Re: SNI in 2.2.x (Re: Time for 2.2.10?)
Kaspar Brand wrote: Making SNI support configurable at runtime also seems a more attractive solution to me - it would basically mean that in ssl_init_ctx(), the SNI callback is not registered unless it's explicitly configured. I would suggest using something like SSLEnableSNI port [port] ... which would be used as a per-server directive (i.e. not within vhosts, only globally) and enable SNI on the specified ports. Attached is a proof of concept for such an "SSLEnableSNI" config directive (for 2.2.x only). Will need more fine-tuning, most likely, but I would appreciate to get feedback whether this is considered a feasible approach - thanks. Kaspar I managed to find some time to experiment with this patch against 2.2.9, and so far so good. It works as advertised. I'm eager to see SNI included in Apache!
[PATCH] mod_session.c
I was experimenting with mod_session a bit and ran into a segfault when
a cgi script sets a cookie with a null value (eg. "key="). Basically
mod_session tries to do a sanity check on the null value by passing it
to ap_unescape_all which is causing the segfault. But, if you look at
the code there's no need for it, the key was removed from the table
because of the null value and the sanity check is in preparation to add
it back to the table. The attached patch fixes mod_session, but perhaps
unescape_url (which ap_unescape_all calls) should verify that the value
passed to it isn't null. I'm not quite sure what it should return
though which is why I didn't bother touching it.
Index: modules/session/mod_session.c
===
--- modules/session/mod_session.c (revision 678110)
+++ modules/session/mod_session.c (working copy)
@@ -364,7 +364,7 @@
if (!val || !*val) {
apr_table_unset(z->entries, key);
}
-if (!ap_unescape_all(key) && !ap_unescape_all(val)) {
+else if (!ap_unescape_all(key) && !ap_unescape_all(val)) {
if (!strcmp(SESSION_EXPIRY, key)) {
z->expiry = (apr_time_t) apr_atoi64(val);
}
Re: svn commit: r667651 - /httpd/httpd/trunk/modules/aaa/mod_authz_core.c
Thanks for the link and description Brad. It makes sense now. Explains why the default config was giving me a 403. The 'Require all denied' was being inherited from the root directory config. Would it be appropriate to add something like the attached patched to httpd.conf.in? Index: docs/conf/httpd.conf.in === --- docs/conf/httpd.conf.in (revision 675831) +++ docs/conf/httpd.conf.in (working copy) @@ -155,6 +155,12 @@ # Require all granted +# +# AuthzMergeRules controls whether this directory inherits +# its parents authorization rules. By turning it 'Off' +# we don't include the parents 'Require all denied` rule. +# +AuthzMergeRules Off #
Re: svn commit: r667651 - /httpd/httpd/trunk/modules/aaa/mod_authz_core.c
I tried to build Apache from trunk tonight and noticed that this patch
broke something. I'm getting a 403 error when trying to browse to a
clean install. I'm by no means an expert here, but I noticed a few
things which are noted below...
[EMAIL PROTECTED] wrote:
Author: bnicholes
Date: Fri Jun 13 13:59:10 2008
New Revision: 667651
URL: http://svn.apache.org/viewvc?rev=667651&view=rev
Log:
Switch the default base authz logic operation to 'AND' rather than 'OR'. This
should allow directory authz rules merging to be more restrictive in
sub-directories
Modified:
httpd/httpd/trunk/modules/aaa/mod_authz_core.c
Modified: httpd/httpd/trunk/modules/aaa/mod_authz_core.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_core.c?rev=667651&r1=667650&r2=667651&view=diff
==
--- httpd/httpd/trunk/modules/aaa/mod_authz_core.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_core.c Fri Jun 13 13:59:10 2008
@@ -111,13 +111,16 @@
static const char *merge_authz_provider(authz_core_dir_conf *conf,
authz_provider_list *newp);
static void walk_merge_provider_list(apr_pool_t *a, authz_core_dir_conf *conf,
authz_provider_list *providers);
+#define BASE_REQ_STATE AUTHZ_REQSTATE_ALL
+#define BASE_REQ_LEVEL 0
+
static void *create_authz_core_dir_config(apr_pool_t *p, char *dummy)
{
authz_core_dir_conf *conf =
(authz_core_dir_conf *)apr_pcalloc(p, sizeof(authz_core_dir_conf));
-conf->req_state = AUTHZ_REQSTATE_ONE;
-conf->req_state_level = 0;
+conf->req_state = BASE_REQ_STATE;
+conf->req_state_level = BASE_REQ_LEVEL;
conf->merge_rules = 1;
return (void *)conf;
}
Not sure if this was intentional... but the default went from
authz_reqstate_one to authz_reqstate_all. If I change base_req_state to
authz_reqstate_one the 403 disappears, but since I don't know much about
how this is suppose to work it might not be the correct fix.
