Posted to users@httpd.apache.org by Philip J Dicke <pj...@psu.edu> on 2009/07/08 20:09:55 UTC

[users@httpd] Windows rotatelogs, cmd.exe permission

Apache 2.2.11
Windows Server 2003 R2 x64

Hello all,
I've searched the archives and only found confirmation of what my problem is,
but no solutions.  I am trying to configure apache httpd in such a way that
logs are rotated on a daily basis, and the server is not shut down when doing
so.  Currently I am using piped output to the rotatelogs.exe process to do so. 
So far so good, right?  Not so fast...
I currently have httpd running as a windows service, logging on as a restricted
user called "webserver".  That account is very restricted in the folders that
it can read/execute.  In order to follow the security policy, the webserver
account needs to be configured so that it cannot access cmd.exe.  When httpd
runs on windows and uses piped output to a log file, it creates a named pipe
and launches a "shell (cmd.exe)" to run the executable.  FAIL!
Windows does not seem to have the "apachectl graceful" command that unix does. 
The only solution that I see is to run apache, where it writes straight to a
log file, write a script that shuts down httpd, moves the log file and restarts
httpd.  I'd rather not do that, as my server gets a lot of traffic during all
hours of the day.  Currently the server is not clustered.

Any solutions? (and don't say move to Linux, I wish I could).


-Phil


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Windows rotatelogs, cmd.exe permission

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Philip J Dicke wrote:
>> Ok; please explain how the process initially has rights to invoke cmd.exe
>> and how these were subtracted after initialization?
> Well it works now b/c the webserver user has access to the cmd.exe.  Security
> review revealed that access needs to be removed.

Ok; that's not what your post said... you implied it was restart-related :)

>> syntax "|$pipecmd args" works as today,
> 
> AWESOME!!! this is exactly the solution I was looking for!  Just tried it and
> seems to be working.  I will let you know if there are any issues.

Huh?  That feature is not implemented yet.



Re: [users@httpd] Windows rotatelogs, cmd.exe permission

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Philip J Dicke wrote:
> I currently have httpd running as a windows service, logging on as a restricted
> user called "webserver".  That account is very restricted in the folders that
> it can read/execute.  In order to follow the security policy, the webserver
> account needs to be configured so that it cannot access cmd.exe.  When httpd
> runs on windows and uses piped output to a log file, it creates a named pipe
> and launches a "shell (cmd.exe)" to run the executable.  FAIL!

Ok; please explain how the process initially has rights to invoke cmd.exe
and how these were subtracted after initialization?

> Windows does not seem to have the "apachectl graceful" command that unix does. 

That's right; every service control command 128 is a graceful today, which
is what the ApacheMonitor taskbar-utility issues when you choose 'restart'.
So does httpd.exe -k restart.  But Windows OS only knows a hard restart,
stop and then restart the parent.

However the child process lives only one iteration, just as in unix.

The new feature I have worked up uses "||realpipe args" if you want to
absolutely invoke realpipe without a command shell (on win or unix).  The
syntax "|$pipecmd args" works as today, sending the pipecmd args to the
command shell.

In 2.3 forward, realpipe will be the default.  In 2.2, pipecmd stays the
default so as not to disrupt so many people.  So offering both syntaxes
should help you with an httpd.conf that will make the transition.




Re: [users@httpd] Windows rotatelogs, cmd.exe permission

Posted by Sander Temme <sc...@apache.org>.
On Jul 8, 2009, at 11:09 AM, Philip J Dicke wrote:

> Windows does not seem to have the "apachectl graceful" command that unix does.
> The only solution that I see is to run apache, where it writes straight to a
> log file, write a script that shuts down httpd, moves the log file and restarts
> httpd.


I've had good success using the following approach:

1) move the logfile(s) to a new name, with a timestamp or whatever
2) Send httpd.exe -n ServiceName -k graceful (wrowe tells us that
restart and graceful are the same thing on Windows)
3) Wait a second, a minute, an hour or whatever you need to make sure
the old httpd child has in fact gone away and has stopped writing to
the open file descriptor of the old logfile.
4) Do what you need to do to the old logfile (compress, explode into
vhosts, analyze, whatever, it's yours now)

The fact that httpd keeps writing to the old logfile ensures that you  
don't miss any log entries, and the graceful restart ensures  
uninterrupted service.  As wrowe says, the service interface only  
knows to kill the program under consideration entirely, and then start  
it up again.  This is obviously too harsh if you expect to keep  
serving requests, and fortunately not necessary.

S.

-- 
Sander Temme
sctemme@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
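Editor's note: the four steps above, written out as a PowerShell script. This is an added example and not code from the thread or from the httpd project; the install path, service name, log file names and the upper bound on the wait are assumptions chosen for illustration. Step 3 is implemented as a check rather than a fixed sleep: the script tries to open each rotated file with exclusive sharing, which fails while the old httpd child still holds its handle, and only moves on once the open succeeds. Because the rotation is driven from outside httpd, no piped logger and therefore no cmd.exe is spawned under the service account, which is the constraint the original post was working around.

```powershell
# Added example, not from the thread: carries out Sander Temme's four rotation
# steps. Install path, service name, log names and wait bound are assumptions.
param(
    [string]$HttpdExe    = 'C:\Apache2.2\bin\httpd.exe',   # assumed install path
    [string]$ServiceName = 'Apache2.2',                    # assumed Windows service name
    [string]$LogDir      = 'C:\Apache2.2\logs',            # assumed log directory
    [string[]]$LogNames  = @('access.log', 'error.log'),   # assumed log file names
    [int]$MaxWaitSeconds = 300                             # assumed upper bound for step 3
)

$ErrorActionPreference = 'Stop'

# Returns $true once no process holds the file open: opening it with
# FileShare.None raises an IOException while the old child still has a handle.
function Test-FileReleased {
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::None)
        $fs.Close()
        return $true
    } catch [System.IO.IOException] {
        return $false
    }
}

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$rotated = @()

# Step 1: rename the live log files. The running child keeps writing to the
# renamed file through its open handle, so no entries are lost.
foreach ($name in $LogNames) {
    $src = Join-Path $LogDir $name
    if (Test-Path -LiteralPath $src) {
        $newName = '{0}.{1}' -f $name, $stamp
        Rename-Item -LiteralPath $src -NewName $newName
        $rotated += Join-Path $LogDir $newName
    }
}

# Step 2: graceful restart; the new child opens fresh files under the old names.
& $HttpdExe -n $ServiceName -k graceful
if ($LASTEXITCODE -ne 0) {
    throw "httpd.exe -k graceful returned exit code $LASTEXITCODE"
}

# Step 3: poll until the old child has released every rotated file,
# giving up after $MaxWaitSeconds rather than sleeping a fixed time.
$deadline = (Get-Date).AddSeconds($MaxWaitSeconds)
foreach ($file in $rotated) {
    while (-not (Test-FileReleased $file)) {
        if ((Get-Date) -gt $deadline) {
            throw "Old httpd child still holds $file after $MaxWaitSeconds seconds"
        }
        Start-Sleep -Seconds 5
    }
}

# Step 4: the rotated files are free; move them aside for compression or
# analysis by whatever tooling you use.
$archive = Join-Path $LogDir 'archive'
if (-not (Test-Path -LiteralPath $archive)) {
    New-Item -ItemType Directory -Path $archive | Out-Null
}
foreach ($file in $rotated) {
    Move-Item -LiteralPath $file -Destination $archive
}
Write-Output ('Rotated {0} file(s) into {1}' -f $rotated.Count, $archive)
```

Run it from Task Scheduler under an account that has Modify rights on the log directory and is allowed to signal the service; the httpd service account itself needs no additional rights for this to work.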




Re: [users@httpd] Windows rotatelogs, cmd.exe permission

Posted by Philip J Dicke <pj...@psu.edu>.
This sounds like the solution until the new "real pipes" solution is
implemented.  Thank you all.



Philip J. Dicke
Penn State ARL
JIATFS Support
pjd130@psu.edu
305-293-5481

