Posted to cvs@httpd.apache.org by tr...@apache.org on 2011/02/14 21:18:20 UTC

svn commit: r1070639 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/core.xml docs/manual/mod/mod_suexec.xml os/unix/unixd.c os/unix/unixd.h server/core.c

Author: trawick
Date: Mon Feb 14 20:18:20 2011
New Revision: 1070639

URL: http://svn.apache.org/viewvc?rev=1070639&view=rev
Log:
backport from trunk r1033519:

*) suEXEC: Add Suexec directive to disable suEXEC without renaming the
   binary (Suexec Off), or force startup failure if suEXEC is required
   but not supported (Suexec On).

Submitted by: trawick
Reviewed by: covener, wrowe

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/docs/manual/mod/core.xml
    httpd/httpd/branches/2.2.x/docs/manual/mod/mod_suexec.xml
    httpd/httpd/branches/2.2.x/os/unix/unixd.c
    httpd/httpd/branches/2.2.x/os/unix/unixd.h
    httpd/httpd/branches/2.2.x/server/core.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1070639&r1=1070638&r2=1070639&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Mon Feb 14 20:18:20 2011
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.18
 
+  *) suEXEC: Add Suexec directive to disable suEXEC without renaming the
+     binary (Suexec Off), or force startup failure if suEXEC is required
+     but not supported (Suexec On).  [Jeff Trawick]
+ 
   *) mod_proxy: Put the worker in error state if the SSL handshake with the
      backend fails. PR 50332.
      [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1070639&r1=1070638&r2=1070639&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Mon Feb 14 20:18:20 2011
@@ -90,18 +90,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * suEXEC: Add Suexec directive to disable suEXEC without renaming the
-     binary (Suexec Off), or force startup failure if suEXEC is required
-     but not supported (Suexec On).
-     Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1033519
-     Simpler 2.2.x patch: http://people.apache.org/~trawick/suexec-2.2.txt
-       (unlike trunk, a) doesn't cause startup to fail if SuexecUserGroup
-       coded but suEXEC disabled, and b) doesn't add field to unixd structure
-       with reason string for why suEXEC is disabled)
-     Plz consider where doc for directive should go.  Patch has it in core, as
-     enabling/disabling the basic capability is not split out into mod_unixd 2.2.x.
-     +1: trawick, covener, wrowe
-
   * mod_authn_file: Log friendly error message if AuthUserFile is not set.
       Trunk version of patch:
          http://svn.apache.org/viewcvs.cgi?rev=1070096&view=rev

Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/core.xml?rev=1070639&r1=1070638&r2=1070639&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/core.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/core.xml Mon Feb 14 20:18:20 2011
@@ -3257,6 +3257,23 @@ server</description>
 </directivesynopsis>
 
 <directivesynopsis>
+<name>Suexec</name>
+<description>Enable or disable the suEXEC feature</description>
+<syntax>Suexec On|Off</syntax>
+<default>On if suexec binary exists with proper owner and mode,
+Off otherwise</default>
+<contextlist><context>server config</context></contextlist>
+<compatibility>Available in Apache httpd 2.2.18 and later</compatibility>
+
+<usage>
+    <p>When On, startup will fail if the suexec binary doesn't exist
+    or has an invalid owner or file mode.</p>
+    <p>When Off, suEXEC will be disabled even if the suexec binary exists
+    and has a valid owner and file mode.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
 <name>TimeOut</name>
 <description>Amount of time the server will wait for
 certain events before failing a request</description>
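Review bot: The <usage> text for Off does not say what happens to virtual hosts that still carry SuexecUserGroup. The STATUS entry removed in this same commit says the 2.2.x patch, unlike trunk, does not fail startup when SuexecUserGroup is coded but suEXEC is disabled, so an administrator reading only this page cannot tell which user their CGI programs run as after Suexec Off. Suggest adding a sentence on that, and stating what "proper owner and mode" in <default> means (or linking to the suEXEC documentation), since the On case makes startup depend on it. The wording also shifts between "proper" and "valid"/"invalid"; one term throughout would read better.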

Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_suexec.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_suexec.xml?rev=1070639&r1=1070638&r2=1070639&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_suexec.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_suexec.xml Mon Feb 14 20:18:20 2011
@@ -63,7 +63,7 @@ later.</compatibility>
     </example>
 
 </usage>
-
+<seealso><directive module="core">Suexec</directive></seealso>
 </directivesynopsis>
 </modulesynopsis>
 

Modified: httpd/httpd/branches/2.2.x/os/unix/unixd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/os/unix/unixd.c?rev=1070639&r1=1070638&r2=1070639&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/os/unix/unixd.c (original)
+++ httpd/httpd/branches/2.2.x/os/unix/unixd.c Mon Feb 14 20:18:20 2011
@@ -237,6 +237,23 @@ AP_DECLARE(const char *) unixd_set_chroo
     return NULL;
 }
 
+AP_DECLARE(const char *) unixd_set_suexec(cmd_parms *cmd, void *dummy,
+                                          int arg)
+{
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    if (err != NULL) {
+        return err;
+    }
+
+    if (!unixd_config.suexec_enabled && arg) {
+        return "suEXEC isn't supported; check existence, owner, and "
+               "file mode of " SUEXEC_BIN;
+    }
+
+    unixd_config.suexec_enabled = arg;
+    return NULL;
+}
+
 AP_DECLARE(void) unixd_pre_config(apr_pool_t *ptemp)
 {
     apr_finfo_t wrapper;
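Review bot: In unixd_set_suexec, the test "!unixd_config.suexec_enabled && arg" cannot tell "the wrapper check failed" apart from "an earlier Suexec Off already cleared the flag". Because the function stores arg back into unixd_config.suexec_enabled, a configuration with Suexec Off followed later by Suexec On (for example from an included file) is rejected with the "check existence, owner, and file mode of" SUEXEC_BIN message even when the binary is fine. Suggest keeping the probed capability separate from the administrator's setting, or rewording the error so it covers both causes. The function also has no comment; one line saying that it handles the Suexec directive and relies on the flag having been initialised before directives are processed would help the next reader.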

Modified: httpd/httpd/branches/2.2.x/os/unix/unixd.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/os/unix/unixd.h?rev=1070639&r1=1070638&r2=1070639&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/os/unix/unixd.h (original)
+++ httpd/httpd/branches/2.2.x/os/unix/unixd.h Mon Feb 14 20:18:20 2011
@@ -90,6 +90,9 @@ AP_DECLARE(void) unixd_set_rlimit(cmd_pa
                            const char *arg, const char * arg2, int type);
 #endif
 
+AP_DECLARE(const char *) unixd_set_suexec(cmd_parms *cmd, void *dummy, 
+                                          int arg);
+
 /**
  * One of the functions to set mutex permissions should be called in
  * the parent process on platforms that switch identity when the 
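Review bot: The new unixd_set_suexec prototype has no documentation comment, while the declaration that follows it in this hunk opens with a /** block. Suggest a short /** comment stating that it is the handler for the Suexec directive, that arg is the On/Off flag, and that it returns NULL on success or an error string otherwise.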

Modified: httpd/httpd/branches/2.2.x/server/core.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/core.c?rev=1070639&r1=1070638&r2=1070639&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/server/core.c (original)
+++ httpd/httpd/branches/2.2.x/server/core.c Mon Feb 14 20:18:20 2011
@@ -3483,6 +3483,10 @@ AP_INIT_TAKE1("EnableExceptionHook", ap_
 #endif
 AP_INIT_TAKE1("TraceEnable", set_trace_enable, NULL, RSRC_CONF,
               "'on' (default), 'off' or 'extended' to trace request body content"),
+#ifdef SUEXEC_BIN
+AP_INIT_FLAG("Suexec", unixd_set_suexec, NULL, RSRC_CONF,
+             "Enable or disable suEXEC support"),
+#endif
 { NULL }
 };
 
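Review bot: The "#ifdef SUEXEC_BIN" guard around the new Suexec entry does not restrict it to platforms that provide unixd_set_suexec. The prototype is added only in os/unix/unixd.h in this commit, and the follow-up in this thread reports that httpd.h defines SUEXEC_BIN unconditionally, which leaves core.c referencing an undeclared handler on NetWare. Suggest guarding on something that is defined only where os/unix is built, or leaving SUEXEC_BIN undefined on platforms without suEXEC. A comment beside the guard saying why it is there would also help.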



Re: svn commit: r1070639 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/core.xml docs/manual/mod/mod_suexec.xml os/unix/unixd.c os/unix/unixd.h server/core.c

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 3/2/2011 7:19 PM, Guenter Knauf wrote:
> On 03.03.2011 01:46, William A. Rowe Jr. wrote:
>> On 3/2/2011 5:54 PM, Guenter Knauf wrote:
>>> 2. change to 'if !defined(NETWARE)' in core.c
>>
>> and !WIN32, of course.  This seems simplest, it is just 2.0.
> 2.2 you mean?
> k, do we agree that I just fix, or do we need a STATUS proposal with vote?

I don't believe[1] that it's necessary for a formal vote to correct
trunk or branch breakage.

Bill
[1] Speaking as Chair

Re: svn commit: r1070639 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/core.xml docs/manual/mod/mod_suexec.xml os/unix/unixd.c os/unix/unixd.h server/core.c

Posted by Ruediger Pluem <rp...@apache.org>.

On 03/03/2011 02:19 AM, Guenter Knauf wrote:
> On 03.03.2011 01:46, William A. Rowe Jr. wrote:
>> On 3/2/2011 5:54 PM, Guenter Knauf wrote:
>>> 2. change to 'if !defined(NETWARE)' in core.c
>>
>> and !WIN32, of course.  This seems simplest, it is just 2.0.
> 2.2 you mean?
> k, do we agree that I just fix, or do we need a STATUS proposal with vote?
> 
> Gün.
> 


As I see various approaches here, propose the one you like most in STATUS
and I guess a vote can happen fairly quickly.

Regards

Rüdiger

Re: svn commit: r1070639 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/core.xml docs/manual/mod/mod_suexec.xml os/unix/unixd.c os/unix/unixd.h server/core.c

Posted by Guenter Knauf <fu...@apache.org>.
On 03.03.2011 02:45, NormW wrote:
> On 3/03/2011 12:19 PM, Guenter Knauf wrote:
>> On 03.03.2011 01:46, William A. Rowe Jr. wrote:
>>> On 3/2/2011 5:54 PM, Guenter Knauf wrote:
>>>> 2. change to 'if !defined(NETWARE)' in core.c
>>>
>>> and !WIN32, of course. This seems simplest, it is just 2.0.
>> 2.2 you mean?
>> k, do we agree that I just fix, or do we need a STATUS proposal with
>> vote?
>>
>> Gün.
> Hi,
> Seems fixing httpd.h would be a better choice than core.c as it makes
> little sense (to me) for it to define SUEXEC_BIN when it is not a
> 'given' for all OS. This would then stop main.c printing it out for
> those platforms that do not have it.
>
>> #ifdef SUEXEC_BIN
>> printf(" -D SUEXEC_BIN=\"" SUEXEC_BIN "\"\n");
>> #endif
agreed.

G.


Re: svn commit: r1070639 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/core.xml docs/manual/mod/mod_suexec.xml os/unix/unixd.c os/unix/unixd.h server/core.c

Posted by NormW <no...@gknw.net>.
On 3/03/2011 12:19 PM, Guenter Knauf wrote:
> On 03.03.2011 01:46, William A. Rowe Jr. wrote:
>> On 3/2/2011 5:54 PM, Guenter Knauf wrote:
>>> 2. change to 'if !defined(NETWARE)' in core.c
>>
>> and !WIN32, of course. This seems simplest, it is just 2.0.
> 2.2 you mean?
> k, do we agree that I just fix, or do we need a STATUS proposal with vote?
>
> Gün.
Hi,
Seems fixing httpd.h would be a better choice than core.c as it makes 
little sense (to me) for it to define SUEXEC_BIN when it is not a 
'given' for all OS. This would then stop main.c printing it out for 
those platforms that do not have it.

> #ifdef SUEXEC_BIN
>     printf(" -D SUEXEC_BIN=\"" SUEXEC_BIN "\"\n");
> #endif

Norm


Re: svn commit: r1070639 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/core.xml docs/manual/mod/mod_suexec.xml os/unix/unixd.c os/unix/unixd.h server/core.c

Posted by Guenter Knauf <fu...@apache.org>.
On 03.03.2011 01:46, William A. Rowe Jr. wrote:
> On 3/2/2011 5:54 PM, Guenter Knauf wrote:
>> 2. change to 'if !defined(NETWARE)' in core.c
>
> and !WIN32, of course.  This seems simplest, it is just 2.0.
2.2 you mean?
k, do we agree that I just fix, or do we need a STATUS proposal with vote?

Gün.



Re: svn commit: r1070639 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/core.xml docs/manual/mod/mod_suexec.xml os/unix/unixd.c os/unix/unixd.h server/core.c

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 3/2/2011 5:54 PM, Guenter Knauf wrote:
> 2. change to 'if !defined(NETWARE)' in core.c

and !WIN32, of course.  This seems simplest, it is just 2.0.

Re: svn commit: r1070639 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/core.xml docs/manual/mod/mod_suexec.xml os/unix/unixd.c os/unix/unixd.h server/core.c

Posted by Guenter Knauf <fu...@apache.org>.
Hi,
the backport below is in this form invalid ...

On 14.02.2011 21:18, trawick@apache.org wrote:
> Author: trawick
> Date: Mon Feb 14 20:18:20 2011
> New Revision: 1070639
>
> URL: http://svn.apache.org/viewvc?rev=1070639&view=rev
> Log:
> backport from trunk r1033519:
>
> *) suEXEC: Add Suexec directive to disable suEXEC without renaming the
>     binary (Suexec Off), or force startup failure if suEXEC is required
>     but not supported (Suexec On).
>
> Submitted by: trawick
> Reviewed by: covener, wrowe
>
> Modified:
>      httpd/httpd/branches/2.2.x/CHANGES
>      httpd/httpd/branches/2.2.x/STATUS
>      httpd/httpd/branches/2.2.x/docs/manual/mod/core.xml
>      httpd/httpd/branches/2.2.x/docs/manual/mod/mod_suexec.xml
>      httpd/httpd/branches/2.2.x/os/unix/unixd.c
>      httpd/httpd/branches/2.2.x/os/unix/unixd.h
>      httpd/httpd/branches/2.2.x/server/core.c
>
> Modified: httpd/httpd/branches/2.2.x/server/core.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/core.c?rev=1070639&r1=1070638&r2=1070639&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/server/core.c (original)
> +++ httpd/httpd/branches/2.2.x/server/core.c Mon Feb 14 20:18:20 2011
> @@ -3483,6 +3483,10 @@ AP_INIT_TAKE1("EnableExceptionHook", ap_
>   #endif
>   AP_INIT_TAKE1("TraceEnable", set_trace_enable, NULL, RSRC_CONF,
>                 "'on' (default), 'off' or 'extended' to trace request body content"),
> +#ifdef SUEXEC_BIN
> +AP_INIT_FLAG("Suexec", unixd_set_suexec, NULL, RSRC_CONF,
> +             "Enable or disable suEXEC support"),
> +#endif
>   { NULL }
>   };
this one breaks NetWare build:
### mwccnlm Compiler:
#    File: server\core.c
# ----------------------
#    3488: { "Suexec", unixd_set_suexec,  ((void *) 0),  128, FLAG, 
"Enable or disable suEXEC support" }
#   Error:                             ^
#   undefined identifier 'unixd_set_suexec'

Errors caused tool to abort.

the ifdef is pretty much useless since we define SUEXEC_BIN 
unconditionally for all platforms in httpd.h:
/** The path to the suExec wrapper, can be overridden in Configuration */
#ifndef SUEXEC_BIN
#define SUEXEC_BIN  HTTPD_ROOT "/bin/suexec"
#endif

and so I wonder how Win32 might pass this ....
anyway, we need to fix it. What is preferred?
1. move the SUEXEC_BIN define to $platform/os.h (and left undefined for 
platforms which don't support suexec)
2. change to 'if !defined(NETWARE)' in core.c
3. move the whole unix stuff into a mod_unixd as it is in trunk (that 
would be then another backport I guess)

?

Gün.