@@ -180,11 +183,21 @@
/* Walk all of the elements recursively to allow each existing
element to be copied and merged into the final configuration.*/
-if (providers->one_next) {
-walk_merge_provider_list (a, conf, providers->one_next);
+if (BASE_REQ_STATE == AUTHZ_REQSTATE_ONE) {
+if (providers->one_next) {
+walk_merge_provider_list (a, conf, providers->one_next);
+}
+if (providers->all_next) {
+walk_merge_provider_list (a, conf, providers->all_next);
+}
}
-if (providers->all_next) {
-walk_merge_provider_list (a, conf, providers->all_next);
+else {
+if (providers->all_next) {
+walk_merge_provider_list (a, conf, providers->all_next);
+}
+if (providers->one_next) {
+walk_merge_provider_list (a, conf, providers->one_next);
+}
}
base_req_state == authz_reqstate_one will always fail. was this
comparison suppose to be conf->req_state == authz_reqstate_one?
return;
@@ -200,18 +213,30 @@
authz_provider_list *last = conf->providers;
int level = conf->req_state_level;
-/* if the level is 0 then take care of the implicit 'or'
+/* if the level is the base level then take care of the implicit
* operation at this level.
*/
-if (level == 0) {
-/* Just run through the Require_one list and add the
- * node
- */
-while (last->one_next) {
-last = last->one_next;
+if (level == BASE_REQ_LEVEL) {
+if (conf->req_state == AUTHZ_REQSTATE_ONE) {
+/* Just run through the Require_one list and add the
+ * node
+ */
+while (last->one_next) {
+last = last->one_next;
+}
+last->one_next = newp;
+}
+else {
+/* Just run through the Require_all list and add the
+ * node
+ */
+while (last->all_next) {
+last = last->all_next;
+}
+last->all_next = newp;
}
-last->one_next = newp;
}
+
/* if the last nodes level is greater than the new nodes
* level, then we need to insert the new node at this
* point. The req_state of the new node determine
Re: mod_authn_mysql
Justin Erenkrantz wrote: --On Friday, February 14, 2003 4:26 PM -0700 David Shane Holden <[EMAIL PROTECTED]> wrote: My problem isn't managing a pool of connections... it's if process A creates the connection, process B can use it with no problem, but if process C tries to use it, it barfs and spikes in a function in libpq, i think it was pgbytes. You can't really share connections across processes. Across threads, perhaps. But, sharing them across processes is asking for trouble. You'd usually be relying upon shmem which is tricky and not really meant for sharing shm-able data structures. (Some custom OS techniques might be available, but they wouldn't be portable.) -- justin It's starting to look that way, but I'm not done with it yet. I can share a connection across threads in the worker mpm with no problem, I've had ab thrash the hell out of it without any problems. But, as you say, the cross process shm stuff is tricky and extremely frustrating. Shane
Re: mod_authn_mysql
Paul Querna wrote: On Fri, 14 Feb 2003 14:52:07 -0700, David Shane Holden wrote Since there seems to be some interest in including a mysql auth module into the tree, here's a postgres module which I've coded and have been using for the past month or so. As for a connection pool... I haven't figured out a way to have postres use a connection opened by another process... it likes spiking the cpu and sitting in some pqbytes function or some shit like that when doing a query on it. https://dpejesh.dnsalias.net/repos/mod_auth_pgsql/trunk/ Shane I am using apr_reslist to implment pooling of Database connections. My problem isn't managing a pool of connections... it's if process A creates the connection, process B can use it with no problem, but if process C tries to use it, it barfs and spikes in a function in libpq, i think it was pgbytes. Shane
Re: mod_authn_mysql
Since there seems to be some interest in including a mysql auth module into the tree, here's a postgres module which I've coded and have been using for the past month or so. As for a connection pool... I haven't figured out a way to have postres use a connection opened by another process... it likes spiking the cpu and sitting in some pqbytes function or some shit like that when doing a query on it. https://dpejesh.dnsalias.net/repos/mod_auth_pgsql/trunk/ Shane
Re: [patch] rfc1413/mod_ident
William A. Rowe, Jr. wrote: If you cvs add the modules, then cvs diff -N you will get those new (and any removed) sources included in the diff output. I tried that, but got a 'write access required' error so I just attached the new files. Shane
[patch] rfc1413/mod_ident
Propagate the rfc1413/mod_ident changes to Windows.
