | 4 ++ 22 support/suexec.c | 172 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 23 2 files changed, 173 insertions(+), 3 deletions(-) 24 25 diff --git a/configure.in b/configure.in 26 index d93f78c..14faccf 100644 27 --- a/configure.in 28 +++ b/configure.in 29 @@ -720,6 +720,10 @@ AC_ARG_WITH(suexec-userdir, 37 30 APACHE_HELP_STRING(--with-suexec-userdir,User subdirectory),[ 38 31 AC_DEFINE_UNQUOTED(AP_USERDIR_SUFFIX, "$withval", [User subdirectory] ) ] ) … … 45 38 APACHE_HELP_STRING(--with-suexec-docroot,SuExec root directory),[ 46 39 AC_DEFINE_UNQUOTED(AP_DOC_ROOT, "$withval", [SuExec root directory] ) ] ) 47 --- httpd-2.2.11/support/suexec.c.old 2008-11-30 10:47:31.000000000 -0500 48 +++ httpd-2.2.11/support/suexec.c 2009-06-08 09:02:17.000000000 -0400 40 diff --git a/support/suexec.c b/support/suexec.c 41 index 5b6b254..e377042 100644 42 --- a/support/suexec.c 43 +++ b/support/suexec.c 49 44 @@ -30,6 +30,9 @@ 50 45 * … … 57 52 #include "ap_config.h" 58 53 #include "suexec.h" 59 
@@ -46,6 +49,7 @@ 60 #include <stdio.h> 61 #include <stdarg.h> 62 #include <stdlib.h> 63 +#include <selinux/selinux.h> 64 65 #ifdef HAVE_PWD_H 66 #include <pwd.h> 67 @@ -95,6 +99,7 @@ 54 @@ -92,6 +95,7 @@ static const char *const safe_env_lst[] = 68 55 { 69 56 /* variable name starts with */ … … 73 60 74 61 /* variable name is */ 75 @@ -2 45,9 +250,108 @@62 @@ -264,9 +268,108 @@ static void clean_env(void) 76 63 environ = cleanenv; 77 64 } … … 182 169 gid_t gid; /* target group placeholder */ 183 170 char *target_uname; /* target user name */ 184 @@ -2 68,6 +368,7 @@171 @@ -286,6 +389,7 @@ int main(int argc, char *argv[]) 185 172 * Start with a "clean" environment 186 173 */ … … 188 175 + setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1); /* scripts.mit.edu local hack */ 189 176 190 prog = argv[0];191 /*192 @@ -3 50,6 +451,20 @@177 /* 178 * Check existence/validity of the UID of the user 179 @@ -369,6 +473,20 @@ int main(int argc, char *argv[]) 193 180 #endif /*_OSD_POSIX*/ 194 181 … … 211 198 * or attempts to back up out of the current directory, 212 199 * to protect against attacks. If any are 213 @@ -3 71,6 +486,7 @@200 @@ -390,6 +508,7 @@ int main(int argc, char *argv[]) 214 201 userdir = 1; 215 202 } … … 219 206 * Error out if the target username is invalid. 220 207 */ 221 @@ -4 52,7 +568,7 @@208 @@ -471,7 +590,7 @@ int main(int argc, char *argv[]) 222 209 * Error out if attempt is made to execute as root or as 223 210 * a UID less than AP_UID_MIN. Tsk tsk. … … 225 212 - if ((uid == 0) || (uid < AP_UID_MIN)) { 226 213 + if ((uid == 0) || (uid < AP_UID_MIN && uid != 102)) { /* uid 102 = signup */ 227 log_err("cannot run as forbidden uid (% d/%s)\n",uid, cmd);214 log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd); 228 215 exit(107); 229 216 } 230 @@ - 484,6 +599,7 @@231 log_err("failed to setuid (%l d: %s)\n",uid, cmd);217 
@@ -503,6 +622,7 @@ int main(int argc, char *argv[]) 218 log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd); 232 219 exit(110); 233 220 } … … 236 223 /* 237 224 * Get the current working directory, as well as the proper 238 @@ -5 06,6 +637,21 @@225 @@ -525,6 +645,21 @@ int main(int argc, char *argv[]) 239 226 log_err("cannot get docroot information (%s)\n", target_homedir); 240 227 exit(112); … … 258 245 else { 259 246 if (((chdir(AP_DOC_ROOT)) != 0) || 260 @@ -5 32,15 +678,17 @@247 @@ -551,15 +686,17 @@ int main(int argc, char *argv[]) 261 248 /* 262 249 * Error out if cwd is writable by others. … … 277 264 exit(117); 278 265 } 279 @@ -5 48,10 +696,12 @@266 @@ -567,10 +704,12 @@ int main(int argc, char *argv[]) 280 267 /* 281 268 * Error out if the program is writable by others. … … 290 277 /* 291 278 * Error out if the file is setuid or setgid. 292 @@ -5 65,6 +715,7 @@279 @@ -584,6 +723,7 @@ int main(int argc, char *argv[]) 293 280 * Error out if the target name/group is different from 294 281 * the name/group of the cwd or the program. … … 298 285 (gid != dir_info.st_gid) || 299 286 (uid != prg_info.st_uid) || 300 @@ -5 76,12 +727,14 @@301 prg_info.st_uid,prg_info.st_gid);287 @@ -595,12 +735,14 @@ int main(int argc, char *argv[]) 288 (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid); 302 289 exit(120); 303 290 } … … 314 301 exit(121); 315 302 } 316 @@ -6 14,6 +767,30 @@303 @@ -649,6 +791,30 @@ int main(int argc, char *argv[]) 317 304 /* 318 305 * Execute the command, replacing our image with its own. … … 345 332 /* We need the #! emulation when we want to execute scripts */ 346 333 { 334 -- 335 1.7.9.6 (Apple Git-31.1) 336 
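Review bot: The forbidden-uid check in `main()` exempts a literal `102` from the `AP_UID_MIN` floor (`uid < AP_UID_MIN && uid != 102`), and the only record of which account that is lives in the trailing `/* uid 102 = signup */` comment. System uids are assigned per host, so on a machine where 102 belongs to a different service account this setuid helper would agree to run as that account. A named compile-time constant supplied from configure, next to the other suexec options this patch adds to `configure.in`, or a lookup of the account by name followed by a uid comparison, would tie the exemption to the intended user. The nearby `setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1)` call also ignores its return value. `main()` begins and ends outside the visible hunks, and several hunk bodies are elided on this page.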
- 
        branches/fc19-dev/server/fedora/specs/httpd.spec.patchr2377 r2422 1 --- /tmp/httpd/httpd.spec.orig 2013-02-14 17:53:29.967176396 -05002 +++ /tmp/httpd/httpd.spec 2013-02-14 17:54:57.172521444 -05003 @@ - 9,7 +9,7 @@1 --- httpd.spec.orig 2013-05-29 00:46:07.522169507 -0400 2 +++ httpd.spec 2013-05-29 00:46:37.905169507 -0400 3 @@ -14,7 +14,7 @@ 4 4 Summary: Apache HTTP Server 5 5 Name: httpd 6 Version: 2. 2.237 -Release: 1%{?dist}8 +Release: 1%{?dist}.scripts.%{scriptsversion}6 Version: 2.4.4 7 -Release: 4%{?dist} 8 +Release: 4%{?dist}.scripts.%{scriptsversion} 9 9 URL: http://httpd.apache.org/ 10 10 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 11 11 Source1: index.html 12 @@ - 57,6 +57,15@@12 @@ -79,6 +79,12 @@ 13 13 Requires(postun): systemd-units 14 14 Requires(post): systemd-units 15 15 16 16 +Provides: scripts-httpd = %{version}-%{release} 17 +Patch1000: httpd-suexec-scripts.patch 18 +Patch1003: httpd-2.2.x-mod_status-security.patch 19 +Patch1004: httpd-2.2.x-304.patch 20 +Patch1005: httpd-2.2.x-mod_ssl-sessioncaching.patch 21 +Patch1006: httpd-suexec-cloexec.patch 22 +Patch1007: httpd-fixup-vhost.patch 23 +Patch1008: httpd-SSLCompression.patch 17 +Patch1001: httpd-suexec-scripts.patch 18 +Patch1002: httpd-mod_status-security.patch 19 +Patch1003: httpd-304s.patch 20 +Patch1004: httpd-fixup-vhost.patch 24 21 + 25 22 %description 26 23 The Apache HTTP Server is a powerful, efficient, and extensible 27 24 web server. 28 @@ - 67,6 +76,7 @@25 @@ -89,6 +95,7 @@ 29 26 Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel 30 27 Requires: apr-devel, apr-util-devel, pkgconfig … … 34 31 %description devel 35 32 The httpd-devel package contains the APXS binary and other files 36 @@ -1 05,6 +115,7 @@33 
@@ -127,6 +134,7 @@ 37 34 Requires(post): openssl, /bin/cat 38 35 Requires(pre): httpd … … 42 39 43 40 %description -n mod_ssl 44 @@ -1 31,6 +142,14@@45 # P atch in vendor/release string46 sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p141 @@ -189,6 +197,11 @@ 42 # Prevent use of setcap in "install-suexec-caps" target. 43 sed -i '/suexec/s,setcap ,echo Skipping setcap for ,' Makefile.in 47 44 48 +%patch1000 -p1 -b .scripts 49 +%patch1003 -p1 -b .permitstatus 50 +%patch1004 -p1 -b .scripts-304 51 +%patch1005 -p1 -b .ssl-sessioncache 52 +%patch1006 -p1 -b .cloexec 53 +%patch1007 -p1 -b .fixup-vhost 54 +%patch1008 -p1 -b .sslcompression 45 +%patch1001 -p1 -b .suexec-scripts 46 +%patch1002 -p1 -b .mod_status-security 47 +%patch1003 -p1 -b .scripts-304s 48 +%patch1004 -p1 -b .fixup-vhost 55 49 + 56 50 # Safety check: prevent build if defined MMN does not equal upstream MMN. 57 51 vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'` 58 52 if test "x${vmmn}" != "x%{mmn}"; then 59 @@ -191,10 +210,12 @@ 60 --with-apr=%{_prefix} --with-apr-util=%{_prefix} \ 53 @@ -235,11 +248,13 @@ 61 54 --enable-suexec --with-suexec \ 55 --enable-suexec-capabilities \ 62 56 --with-suexec-caller=%{suexec_caller} \ 63 - --with-suexec-docroot=%{contentdir} \ 57 - --with-suexec-docroot=%{docroot} \ 58 - --without-suexec-logfile \ 59 - --with-suexec-syslog \ 64 60 + --with-suexec-docroot=/ \ 65 61 + --with-suexec-userdir=web_scripts \ 66 62 + --with-suexec-trusteddir=/usr/libexec/scripts-trusted \ 67 --with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \ 63 + --with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \ 64 + --without-suexec-syslog \ 68 65 --with-suexec-bin=%{_sbindir}/suexec \ 69 66 - --with-suexec-uidmin=500 --with-suexec-gidmin=100 \ … … 71 68 --enable-pie \ 72 69 --with-pcre \ 73 $*70 --enable-mods-shared=all \ 
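Review bot: The suexec configure flags switch from `--without-suexec-logfile --with-suexec-syslog` to a log file with `--without-suexec-syslog`, in the same change that drops `Patch1006: httpd-suexec-cloexec.patch`. With a file-backed log, suexec holds a descriptor to `suexec.log` while it prepares to exec user code, so it is worth confirming that 2.4.4's `support/suexec.c` closes that descriptor or marks it close-on-exec on every exec path, including the static-cat and php-cgi handling described in httpd-suexec-scripts.patch's commit message. The spec also records no reason for dropping the SSLCompression and mod_ssl session-caching patches. A comment next to the `Patch1001`–`Patch1004` lines such as `# dropped for 2.4: httpd-suexec-cloexec, httpd-SSLCompression, httpd-2.2.x-mod_ssl-sessioncaching (reason: <upstream fix or config change>)` would let a later reader verify each removal.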
      
