Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package lighttpd for openSUSE:Factory 
checked in at 2025-06-23 15:00:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lighttpd (Old)
 and      /work/SRC/openSUSE:Factory/.lighttpd.new.7067 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "lighttpd"

Mon Jun 23 15:00:33 2025 rev:69 rq:1287253 version:1.4.79

Changes:
--------
--- /work/SRC/openSUSE:Factory/lighttpd/lighttpd.changes        2025-03-26 
21:23:52.395635529 +0100
+++ /work/SRC/openSUSE:Factory/.lighttpd.new.7067/lighttpd.changes      
2025-06-23 15:00:34.990073276 +0200
@@ -1,0 +2,8 @@
+Sun May 18 18:33:42 UTC 2025 - Andreas Stieger <andreas.stie...@gmx.de>
+
+- update to 1.4.79:
+  * bug fix for mod_openssl using both ECDSA and RSA certs
+  * hardened systemd lighttpd.service
+- drop harden_lighttpd.service.patch
+
+-------------------------------------------------------------------
@@ -1240 +1247,0 @@
-Mon Oct 31 12:35:41 UTC 2016 - stbueh...@web.de
@@ -1241,0 +1249 @@
+Mon Oct 31 12:35:41 UTC 2016 - stbueh...@web.de

Old:
----
  harden_lighttpd.service.patch
  lighttpd-1.4.78.tar.xz
  lighttpd-1.4.78.tar.xz.asc

New:
----
  lighttpd-1.4.79.tar.xz
  lighttpd-1.4.79.tar.xz.asc

----------(Old B)----------
  Old:  * hardened systemd lighttpd.service
- drop harden_lighttpd.service.patch
----------(Old E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ lighttpd.spec ++++++
--- /var/tmp/diff_new_pack.G4cGCK/_old  2025-06-23 15:00:37.006156698 +0200
+++ /var/tmp/diff_new_pack.G4cGCK/_new  2025-06-23 15:00:37.022157360 +0200
@@ -27,7 +27,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           lighttpd
-Version:        1.4.78
+Version:        1.4.79
 Release:        0
 Summary:        A Secure, Fast, Compliant, and Very Flexible Web Server
 License:        BSD-3-Clause
@@ -38,7 +38,6 @@
 Source2:        %{name}.sysconfig
 Source3:        %{name}.keyring
 Source7:        lighttpd.logrotate
-Patch0:         harden_lighttpd.service.patch
 BuildRequires:  autoconf
 BuildRequires:  iputils
 BuildRequires:  libtool
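Review bot: Dropping `Patch0: harden_lighttpd.service.patch` makes the package rely entirely on upstream's unit for hardening, but the upstream unit further down in this diff (doc/systemd/lighttpd.service) still ships `#User=lighttpd`, `#Group=lighttpd` and `#CapabilityBoundingSet=` commented out, so the service continues to start as root with an unrestricted bounding set. If the dropped patch had enabled any of those, this is a hardening regression for the package rather than a pure cleanup; the patch content is not on this page, so it should be confirmed against the old sources. The %prep section is outside this hunk, so whether a matching `%patch` line was also removed cannot be checked here.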
@@ -295,6 +294,7 @@
 %config(noreplace) %attr(640,root,%{name}) 
%{_sysconfdir}/%{name}/conf.d/auth.conf
 %config(noreplace) %attr(640,root,%{name}) 
%{_sysconfdir}/%{name}/conf.d/cgi.conf
 %config(noreplace) %attr(640,root,%{name}) 
%{_sysconfdir}/%{name}/conf.d/debug.conf
+%config(noreplace) %attr(640,root,%{name}) 
%{_sysconfdir}/%{name}/conf.d/deflate.conf
 %config(noreplace) %attr(640,root,%{name}) 
%{_sysconfdir}/%{name}/conf.d/dirlisting.conf
 %config(noreplace) %attr(640,root,%{name}) 
%{_sysconfdir}/%{name}/conf.d/evhost.conf
 %config(noreplace) %attr(640,root,%{name}) 
%{_sysconfdir}/%{name}/conf.d/expire.conf
@@ -306,9 +306,9 @@
 %config(noreplace) %attr(640,root,%{name}) 
%{_sysconfdir}/%{name}/conf.d/simple_vhost.conf
 %config(noreplace) %attr(640,root,%{name}) 
%{_sysconfdir}/%{name}/conf.d/ssi.conf
 %config(noreplace) %attr(640,root,%{name}) 
%{_sysconfdir}/%{name}/conf.d/status.conf
+%config(noreplace) %attr(640,root,%{name}) 
%{_sysconfdir}/%{name}/conf.d/tls.conf
 %config(noreplace) %attr(640,root,%{name}) 
%{_sysconfdir}/%{name}/conf.d/userdir.conf
 %config(noreplace) %attr(640,root,%{name}) 
%{_sysconfdir}/%{name}/vhosts.d/vhosts.template
-%config(noreplace) %attr(640,root,%{name}) 
%{_sysconfdir}/%{name}/conf.d/deflate.conf
 
 # modules
 %license COPYING

++++++ lighttpd-1.4.78.tar.xz -> lighttpd-1.4.79.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/.github/workflows/ci.yml 
new/lighttpd-1.4.79/.github/workflows/ci.yml
--- old/lighttpd-1.4.78/.github/workflows/ci.yml        2025-03-22 
20:40:18.000000000 +0100
+++ new/lighttpd-1.4.79/.github/workflows/ci.yml        2025-04-04 
07:28:20.000000000 +0200
@@ -241,28 +241,23 @@
       - uses: actions/checkout@v4
       - uses: cygwin/cygwin-install-action@master
         with:
+          install-dir: D:\cygwin
+          allow-test-packages: true
           packages: >
             autoconf automake libtool m4 make
             cmake meson ninja scons
             gcc-g++ git pkgconf perl
             libpcre2-devel
-            libnettle-devel gnutls-devel mbedtls-devel libnss-devel 
libssl-devel
+            libnettle-devel
+            libgnutls-devel mbedtls-devel libnss-devel libssl-devel
             libbrotli-devel libdeflate-devel zlib-devel libzstd-devel
             libsasl2-devel libkrb5-devel libdbi-devel openldap-devel
             libmariadb-devel libpq-devel
             libmaxminddb-devel libunwind-devel lua-devel lua5.1-devel
             libxml2-devel libsqlite3-devel
             libintl-devel
-      - name: Update
-        shell: powershell
-        run: |
-          # 
(https://github.com/cygwin/cygwin-install-action/blob/master/action.yml)
-          Invoke-WebRequest https://cygwin.com/setup-x86_64.exe -OutFile 
C:\setup.exe
-          # because setup is a Windows GUI app, make it part of a pipeline to 
make
-          # PowerShell wait for it to exit
-          & C:\setup.exe -qgnO -t | Out-Default
       - name: Compile and Test
-        shell: C:\cygwin\bin\bash.exe --noprofile --norc -o igncr -eo pipefail 
'{0}'
+        shell: D:\cygwin\bin\bash.exe --noprofile --norc -o igncr -eo pipefail 
'{0}'
         run: |
           set -e
           export PATH=/usr/bin:$(cygpath ${SYSTEMROOT})/system32
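Review bot: `allow-test-packages: true` on the cygwin-install-action step opts the build into Cygwin's test (pre-release) package stream, so the toolchain and TLS libraries CI links against can change underneath the repository without any change here. A comment naming which package needs it (the NEWS entry about updated Cygwin package names suggests one of the `*-devel` entries) would let it be reverted once a release package exists. The same step still uses `cygwin/cygwin-install-action@master`, a mutable ref; pinning third-party actions to a commit SHA is the usual mitigation for action supply-chain drift.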
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/CMakeLists.txt 
new/lighttpd-1.4.79/CMakeLists.txt
--- old/lighttpd-1.4.78/CMakeLists.txt  2025-03-22 20:40:18.000000000 +0100
+++ new/lighttpd-1.4.79/CMakeLists.txt  2025-04-04 07:28:20.000000000 +0200
@@ -1,6 +1,6 @@
 cmake_minimum_required(VERSION 3.7.0 FATAL_ERROR)
 
-project(lighttpd VERSION 1.4.78 LANGUAGES C)
+project(lighttpd VERSION 1.4.79 LANGUAGES C)
 
 # use C11 with CMake >= 3.1
 set(CMAKE_C_STANDARD 11)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/NEWS new/lighttpd-1.4.79/NEWS
--- old/lighttpd-1.4.78/NEWS    2025-03-22 20:40:18.000000000 +0100
+++ new/lighttpd-1.4.79/NEWS    2025-04-04 07:28:20.000000000 +0200
@@ -3,6 +3,27 @@
 NEWS
 ====
 
+- 1.4.79 - 2025-04-04
+  * [ci] update deps pkg names for lighttpd on Cygwin
+  * [ci] MSYS detection kludge in tests/LightyTest.pm
+  * [autotools] spelling Couldn't => Could not
+  * [mod_openssl] revert SSL_CTX default cert assign
+  * [mod_openssl] spelling in comment
+  * [TLS] issue trace if unable to check/refresh cert
+  * [ci] Cygwin Invoke-WebRequest -MaximumRetryCount 3
+  * [ci] Cygwin prefer D:\ drive
+  * [ci] Cygwin remove redundant call to setup.exe
+  * [core] set server.max-fds = 4096 if not specified
+  * [core] clear Linux ambient capabilities, if any
+  * [core] rename remove_pid_file() -> server_pid_file_remove()
+  * [core] retry pidfile open on Linux
+  * [doc] systemd lighttpd.service hardening
+  * [doc] move TLS config to separate file tls.conf
+  * [doc] systemd lighttpd.service hardening addition
+  * [doc] systemd lighttpd*.socket activation examples
+  * [core] default listen() backlog to SOMAXCONN
+  * [ci] fix meson build execution selection
+
 - 1.4.78 - 2025-03-22
   * [core] comment about _WIN32 security dangers
   * [core] allow POST w/o Content-Length for HTTP/2 (#3273)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/SConstruct 
new/lighttpd-1.4.79/SConstruct
--- old/lighttpd-1.4.78/SConstruct      2025-03-22 20:40:18.000000000 +0100
+++ new/lighttpd-1.4.79/SConstruct      2025-04-04 07:28:20.000000000 +0200
@@ -12,7 +12,7 @@
        string_types = str
 
 package = 'lighttpd'
-version = '1.4.78'
+version = '1.4.79'
 
 underscorify_reg = re.compile('[^A-Z0-9]')
 def underscorify(id):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/configure.ac 
new/lighttpd-1.4.79/configure.ac
--- old/lighttpd-1.4.78/configure.ac    2025-03-22 20:40:18.000000000 +0100
+++ new/lighttpd-1.4.79/configure.ac    2025-04-04 07:28:20.000000000 +0200
@@ -14,7 +14,7 @@
 dnl   function call, the argument should be on different lines than the
 dnl   wrapping braces
 AC_PREREQ([2.60])
-AC_INIT([lighttpd],[1.4.78],[https://redmine.lighttpd.net/projects/lighttpd/boards/2],[lighttpd],[https://www.lighttpd.net/])
+AC_INIT([lighttpd],[1.4.79],[https://redmine.lighttpd.net/projects/lighttpd/boards/2],[lighttpd],[https://www.lighttpd.net/])
 AC_CONFIG_SRCDIR([src/server.c])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
@@ -1323,7 +1323,7 @@
     fi
     PKG_CHECK_MODULES([LUA], [$WITH_LUA >= $lua_min_ver],
       [found_lua=1],
-      [AC_MSG_NOTICE([Couldn\'t find requested lua pkg-config module 
$WITH_LUA])]
+      [AC_MSG_NOTICE([Could not find requested lua pkg-config module 
$WITH_LUA])]
     )
     if test "$found_lua" = "0"; then
       LUA_LIBS="-L$WITH_LUA -llua"
@@ -1334,12 +1334,12 @@
       if test "$found_lua" = "0"; then
         PKG_CHECK_MODULES([LUA], [$luaname >= 5.1],
           [found_lua=1],
-          [AC_MSG_NOTICE([Couldn\'t find $luaname])]
+          [AC_MSG_NOTICE([Could not find $luaname])]
         )
       fi
     done
     if test "$found_lua" = "0"; then
-      AC_MSG_ERROR([Couldn\'t find any lua pkg-config module])
+      AC_MSG_ERROR([Could not find any lua pkg-config module])
     fi
   fi
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/doc/config/conf.d/Makefile.am 
new/lighttpd-1.4.79/doc/config/conf.d/Makefile.am
--- old/lighttpd-1.4.78/doc/config/conf.d/Makefile.am   2025-03-22 
20:40:18.000000000 +0100
+++ new/lighttpd-1.4.79/doc/config/conf.d/Makefile.am   2025-04-04 
07:28:20.000000000 +0200
@@ -16,5 +16,6 @@
        simple_vhost.conf \
        ssi.conf \
        status.conf \
+       tls.conf \
        userdir.conf \
        webdav.conf
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/doc/config/conf.d/tls.conf 
new/lighttpd-1.4.79/doc/config/conf.d/tls.conf
--- old/lighttpd-1.4.78/doc/config/conf.d/tls.conf      1970-01-01 
01:00:00.000000000 +0100
+++ new/lighttpd-1.4.79/doc/config/conf.d/tls.conf      2025-04-04 
07:28:20.000000000 +0200
@@ -0,0 +1,37 @@
+#######################################################################
+##
+##  TLS Support
+## -------------
+##
+## https://wiki.lighttpd.net/Docs_SSL
+##
+## To enable TLS, choose *one* of the lighttpd TLS/SSL modules, provide
+## a valid certificate, and enable ssl.engine on listening address(es).
+##
+server.modules += ( "mod_openssl" )
+#server.modules += ( "mod_gnutls" )
+#server.modules += ( "mod_mbedtls" )
+#server.modules += ( "mod_wolfssl" )
+#server.modules += ( "mod_nss" )
+
+## ssl.pemfile should contain the sorted certificate chain, including
+## intermediate certificates, as provided by the certificate issuer.
+## If both privkey and cert are in same file, specify only ssl.pemfile.
+#ssl.privkey = "/FILL/IN/path/to/privkey.pem"
+#ssl.pemfile = "/FILL/IN/path/to/fullchain.pem"
+
+## lighttpd TLS defaults are strict and compatible with modern clients.
+## If your organization requires use of system-managed TLS defaults to
+## override lighttpd TLS defaults, use "CipherString" => "PROFILE=SYSTEM"
+#ssl.openssl.ssl-conf-cmd += ("CipherString" => "PROFILE=SYSTEM")
+
+## enable TLS on specified listening addresses
+#$SERVER["socket"] == "*:443" {
+#  ssl.engine  = "enable"
+#}
+#$SERVER["socket"] == "[::]:443" {
+#  ssl.engine  = "enable"
+#}
+
+##
+#######################################################################
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/doc/config/lighttpd.annotated.conf 
new/lighttpd-1.4.79/doc/config/lighttpd.annotated.conf
--- old/lighttpd-1.4.78/doc/config/lighttpd.annotated.conf      2025-03-22 
20:40:18.000000000 +0100
+++ new/lighttpd-1.4.79/doc/config/lighttpd.annotated.conf      2025-04-04 
07:28:20.000000000 +0200
@@ -396,38 +396,6 @@
 
 #######################################################################
 ##
-##  SSL Support
-## -------------
-##
-## https://wiki.lighttpd.net/Docs_SSL
-#
-## To enable SSL for the whole server you have to provide a valid
-## certificate and have to enable the SSL engine.::
-##
-##   server.modules += ( "mod_openssl" )
-##
-##   ssl.privkey = "/path/to/privkey.pem"
-##   ssl.pemfile = "/path/to/fullchain.pem"
-##   # ssl.pemfile should contain the sorted certificate chain, including
-##   # intermediate certificates, as provided by the certificate issuer.
-##   # If both privkey and cert are in same file, specify only ssl.pemfile.
-##
-##   # lighttpd TLS defaults are strict and compatible with modern clients.
-##   # If your organization requires use of system-managed TLS defaults to
-##   # override lighttpd TLS defaults, use "CipherString" => "PROFILE=SYSTEM"
-##   #ssl.openssl.ssl-conf-cmd += ("CipherString" => "PROFILE=SYSTEM")
-##
-##   $SERVER["socket"] == "*:443" {
-##     ssl.engine  = "enable"
-##   }
-##   $SERVER["socket"] == "[::]:443" {
-##     ssl.engine  = "enable"
-##   }
-##
-#######################################################################
-
-#######################################################################
-##
 ## custom includes like vhosts.
 ##
 #include conf_dir + "/conf.d/config.conf"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/doc/config/modules.conf 
new/lighttpd-1.4.79/doc/config/modules.conf
--- old/lighttpd-1.4.78/doc/config/modules.conf 2025-03-22 20:40:18.000000000 
+0100
+++ new/lighttpd-1.4.79/doc/config/modules.conf 2025-04-04 07:28:20.000000000 
+0200
@@ -50,7 +50,7 @@
 ## Alphabetizing may break expected functionality.  See explanation above.
 ##
 
-server.modules = (
+server.modules += (
 #  "mod_rewrite",
   "mod_access",
 #  "mod_auth",
@@ -69,6 +69,11 @@
 ##
 
 ##
+## TLS/SSL configuration
+##
+#include conf_dir + "/conf.d/tls.conf"
+
+##
 ## mod_expire
 ##
 #include conf_dir + "/conf.d/expire.conf"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/doc/systemd/Makefile.am 
new/lighttpd-1.4.79/doc/systemd/Makefile.am
--- old/lighttpd-1.4.78/doc/systemd/Makefile.am 2025-03-22 20:40:18.000000000 
+0100
+++ new/lighttpd-1.4.79/doc/systemd/Makefile.am 2025-04-04 07:28:20.000000000 
+0200
@@ -1 +1,6 @@
-EXTRA_DIST=lighttpd.service lighttpd.socket
+EXTRA_DIST= \
+  lighttpd-http-ipv4.socket \
+  lighttpd-http-ipv6.socket \
+  lighttpd-https-ipv4.socket \
+  lighttpd-https-ipv6.socket \
+  lighttpd.service
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/lighttpd-1.4.78/doc/systemd/lighttpd-http-ipv4.socket 
new/lighttpd-1.4.79/doc/systemd/lighttpd-http-ipv4.socket
--- old/lighttpd-1.4.78/doc/systemd/lighttpd-http-ipv4.socket   1970-01-01 
01:00:00.000000000 +0100
+++ new/lighttpd-1.4.79/doc/systemd/lighttpd-http-ipv4.socket   2025-04-04 
07:28:20.000000000 +0200
@@ -0,0 +1,19 @@
+# please note: lighttpd.conf must contain directive:
+#   server.systemd-socket-activation = "enable"
+
+[Unit]
+Description=lighttpd http IPv4 socket
+Documentation=man:lighttpd https://wiki.lighttpd.net
+
+[Socket]
+Service=lighttpd.service
+
+# http IPv4
+ListenStream=0.0.0.0:80
+
+NoDelay=true
+BindIPv6Only=ipv6-only
+#FreeBind=true
+
+[Install]
+WantedBy=sockets.target
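Review bot: `BindIPv6Only=ipv6-only` on an IPv4-only listener (`ListenStream=0.0.0.0:80`) has no effect, since that setting controls the IPV6_V6ONLY socket option and only applies to IPv6 sockets. It reads as if the unit were deliberately restricted, so either drop it from this unit or add `# no-op on IPv4; kept symmetric with the IPv6 unit`; the same applies to lighttpd-https-ipv4.socket below. On the IPv6 units it is the right setting, as it stops the `[::]` listener from also claiming the IPv4 port that the separate IPv4 unit binds.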
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/lighttpd-1.4.78/doc/systemd/lighttpd-http-ipv6.socket 
new/lighttpd-1.4.79/doc/systemd/lighttpd-http-ipv6.socket
--- old/lighttpd-1.4.78/doc/systemd/lighttpd-http-ipv6.socket   1970-01-01 
01:00:00.000000000 +0100
+++ new/lighttpd-1.4.79/doc/systemd/lighttpd-http-ipv6.socket   2025-04-04 
07:28:20.000000000 +0200
@@ -0,0 +1,19 @@
+# please note: lighttpd.conf must contain directive:
+#   server.systemd-socket-activation = "enable"
+
+[Unit]
+Description=lighttpd http IPv6 socket
+Documentation=man:lighttpd https://wiki.lighttpd.net
+
+[Socket]
+Service=lighttpd.service
+
+# http IPv6
+ListenStream=[::]:80
+
+NoDelay=true
+BindIPv6Only=ipv6-only
+#FreeBind=true
+
+[Install]
+WantedBy=sockets.target
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/lighttpd-1.4.78/doc/systemd/lighttpd-https-ipv4.socket 
new/lighttpd-1.4.79/doc/systemd/lighttpd-https-ipv4.socket
--- old/lighttpd-1.4.78/doc/systemd/lighttpd-https-ipv4.socket  1970-01-01 
01:00:00.000000000 +0100
+++ new/lighttpd-1.4.79/doc/systemd/lighttpd-https-ipv4.socket  2025-04-04 
07:28:20.000000000 +0200
@@ -0,0 +1,19 @@
+# please note: lighttpd.conf must contain directive:
+#   server.systemd-socket-activation = "enable"
+
+[Unit]
+Description=lighttpd https IPv4 socket
+Documentation=man:lighttpd https://wiki.lighttpd.net
+
+[Socket]
+Service=lighttpd.service
+
+# https IPv4
+ListenStream=0.0.0.0:443
+
+NoDelay=true
+BindIPv6Only=ipv6-only
+#FreeBind=true
+
+[Install]
+WantedBy=sockets.target
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/lighttpd-1.4.78/doc/systemd/lighttpd-https-ipv6.socket 
new/lighttpd-1.4.79/doc/systemd/lighttpd-https-ipv6.socket
--- old/lighttpd-1.4.78/doc/systemd/lighttpd-https-ipv6.socket  1970-01-01 
01:00:00.000000000 +0100
+++ new/lighttpd-1.4.79/doc/systemd/lighttpd-https-ipv6.socket  2025-04-04 
07:28:20.000000000 +0200
@@ -0,0 +1,19 @@
+# please note: lighttpd.conf must contain directive:
+#   server.systemd-socket-activation = "enable"
+
+[Unit]
+Description=lighttpd https IPv6 socket
+Documentation=man:lighttpd https://wiki.lighttpd.net
+
+[Socket]
+Service=lighttpd.service
+
+# https IPv6
+ListenStream=[::]:443
+
+NoDelay=true
+BindIPv6Only=ipv6-only
+#FreeBind=true
+
+[Install]
+WantedBy=sockets.target
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/doc/systemd/lighttpd.service 
new/lighttpd-1.4.79/doc/systemd/lighttpd.service
--- old/lighttpd-1.4.78/doc/systemd/lighttpd.service    2025-03-22 
20:40:18.000000000 +0100
+++ new/lighttpd-1.4.79/doc/systemd/lighttpd.service    2025-04-04 
07:28:20.000000000 +0200
@@ -3,6 +3,12 @@
 After=network-online.target
 Documentation=man:lighttpd https://wiki.lighttpd.net
 
+# optional: systemd socket activation for lighttpd
+#Requires=lighttpd-http-ipv4.socket lighttpd-http-ipv6.socket 
lighttpd-https-ipv4.socket lighttpd-https-ipv6.socket
+
+[Install]
+WantedBy=multi-user.target
+
 [Service]
 Type=simple
 PIDFile=/run/lighttpd.pid
@@ -12,5 +18,68 @@
 ExecReload=/bin/kill -USR1 $MAINPID
 Restart=on-failure
 
-[Install]
-WantedBy=multi-user.target
+# increase num files soft limit; 1024 harkens back to select() limit
+# (lighttpd.conf must still be configured with `server.max-fds`; default 4096)
+LimitNOFILE=32768:524288
+
+#
+# system capabilities hardening
+#
+
+# (comment all out if running lighttpd as root to manage system, e.g. via LuCI)
+
+# Recommended configuration: have systemd start lighttpd as unprivileged user.
+# Note: starting lighttpd as unprivileged user requires TLS certificates to be
+#   readable by the unprivileged user and will fail for existing configurations
+#   where that is not currently the case.  For that scenario and for similar
+#   compatibility reasons, this is not yet enabled by default.
+#User=lighttpd
+#Group=lighttpd
+
+# Allow unprivileged lighttpd to bind,listen to ports < 1024 (i.e. 80 and 443).
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# Recommended configuration: strictly limit capabilities
+# Limit capabilities, including for children and privileged processes, e.g. 
root
+# CAP_NET_BIND_SERVICE allows bind() to ports < 1024 (i.e. 80 and 443).
+# CAP_SETGID, CAP_SETUID, and CAP_SYS_CHROOT are self explanatory.
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID 
CAP_SYS_CHROOT
+# If not starting lighttpd as root, minimal capability to bind to ports < 1024:
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# Using systemd socket activation, even CAP_NET_BIND_SERVICE is not necessary
+# and could be removed from AmbientCapabilities and CapabilityBoundingSet.
+# Requires lighttpd.conf: server.systemd-socket-activation = "enable"
+# Requires installation, configuration, enabling of systemd lighttpd*.socket
+# Requires the 'Requires' in the [Unit] section at top of this file.
+# See /usr/share/doc/lighttpd/examples/lighttpd*.socket or lighttpd source tree
+# https://git.lighttpd.net/lighttpd/lighttpd1.4/src/branch/master/doc/systemd/
+
+# Note: PrivateTmp=yes
+#   could break backends if named socket from independent daemon is located
+#   in /tmp; must relocate lighttpd.conf socket paths to e.g. /run/lighttpd
+# Note: ProtectHome=read-only
+#   could break CGI scripts or WebDAV writing to home paths
+# Note: RestrictSUIDSGID=yes
+#   could break CGI scripts or WebDAV setting suid/sgid permission bit on files
+
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=full
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
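Review bot: `AmbientCapabilities=CAP_NET_BIND_SERVICE` is enabled while `User=`, `Group=` and every `CapabilityBoundingSet=` line stay commented, so as shipped the unit still starts lighttpd as root with the full bounding set, and the ambient capability only becomes meaningful once `User=lighttpd` is uncommented. The bounding-set line the comment itself recommends for the root-then-drop-privileges case, `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT`, does not depend on the certificate-readability caveat given for `User=`, so it could be enabled by default, or the comment should state why it is not. `MemoryDenyWriteExecute=yes` rejects mprotect() with PROT_EXEC, which is likely to break mod_magnet if lighttpd is built against LuaJIT; a line next to the other "could break" notes would save admins a debugging session. `SystemCallFilter=@system-service` is the other commonly recommended setting absent here; if that is deliberate for CGI compatibility, a comment should record it.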
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/doc/systemd/lighttpd.socket 
new/lighttpd-1.4.79/doc/systemd/lighttpd.socket
--- old/lighttpd-1.4.78/doc/systemd/lighttpd.socket     2025-03-22 
20:40:18.000000000 +0100
+++ new/lighttpd-1.4.79/doc/systemd/lighttpd.socket     1970-01-01 
01:00:00.000000000 +0100
@@ -1,17 +0,0 @@
-# please note: lighttpd.conf must contain directive:
-#   server.systemd-socket-activation = "enable"
-
-[Unit]
-Description=lighttpd socket
-Documentation=man:lighttpd https://wiki.lighttpd.net
-
-[Socket]
-# Enable listening on http port
-ListenStream=80
-# To enable listening on https port, lighttpd config needs SSL setup
-# https://wiki.lighttpd.net/Docs_SSL
-#ListenStream=443
-Service=lighttpd.service
-
-[Install]
-WantedBy=sockets.target
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/meson.build 
new/lighttpd-1.4.79/meson.build
--- old/lighttpd-1.4.78/meson.build     2025-03-22 20:40:18.000000000 +0100
+++ new/lighttpd-1.4.79/meson.build     2025-04-04 07:28:20.000000000 +0200
@@ -1,7 +1,7 @@
 project(
   'lighttpd',
   'c',
-  version: '1.4.78',
+  version: '1.4.79',
   license: 'BSD-3-Clause',
   default_options: [
     'buildtype=debugoptimized',
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/scripts/ci-build.sh 
new/lighttpd-1.4.79/scripts/ci-build.sh
--- old/lighttpd-1.4.78/scripts/ci-build.sh     2025-03-22 20:40:18.000000000 
+0100
+++ new/lighttpd-1.4.79/scripts/ci-build.sh     2025-04-04 07:28:20.000000000 
+0200
@@ -159,13 +159,13 @@
          build
        cd build
        case "${build}" in
-       "autobuild")
-               meson compile --verbose
+       "meson")
+               meson compile -j 4 --verbose
                meson test --verbose
                ;;
        "coverity")
                [ -z "${COVERITY_PATH}" ] || export PATH="${COVERITY_PATH}"
-               cov-build --dir "../cov-int" -- meson compile --verbose
+               cov-build --dir "../cov-int" -- meson compile -j 4 --verbose
                ;;
        esac
        ;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/src/gw_backend.c 
new/lighttpd-1.4.79/src/gw_backend.c
--- old/lighttpd-1.4.78/src/gw_backend.c        2025-03-22 20:40:18.000000000 
+0100
+++ new/lighttpd-1.4.79/src/gw_backend.c        2025-04-04 07:28:20.000000000 
+0200
@@ -1391,7 +1391,7 @@
             host->break_scriptfilename_for_php = 0;
             host->kill_signal = SIGTERM;
             host->fix_root_path_name = 0;
-            host->listen_backlog = 1024;
+            host->listen_backlog = SOMAXCONN > 1024 ? SOMAXCONN : 1024;
             host->xsendfile_allow = 0;
             host->refcount = 0;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/src/mod_cgi.c 
new/lighttpd-1.4.79/src/mod_cgi.c
--- old/lighttpd-1.4.78/src/mod_cgi.c   2025-03-22 20:40:18.000000000 +0100
+++ new/lighttpd-1.4.79/src/mod_cgi.c   2025-04-04 07:28:20.000000000 +0200
@@ -46,6 +46,7 @@
       #endif
       #if defined(_WIN32)
        buffer *cygvol;
+       buffer *msystem;
       #endif
 } env_accum;
 
@@ -136,6 +137,8 @@
        if (s) buffer_copy_string((p->env.systemroot = buffer_init()), s);
       #endif
       #if defined(_WIN32)
+       s = getenv("MSYSTEM");
+       if (s) buffer_copy_string((p->env.msystem = buffer_init()), s);
        s = getenv("CYGVOL");
        if (s) buffer_copy_string((p->env.cygvol = buffer_init()), s);
       #endif
@@ -153,6 +156,7 @@
       #endif
       #if defined(_WIN32)
        buffer_free(p->env.cygvol);
+       buffer_free(p->env.msystem);
       #endif
 
     for (cgi_pid_t *cgi_pid = p->cgi_pid, *next; cgi_pid; cgi_pid = next) {
@@ -911,6 +915,11 @@
                        cgi_env_add(env, CONST_STR_LEN("SYSTEMROOT"), 
BUF_PTR_LEN(p->env.systemroot));
                }
              #endif
+             #if defined(_WIN32)
+               if (p->env.msystem) {
+                       cgi_env_add(env, CONST_STR_LEN("MSYSTEM"), 
BUF_PTR_LEN(p->env.msystem));
+               }
+             #endif
 
                /* adjust (uintptr_t) offsets to (char *) ptr
                 * (stored as offsets while accumulating in buffer,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/src/mod_gnutls.c 
new/lighttpd-1.4.79/src/mod_gnutls.c
--- old/lighttpd-1.4.78/src/mod_gnutls.c        2025-03-22 20:40:18.000000000 
+0100
+++ new/lighttpd-1.4.79/src/mod_gnutls.c        2025-04-04 07:28:20.000000000 
+0200
@@ -3361,6 +3361,18 @@
 }
 
 
+__attribute_cold__
+static int
+mod_gnutls_refresh_plugin_cert_fail (server * const srv, plugin_cert * const 
pc)
+{
+    log_perror(srv->errh, __FILE__, __LINE__,
+               "GnuTLS: unable to check/refresh cert key; "
+               "continuing to use already-loaded %s",
+               pc->ssl_privkey->ptr);
+    return 0;
+}
+
+
 static int
 mod_gnutls_refresh_plugin_cert (server * const srv, plugin_cert * const pc)
 {
@@ -3388,7 +3400,8 @@
      * update privkey last, after pem file (and OCSP stapling file) */
     struct stat st;
     if (0 != stat(pc->ssl_privkey->ptr, &st))
-        return 0; /* ignore if stat() error; keep using existing crt/pk */
+        return mod_gnutls_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if stat() error; keep using existing crt/pk */
     if (TIME64_CAST(st.st_mtime) <= pc->pkey_ts)
         return 0; /* mtime match; no change */
 
@@ -3396,7 +3409,8 @@
       network_gnutls_load_pemfile(srv, pc->ssl_pemfile, pc->ssl_privkey,
                                   pc->ssl_stapling_file);
     if (NULL == npc)
-        return 0; /* ignore if crt/pk error; keep using existing crt/pk */
+        return mod_gnutls_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if crt/pk error; keep using existing crt/pk */
 
     /*(future: if threaded, only one thread should update pcs)*/
 
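Review bot: `mod_gnutls_refresh_plugin_cert_fail` is reused for the `NULL == npc` path, but that helper logs with `log_perror`, which appends strerror(errno), and nothing on this path guarantees errno reflects the failure: `network_gnutls_load_pemfile` may fail on a parse or key-mismatch after successful I/O, leaving a stale or zero errno and a misleading suffix on the message. Only the stat() failure in the previous hunk has a meaningful errno; for the load failure use `log_error` with its own message, e.g. `log_error(srv->errh, __FILE__, __LINE__, "GnuTLS: unable to reload cert key; continuing to use already-loaded %s", pc->ssl_privkey->ptr);`, or give the helper a flag selecting log_error versus log_perror. The same pattern is repeated in mod_mbedtls.c, mod_nss.c and mod_openssl.c in this diff. The `/* ignore if crt/pk error ... */` comment now sits on its own line after the `return`, outside the `if` body, which reads like a dangling statement; placing it above the `if` would be clearer. The enclosing function starts and ends outside this hunk.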
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/src/mod_mbedtls.c 
new/lighttpd-1.4.79/src/mod_mbedtls.c
--- old/lighttpd-1.4.78/src/mod_mbedtls.c       2025-03-22 20:40:18.000000000 
+0100
+++ new/lighttpd-1.4.79/src/mod_mbedtls.c       2025-04-04 07:28:20.000000000 
+0200
@@ -2985,6 +2985,18 @@
 }
 
 
+__attribute_cold__
+static int
+mod_mbedtls_refresh_plugin_cert_fail (server * const srv, plugin_cert * const 
pc)
+{
+    log_perror(srv->errh, __FILE__, __LINE__,
+               "MTLS: unable to check/refresh cert key; "
+               "continuing to use already-loaded %s",
+               pc->ssl_privkey->ptr);
+    return 0;
+}
+
+
 static int
 mod_mbedtls_refresh_plugin_cert (server * const srv, plugin_cert * const pc)
 {
@@ -3012,14 +3024,16 @@
      * update privkey last, after pem file (and OCSP stapling file) */
     struct stat st;
     if (0 != stat(pc->ssl_privkey->ptr, &st))
-        return 0; /* ignore if stat() error; keep using existing crt/pk */
+        return mod_mbedtls_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if stat() error; keep using existing crt/pk */
     if (TIME64_CAST(st.st_mtime) <= pc->pkey_ts)
         return 0; /* mtime match; no change */
 
     plugin_cert *npc =
       network_mbedtls_load_pemfile(srv, pc->ssl_pemfile, pc->ssl_privkey);
     if (NULL == npc)
-        return 0; /* ignore if crt/pk error; keep using existing crt/pk */
+        return mod_mbedtls_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if crt/pk error; keep using existing crt/pk */
 
     /*(future: if threaded, only one thread should update pcs)*/
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/src/mod_nss.c 
new/lighttpd-1.4.79/src/mod_nss.c
--- old/lighttpd-1.4.78/src/mod_nss.c   2025-03-22 20:40:18.000000000 +0100
+++ new/lighttpd-1.4.79/src/mod_nss.c   2025-04-04 07:28:20.000000000 +0200
@@ -2885,6 +2885,18 @@
 }
 
 
+__attribute_cold__
+static int
+mod_nss_refresh_plugin_cert_fail (server * const srv, plugin_cert * const pc)
+{
+    log_perror(srv->errh, __FILE__, __LINE__,
+               "NSS: unable to check/refresh cert key; "
+               "continuing to use already-loaded %s",
+               pc->ssl_privkey->ptr);
+    return 0;
+}
+
+
 static int
 mod_nss_refresh_plugin_cert (server * const srv, plugin_cert * const pc)
 {
@@ -2912,7 +2924,8 @@
      * update privkey last, after pem file (and OCSP stapling file) */
     struct stat st;
     if (0 != stat(pc->ssl_privkey->ptr, &st))
-        return 0; /* ignore if stat() error; keep using existing crt/pk */
+        return mod_nss_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if stat() error; keep using existing crt/pk */
     if (TIME64_CAST(st.st_mtime) <= pc->pkey_ts)
         return 0; /* mtime match; no change */
 
@@ -2920,7 +2933,8 @@
       network_nss_load_pemfile(srv, pc->ssl_pemfile, pc->ssl_privkey,
                                pc->ssl_stapling_file);
     if (NULL == npc)
-        return 0; /* ignore if crt/pk error; keep using existing crt/pk */
+        return mod_nss_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if crt/pk error; keep using existing crt/pk */
 
     /*(future: if threaded, only one thread should update pcs)*/
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/src/mod_openssl.c 
new/lighttpd-1.4.79/src/mod_openssl.c
--- old/lighttpd-1.4.78/src/mod_openssl.c       2025-03-22 20:40:18.000000000 
+0100
+++ new/lighttpd-1.4.79/src/mod_openssl.c       2025-04-04 07:28:20.000000000 
+0200
@@ -1949,12 +1949,15 @@
         return 0;
     }
 
+ #if 0 /* disabled due to openssl quirks selecting incorrect certificate */
     /* reuse cert chain/privkey assigned to ssl_ctx where cert matches */
   if (hctx->ssl_ctx_pc
       && buffer_is_equal(hctx->ssl_ctx_pc->ssl_pemfile, pc->ssl_pemfile)) {
     hctx->kp = mod_openssl_kp_acq(hctx->ssl_ctx_pc);
   }
-  else {
+  else
+ #endif
+  {
     hctx->kp = mod_openssl_kp_acq(pc);
 
   #if OPENSSL_VERSION_NUMBER >= 0x10002000 \
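Review bot: The `#if 0` around the `hctx->ssl_ctx_pc` reuse leaves dead code whose only explanation is "openssl quirks selecting incorrect certificate", so a later reader cannot tell which OpenSSL behaviour is meant or when the block may be removed or restored. Suggest expanding the comment to name the symptom (the ECDSA+RSA dual-certificate misselection the NEWS entry refers to) and to note that, with the `SSL_CTX_use_cert_and_key` default assignment now compiled only for OpenSSL < 1.0.2 (hunk at -3535), every connection on newer OpenSSL depends on this per-handshake `mod_openssl_kp_acq(pc)` assignment. If `hctx->ssl_ctx_pc` has no remaining readers outside this block (not visible here), the field and its assignment are now dead as well. The enclosing function starts and ends outside this hunk.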
@@ -3535,7 +3538,8 @@
             }
         }
 
-      #endif /* OPENSSL_VERSION_NUMBER < 0x10002000 */
+        /* only for OPENSSL_VERSION_NUMBER < 0x10002000
+         * due to openssl SSL_CTX and SSL cert selection with ECDSA and RSA */
 
         if (1 != mod_openssl_SSL_CTX_use_cert_and_key(s->ssl_ctx,
                                                       s->pc, s->pc->kp)) {
@@ -3545,6 +3549,8 @@
             return -1;
         }
 
+      #endif /* OPENSSL_VERSION_NUMBER < 0x10002000 */
+
        #if defined(BORINGSSL_API_VERSION)
        #define SSL_CTX_set_default_read_ahead(ctx,m) \
                SSL_CTX_set_read_ahead(ctx,m)
@@ -5022,12 +5028,29 @@
     mod_openssl_kp_rel(s->kp);
     s->kp = mod_openssl_kp_acq(s->pc);
 
+  #if 0 /* disabled due to openssl quirks selecting incorrect certificate */
     if (1 != mod_openssl_SSL_CTX_use_cert_and_key(s->ssl_ctx, s->pc, s->kp)) {
         log_error(srv->errh, __FILE__, __LINE__,
           "SSL: %s %s %s", ERR_error_string(ERR_get_error(), NULL),
           s->pc->ssl_pemfile->ptr, s->pc->ssl_privkey->ptr);
         /* no recovery until admin fixes input files */
     }
+  #else
+    UNUSED(mod_openssl_SSL_CTX_use_cert_and_key);
+    UNUSED(srv);
+  #endif
+}
+
+
+__attribute_cold__
+static int
+mod_openssl_refresh_plugin_cert_fail (server * const srv, plugin_cert * const 
pc)
+{
+    log_perror(srv->errh, __FILE__, __LINE__,
+               "SSL: unable to check/refresh cert key; "
+               "continuing to use already-loaded %s",
+               pc->ssl_privkey->ptr);
+    return 0;
 }
 
 
@@ -5058,7 +5081,8 @@
      * update privkey last, after pem file (and OCSP stapling file) */
     struct stat st;
     if (0 != stat(pc->ssl_privkey->ptr, &st))
-        return 0; /* ignore if stat() error; keep using existing crt/pk */
+        return mod_openssl_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if stat() error; keep using existing crt/pk */
     if (TIME64_CAST(st.st_mtime) <= pc->pkey_ts)
         return 0; /* mtime match; no change */
 
@@ -5066,7 +5090,8 @@
       network_openssl_load_pemfile(srv, pc->ssl_pemfile, pc->ssl_privkey,
                                    pc->ssl_stapling_file);
     if (NULL == npc)
-        return 0; /* ignore if crt/pk error; keep using existing crt/pk */
+        return mod_openssl_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if crt/pk error; keep using existing crt/pk */
 
     /*(future: if threaded, only one thread should update pcs)*/
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/src/mod_wolfssl.c 
new/lighttpd-1.4.79/src/mod_wolfssl.c
--- old/lighttpd-1.4.78/src/mod_wolfssl.c       2025-03-22 20:40:18.000000000 
+0100
+++ new/lighttpd-1.4.79/src/mod_wolfssl.c       2025-04-04 07:28:20.000000000 
+0200
@@ -3795,6 +3795,18 @@
 }
 
 
+__attribute_cold__
+static int
+mod_wolfssl_refresh_plugin_cert_fail (server * const srv, plugin_cert * const 
pc)
+{
+    log_perror(srv->errh, __FILE__, __LINE__,
+               "SSL: unable to check/refresh cert key; "
+               "continuing to use already-loaded %s",
+               pc->ssl_privkey->ptr);
+    return 0;
+}
+
+
 static int
 mod_wolfssl_refresh_plugin_cert (server * const srv, plugin_cert * const pc)
 {
@@ -3822,7 +3834,8 @@
      * update privkey last, after pem file (and OCSP stapling file) */
     struct stat st;
     if (0 != stat(pc->ssl_privkey->ptr, &st))
-        return 0; /* ignore if stat() error; keep using existing crt/pk */
+        return mod_wolfssl_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if stat() error; keep using existing crt/pk */
     if (TIME64_CAST(st.st_mtime) <= pc->pkey_ts)
         return 0; /* mtime match; no change */
 
@@ -3830,7 +3843,8 @@
       network_openssl_load_pemfile(srv, pc->ssl_pemfile, pc->ssl_privkey,
                                    pc->ssl_stapling_file);
     if (NULL == npc)
-        return 0; /* ignore if crt/pk error; keep using existing crt/pk */
+        return mod_wolfssl_refresh_plugin_cert_fail(srv, pc);
+        /* ignore if crt/pk error; keep using existing crt/pk */
 
     /*(future: if threaded, only one thread should update pcs)*/
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/src/network.c 
new/lighttpd-1.4.79/src/network.c
--- old/lighttpd-1.4.78/src/network.c   2025-03-22 20:40:18.000000000 +0100
+++ new/lighttpd-1.4.79/src/network.c   2025-04-04 07:28:20.000000000 +0200
@@ -861,7 +861,7 @@
     if (!config_plugin_values_init(srv, p, cpk, "network"))
         return HANDLER_ERROR;
 
-    p->defaults.listen_backlog = 1024;
+    p->defaults.listen_backlog = SOMAXCONN > 1024 ? SOMAXCONN : 1024;
     p->defaults.defer_accept = 0;
     p->defaults.use_ipv6 = 0;
     p->defaults.set_v6only = 1;
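Review bot: `SOMAXCONN > 1024 ? SOMAXCONN : 1024` takes the larger of a compile-time header constant and 1024, but what listen(2) actually honours is the running kernel's limit (on Linux the net.core.somaxconn sysctl), which may be lower than either and silently clamps the backlog. A one-line comment such as `/* requested backlog; the kernel silently caps it at its runtime limit (e.g. net.core.somaxconn) */` would keep readers from taking the default as a guarantee. The enclosing function starts and ends outside the hunk.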
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/src/server.c 
new/lighttpd-1.4.79/src/server.c
--- old/lighttpd-1.4.78/src/server.c    2025-03-22 20:40:18.000000000 +0100
+++ new/lighttpd-1.4.79/src/server.c    2025-04-04 07:28:20.000000000 +0200
@@ -582,7 +582,7 @@
 
 __attribute_cold__
 __attribute_noinline__
-static void remove_pid_file(server *srv) {
+static void server_pid_file_remove(server *srv) {
        if (pid_fd <= -2) return;
        if (srv->srvconf.pid_file && 0 <= pid_fd) {
                if (0 != ftruncate(pid_fd, 0)) {
@@ -604,6 +604,43 @@
        }
 }
 
+__attribute_cold__
+static int server_pid_file_open(server * const srv, int i_am_root) {
+    if (NULL == srv->srvconf.pid_file)
+        return 0;
+    const char * const pidfile = srv->srvconf.pid_file->ptr;
+
+    pid_fd = fdevent_open_cloexec(pidfile, 0, O_WRONLY | O_CREAT | O_EXCL | 
O_TRUNC,
+                                  S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+    if (-1 != pid_fd)
+        return 0;
+
+  #ifdef __linux__
+    if (errno == EACCES
+        && i_am_root && srv->srvconf.username && !srv->srvconf.changeroot)
+        /* root without CAP_DAC_OVERRIDE capability
+         * and pidfile owned by target user */
+        return 0;
+  #else
+    UNUSED(i_am_root);
+  #endif
+
+    struct stat st;
+    if (errno != EEXIST
+        || 0 != stat(pidfile, &st)
+        || !S_ISREG(st.st_mode)
+        || (pid_fd =
+              fdevent_open_cloexec(pidfile, 0,
+                                   O_WRONLY | O_CREAT | O_TRUNC,
+                                   S_IRUSR | S_IWUSR | S_IRGRP | 
S_IROTH))==-1){
+        log_perror(srv->errh, __FILE__, __LINE__,
+          "opening pid-file failed: %s", pidfile);
+        return -1;
+    }
+
+    return 0;
+}
+
 
 __attribute_cold__
 static server_socket * server_oneshot_getsock(server *srv, sock_addr 
*cnt_addr) {
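Review bot: Folding the three old failure cases into one `||` chain loses the diagnostic that matters most: when the existing pid-file is not a regular file, stat() succeeded and errno is still EEXIST from the O_EXCL open, so the single log_perror prints "opening pid-file failed: … File exists" instead of the old "pid-file exists and isn't regular file" message. Keeping the S_ISREG test as its own branch with log_error (already used elsewhere in this tree) restores that; the EACCES special case above it is unaffected. Since stat() follows symlinks, the S_ISREG test also passes for a symlink to a regular file and the second open then truncates the link target; that is pre-existing behaviour, but if fdevent_open_cloexec passes its flags through (the O_EXCL use suggests it does), adding O_NOFOLLOW to that second open would close it. server_pid_file_open is entirely within the hunk.
```c
    /* … unchanged: O_EXCL open and the EACCES special case … */
    struct stat st;
    if (errno != EEXIST || 0 != stat(pidfile, &st)) {
        log_perror(srv->errh, __FILE__, __LINE__,
          "opening pid-file failed: %s", pidfile);
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {
        log_error(srv->errh, __FILE__, __LINE__,
          "pid-file exists and isn't regular file: %s", pidfile);
        return -1;
    }
    pid_fd = fdevent_open_cloexec(pidfile, 0, O_WRONLY | O_CREAT | O_TRUNC,
                                  S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
    if (-1 == pid_fd) {
        log_perror(srv->errh, __FILE__, __LINE__,
          "opening pid-file failed: %s", pidfile);
        return -1;
    }
    return 0;
```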
@@ -1244,7 +1281,7 @@
     }
     else {
         server_sockets_close(srv);
-        remove_pid_file(srv);
+        server_pid_file_remove(srv);
         /*(prevent more removal attempts)*/
         srv->srvconf.pid_file = NULL;
     }
@@ -1692,34 +1729,8 @@
 
        /* open pid file BEFORE chroot */
        if (-2 == pid_fd) pid_fd = -1; /*(initial startup state)*/
-       if (-1 == pid_fd && srv->srvconf.pid_file) {
-               const char *pidfile = srv->srvconf.pid_file->ptr;
-               if (-1 == (pid_fd = fdevent_open_cloexec(pidfile, 0, O_WRONLY | 
O_CREAT | O_EXCL | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH))) {
-                       struct stat st;
-                       if (errno != EEXIST) {
-                               log_perror(srv->errh, __FILE__, __LINE__,
-                                 "opening pid-file failed: %s", pidfile);
-                               return -1;
-                       }
-
-                       if (0 != stat(pidfile, &st)) {
-                               log_perror(srv->errh, __FILE__, __LINE__,
-                                 "stating existing pid-file failed: %s", 
pidfile);
-                       }
-
-                       if (!S_ISREG(st.st_mode)) {
-                               log_error(srv->errh, __FILE__, __LINE__,
-                                 "pid-file exists and isn't regular file: %s", 
pidfile);
-                               return -1;
-                       }
-
-                       if (-1 == (pid_fd = fdevent_open_cloexec(pidfile, 0, 
O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH))) {
-                               log_perror(srv->errh, __FILE__, __LINE__,
-                                 "opening pid-file failed: %s", pidfile);
-                               return -1;
-                       }
-               }
-       }
+       if (-1 == pid_fd && 0 != server_pid_file_open(srv, i_am_root))
+               return -1;
 
        {
 #ifdef HAVE_GETRLIMIT
@@ -1733,17 +1744,22 @@
                        log_perror(srv->errh, __FILE__, __LINE__, 
"getrlimit()");
                        use_rlimit = 0;
                }
+               else if (0 == srv->srvconf.max_fds) {
+                       /*(default upper limit of 4k if server.max-fds not 
specified)*/
+                       /*(and if existing rlim_max >= 4096, whether or not 
root)*/
+                       if (rlim.rlim_cur < 4096 && rlim.rlim_max >= 4096)
+                               srv->srvconf.max_fds = 4096;
+               }
+               else if (i_am_root)
+                               rlim.rlim_max = srv->srvconf.max_fds;
 
-               /**
-                * if we are not root can can't increase the fd-limit above 
rlim_max, but we can reduce it
-                */
                if (use_rlimit && srv->srvconf.max_fds
                    && (i_am_root || srv->srvconf.max_fds <= rlim.rlim_max)) {
                        /* set rlimits */
+                       /* root can increase fd-limit above rlim_max, others 
can only reduce it */
 
                        rlim_t rlim_cur = rlim.rlim_cur;
                        rlim.rlim_cur = srv->srvconf.max_fds;
-                       if (i_am_root) rlim.rlim_max = srv->srvconf.max_fds;
 
                        if (0 != setrlimit(RLIMIT_NOFILE, &rlim)) {
                                log_perror(srv->errh, __FILE__, __LINE__, 
"setrlimit()");
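Review bot: The body of the new `else if (i_am_root)` branch is indented two levels deeper than its condition (`rlim.rlim_max = srv->srvconf.max_fds;`), so it reads as if it were nested inside the preceding `else if` block; one level, matching the `srv->srvconf.max_fds = 4096;` line above, is consistent with the rest of the chain. Moving the root-only rlim_max assignment ahead of the `use_rlimit && srv->srvconf.max_fds` guard appears behaviour-neutral, since that branch only runs when the getrlimit() branch did not fire and max_fds is non-zero, but a short comment saying so would spare the next reader the same check. The enclosing block starts and ends outside the hunk.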
@@ -1887,6 +1903,21 @@
 #endif
        }
 
+#if defined(HAVE_SYS_PRCTL_H) && defined(PR_CAP_AMBIENT)
+       /* clear Linux ambient capabilities, if any had been granted
+        * (avoid leaking privileges to CGI or other subprocesses) */
+       if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0L, 0L, 0L) < 0) {
+               log_perror(srv->errh, __FILE__, __LINE__,
+                 "prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL)");
+               return -1;
+       }
+#endif
+
+#ifdef __linux__ /*(might occur w/ root on Linux and w/ limited Capabilities)*/
+       if (-1 == pid_fd && 0 != server_pid_file_open(srv, 0))
+               return -1;
+#endif
+
 #ifdef HAVE_FORK
        /* network is up, let's daemonize ourself */
        if (0 == srv->srvconf.dont_daemonize && 0 == graceful_restart) {
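Review bot: Failure of prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL) is made fatal for startup, but with the arguments fixed as they are here the realistic failure is a kernel that predates ambient capabilities (added in Linux 4.3) returning EINVAL when the binary was built against newer headers; on such a kernel there is no ambient set to leak, so aborting is stricter than needed. Treating that one case as a no-op, `if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0L, 0L, 0L) < 0 && errno != EINVAL) {`, keeps the hardening on hosts that support it while other errors still abort. The enclosing function starts and ends outside the hunk.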
@@ -2349,7 +2380,7 @@
 
         /* clean-up */
         chunkqueue_internal_pipes(0);
-        remove_pid_file(srv);
+        server_pid_file_remove(srv);
         config_log_error_close(srv);
       #ifdef _WIN32
         fdevent_win32_cleanup();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/src/sys-socket.h 
new/lighttpd-1.4.79/src/sys-socket.h
--- old/lighttpd-1.4.78/src/sys-socket.h        2025-03-22 20:40:18.000000000 
+0100
+++ new/lighttpd-1.4.79/src/sys-socket.h        2025-04-04 07:28:20.000000000 
+0200
@@ -40,6 +40,9 @@
 #ifndef UNIX_PATH_MAX
 #define UNIX_PATH_MAX    108
 #endif
+#ifndef SOMAXCONN
+#define SOMAXCONN       1024
+#endif
 
 /* for solaris 2.5 and NetBSD 1.3.x */
 #ifndef HAVE_SOCKLEN_T
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/tests/LightyTest.pm 
new/lighttpd-1.4.79/tests/LightyTest.pm
--- old/lighttpd-1.4.78/tests/LightyTest.pm     2025-03-22 20:40:18.000000000 
+0100
+++ new/lighttpd-1.4.79/tests/LightyTest.pm     2025-04-04 07:28:20.000000000 
+0200
@@ -49,7 +49,8 @@
        #   ($^O eq "MSWin32") is untested; not supported
        $self->{"win32native"} = $^O eq "cygwin"
                              && 0 != system("ldd '$$self{LIGHTTPD_PATH}' | 
grep -q cygwin");
-       if ($^O eq "msys" && 0 != system("ldd '$$self{LIGHTTPD_PATH}' | grep -q 
msys-")) {
+       if (($^O eq "msys" || ($^O eq "cygwin" && exists $ENV{MSYSTEM}))
+            && 0 != system("ldd '$$self{LIGHTTPD_PATH}' | grep -q msys-")) {
                $self->{"win32native"} = 1;
                # Note: msys2 mingw cross compile/link hangs if 
MSYS_NO_PATHCONV is set,
                #       so scope setting MSYS_NO_PATHCONV here for running tests
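Review bot: The msys detection `$^O eq "msys" || ($^O eq "cygwin" && exists $ENV{MSYSTEM})` is now written out three times in this file (here and in the two hunks below) and once more in tests/docroot/cgi.pl, so the next platform tweak has to be applied in four places. A small helper such as `sub _is_msys { return $^O eq "msys" || ($^O eq "cygwin" && exists $ENV{MSYSTEM}); }`, called as `_is_msys()` at each site, would keep them in step. The enclosing method starts and ends outside the hunk.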
@@ -119,7 +120,7 @@
                                chomp($winpid);
                                close($WH);
                        }
-                       my $msys = ($^O eq "msys");
+                       my $msys = ($^O eq "msys" || ($^O eq "cygwin" && exists 
$ENV{MSYSTEM}));
                        my $taskkill = $msys ? 
"/c/Windows/System32/taskkill.exe" : 
"/cygdrive/c/windows/system32/taskkill.exe";
                        if ($winpid) {
                                system($taskkill, '/F', '/T', '/PID', $winpid);
@@ -222,7 +223,7 @@
                        $conf               = cygpath_alm($conf);
                        $modules_path       = cygpath_alm($modules_path);
 
-                       my $msys = ($^O eq "msys");
+                       my $msys = ($^O eq "msys" || ($^O eq "cygwin" && exists 
$ENV{MSYSTEM}));
                        $ENV{CYGROOT}       = cygpath_alm("/", 1);
                        $ENV{CYGVOL}        = $ENV{CYGROOT} =~ m%^([a-z]):%i
                                              ? $msys ? "/$1" : "/cygdrive/$1"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lighttpd-1.4.78/tests/docroot/cgi.pl 
new/lighttpd-1.4.79/tests/docroot/cgi.pl
--- old/lighttpd-1.4.78/tests/docroot/cgi.pl    2025-03-22 20:40:18.000000000 
+0100
+++ new/lighttpd-1.4.79/tests/docroot/cgi.pl    2025-04-04 07:28:20.000000000 
+0200
@@ -41,7 +41,8 @@
     my $path = $prefix . Cwd::getcwd() . "/index.txt";
     # (alternative: run cygpath command, if available, on cygwin or msys2)
     $path = substr($path, length($prefix)+2)
-      if ($^O eq "msys" && uc($ENV{MSYSTEM} || "") ne "MSYS");
+      if (($^O eq "msys" && uc($ENV{MSYSTEM} || "") ne "MSYS")
+          || ($^O eq "cygwin" && exists $ENV{MSYSTEM}));
     $path =~ s#([^\w./-])#"%".unpack("H2",$1)#eg;
 
     print "Status: 200\r\n";
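Review bot: The two arms of the new condition are not symmetric: the msys arm excludes `MSYSTEM=MSYS` via `uc($ENV{MSYSTEM} || "") ne "MSYS"`, while the cygwin arm only tests `exists $ENV{MSYSTEM}` and therefore also fires when MSYSTEM is MSYS. If that is intended (for instance because $^O is "msys" rather than "cygwin" under an MSYS shell), a one-line comment saying so would stop a reader from "fixing" it; if not, the cygwin arm should reuse the same `ne "MSYS"` test. The enclosing block starts and ends outside the hunk.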