Shane
? modules/metadata/mod_ident.dsp
? modules/metadata/mod_ident.exp
Index: Apache.dsw
===
RCS file: /home/cvspublic/httpd-2.0/Apache.dsw,v
retrieving revision 1.94
diff -u -r1.94 Apache.dsw
--- Apache.dsw 11 Dec 2002 06:13:02 - 1.94
+++ Apache.dsw 19 Jan 2003 06:40:04 -
@@ -1212,6 +1212,27 @@
###
+Project: "mod_ident"=".\modules\metadata\mod_ident.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+Begin Project Dependency
+Project_Dep_Name libapr
+End Project Dependency
+Begin Project Dependency
+Project_Dep_Name libaprutil
+End Project Dependency
+Begin Project Dependency
+Project_Dep_Name libhttpd
+End Project Dependency
+}}}
+
+###
+
Project: "mod_imap"=".\modules\mappers\mod_imap.dsp" - Package Owner=<4>
Package=<5>
Index: Makefile.win
===
RCS file: /home/cvspublic/httpd-2.0/Makefile.win,v
retrieving revision 1.124
diff -u -r1.124 Makefile.win
--- Makefile.win18 Jan 2003 02:26:45 - 1.124
+++ Makefile.win19 Jan 2003 06:40:04 -
@@ -277,6 +277,7 @@
$(MAKE) $(MAKEOPT) -f mod_env.mak CFG="mod_env - Win32 $(LONG)"
RECURSE=0 $(CTARGET)
$(MAKE) $(MAKEOPT) -f mod_expires.mak CFG="mod_expires - Win32 $(LONG)"
RECURSE=0 $(CTARGET)
$(MAKE) $(MAKEOPT) -f mod_headers.mak CFG="mod_headers - Win32 $(LONG)"
RECURSE=0 $(CTARGET)
+$(MAKE) $(MAKEOPT) -f mod_ident.mak CFG="mod_ident - Win32 $(LONG)"
+RECURSE=0 $(CTARGET)
$(MAKE) $(MAKEOPT) -f mod_mime_magic.mak CFG="mod_mime_magic - Win32
$(LONG)" RECURSE=0 $(CTARGET)
$(MAKE) $(MAKEOPT) -f mod_setenvif.makCFG="mod_setenvif - Win32 $(LONG)"
RECURSE=0 $(CTARGET)
$(MAKE) $(MAKEOPT) -f mod_unique_id.mak CFG="mod_unique_id - Win32 $(LONG)"
RECURSE=0 $(CTARGET)
@@ -432,6 +433,7 @@
copy modules\metadata\$(LONG)\mod_env.so "$(INSTDIR)\modules" <.y
copy modules\metadata\$(LONG)\mod_expires.so "$(INSTDIR)\modules" <.y
copy modules\metadata\$(LONG)\mod_headers.so "$(INSTDIR)\modules" <.y
+ copy modules\metadata\$(LONG)\mod_ident.so "$(INSTDIR)\modules" <.y
copy modules\metadata\$(LONG)\mod_mime_magic.so "$(INSTDIR)\modules" <.y
copy modules\metadata\$(LONG)\mod_setenvif.so "$(INSTDIR)\modules" <.y
copy modules\metadata\$(LONG)\mod_unique_id.so "$(INSTDIR)\modules" <.y
@@ -488,6 +490,7 @@
copy modules\metadata\$(LONG)\mod_env.pdb "$(INSTDIR)\modules" <.y
copy modules\metadata\$(LONG)\mod_expires.pdb "$(INSTDIR)\modules" <.y
copy modules\metadata\$(LONG)\mod_headers.pdb "$(INSTDIR)\modules" <.y
+ copy modules\metadata\$(LONG)\mod_ident.pdb "$(INSTDIR)\modules" <.y
copy modules\metadata\$(LONG)\mod_mime_magic.pdb "$(INSTDIR)\modules" <.y
copy modules\metadata\$(LONG)\mod_setenvif.pdb "$(INSTDIR)\modules" <.y
copy modules\metadata\$(LONG)\mod_unique_id.pdb "$(INSTDIR)\modules" <.y
Index: libhttpd.dsp
===
RCS file: /home/cvspublic/httpd-2.0/libhttpd.dsp,v
retrieving revision 1.51
diff -u -r1.51 libhttpd.dsp
--- libhttpd.dsp20 Sep 2002 06:06:41 - 1.51
+++ libhttpd.dsp19 Jan 2003 06:40:04 -
@@ -405,14 +405,6 @@
# End Source File
# Begin Source File
-SOURCE=.\server\rfc1413.c
-# End Source File
-# Begin Source File
-
-SOURCE=.\include\rfc1413.h
-# End Source File
-# Begin Source File
-
SOURCE=.\server\util.c
# End Source File
# Begin Source File
Index: build/nw_export.inc
===
RCS file: /home/cvspublic/httpd-2.0/build/nw_export.inc,v
retrieving revision 1.4
diff -u -r1.4 nw_export.inc
--- build/nw_export.inc 13 Nov 2002 21:14:02 - 1.4
+++ build/nw_export.inc 19 Jan 2003 06:40:04 -
@@ -34,7 +34,6 @@
#include "http_vhost.h"
#include "mpm_common.h"
#include "pcreposix.h"
-#include "rfc1413.h"
#include "scoreboard.h"
#include "util_cfgtree.h"
#include "util_charset.h"
Index: os/win32/BaseAddr.ref
===
RCS file: /home/cvspublic/httpd-2.0/os/win32/BaseAddr.ref,v
retrieving revision 1.23
diff -u -r1.23 BaseAddr.ref
--- os/win32/BaseAddr.ref 1 Dec 2002 23:38:44 - 1.23
+++ os/win32/BaseAddr.ref 19 Jan 2003 06:40:05 -
@@ -63,3 +63,4 @@
mod_logio0x6FAE0x0001
util_ldap0x6FAD0x0001
mod_auth_ldap0x6FAC0x0001
+mod_ident0x6FAB0x0001
ident_module
# Microsoft Developer Studio Project File - Name=
[patch] Makefile.in
Is there any reason why mod_auth.h shouldn't be copied over during a 'make install' for 3rd party auth modules to use? Shane Index: Makefile.in === RCS file: /home/cvspublic/httpd-2.0/Makefile.in,v retrieving revision 1.127 diff -u -r1.127 Makefile.in --- Makefile.in 30 Sep 2002 15:34:40 - 1.127 +++ Makefile.in 10 Jan 2003 03:05:33 - @@ -169,6 +169,7 @@ cp -p $(srcdir)/os/$(OS_DIR)/os-inline.c $(DESTDIR)$(includedir); \ fi; @cp -p $(srcdir)/server/mpm/$(MPM_SUBDIR_NAME)/*.h $(DESTDIR)$(includedir) + @cp -p $(srcdir)/modules/aaa/mod_auth.h $(DESTDIR)$(includedir) @cp -p $(srcdir)/modules/dav/main/mod_dav.h $(DESTDIR)$(includedir) @cp -p $(srcdir)/modules/filters/mod_include.h $(DESTDIR)$(includedir) @cp -p $(srcdir)/modules/generators/mod_cgi.h $(DESTDIR)$(includedir)
Re: CVS, SSH and Windows
Here's the solution I came to after dickin' around for hours with it a few months ago... Install ssh from http://www.networksimplicity.com/openssh/. You _cannot_ have cygwin installed along side this port of openssh. If you want to use key authenication store your private key as c:\program files\networksimplicity\.ssh\id_rsa and follow the standard steps to enable it on the server. The drawback to this method is you're only allowed one private key for the entire box, meaning you cannot have multiple users with their own keys. But that shouldn't be a problem if its your own machine and nobody else touches it. Then you need to get the CVS tarball from cvshome.org. You'll run into a problem compiling the 1.11.2 client on Windows. For some reason a file was left out. Have a look at http://mail.gnu.org/pipermail/info-cvs/2002-April/027542.html, follow the instructions and it should build with no problem, except for the few hundred warnings. :) I'm assuming you're using VC 6 here. The reason I recommend using netsimp's ssh is that it runs as a native windows app. You don't need to fire up cygwin and run ssh from within the shell, which is hella inconvenient. Now if anybody else knows of a Windows ssh client that's open/free and sports key authenication I'd like to hear of it. I haven't tried to use WinCVS, so I'm of no help there, but hopefully this way will help you some. Personally I prefer the command line client over the GUI anyway. Now that I think about it, as long as your key is in the right place and WinCVS uses the right ssh executable it should work with any CVS client. Hopefully I didn't leave anything out, if I did, I apologize, Shane Bill Stoddard wrote: > When you figure it out, please update the developer docs (on > httpd.apache.org/dev/) with the info. > > Bill > > >>-Original Message- >>From: Graham Leggett [mailto:[EMAIL PROTECTED]] >>Sent: Tuesday, September 10, 2002 9:51 AM >>To: [EMAIL PROTECTED] >>Subject: OT: CVS, SSH and Windows >> >> >>Hi all, >> >>I'm asking this here as there are people here who have probably got this >>to work, please mail me privately. >> >>I am trying to get WinCVS to connect to a CVS server via SSH. Both >>myself and another person have independantly followed the available docs >>and howtos, and have got nowhere - SSH insists on asking for a password >>on every connection attempt, and won't cooperate. >> >>What do Windows users here use to access CVS over SSH? Is it possible to >>describe what you did to make it work...? >> >>Regards, >>Graham >>-- >>- >>[EMAIL PROTECTED] "There's a moon >> over Bourbon Street >> tonight..." >> > >
Re: cvs commit: httpd-2.0/docs/conf httpd-nw.conf httpd-std.conf.inhttpd-win.conf
[EMAIL PROTECTED] wrote: > ianh2002/09/03 08:54:46 > > Modified:.CHANGES >docs/conf httpd-nw.conf httpd-std.conf.in httpd-win.conf > Log: > switch x-icon to httpd.conf instead of mime.types Did you mean to leave x-icon in mime.types? Shane
Re: [VOTE] Location of aaa rewrite
[ ] Check in aaa rewrite to 2.0. [x] Check in aaa rewrite to 2.1. Shane
httpd-dist directory descriptions
The .htaccess file isn't setup correctly to display the descriptions of the directories. Shane Index: .htaccess === RCS file: /home/cvspublic/httpd-dist/.htaccess,v retrieving revision 1.78 diff -u -r1.78 .htaccess --- .htaccess 9 Aug 2002 19:31:06 - 1.78 +++ .htaccess 16 Aug 2002 03:02:13 - @@ -33,7 +33,7 @@ AddDescription "List of changes in 1.3" CHANGES_1.3 AddDescription "List of changes in 2.0" CHANGES_2.0 AddDescription "Developer PGP/GPG keys" KEYS -AddDescription "Binary distributions" binaries -AddDescription "Contributed software" contrib -AddDescription "Old source & binaries" old -AddDescription "Official patches" patches +AddDescription "Binary distributions" binaries/ +AddDescription "Contributed software" contrib/ +AddDescription "Old source & binaries" old/ +AddDescription "Official patches" patches/
Re: daedalus is running httpd-2.0.pre40
Greg Ames wrote: > > uhhh, that clobbers httpd.conf, and they'd tar and feather us for sure. But if > we leave out that piece, it's close to what's happening now: I didn't mean overwrite it, I shoulda said 'copy if it doesn't exist'. My bad. > > . make a conf/ directory if it doesn't already exist > . if mime.types or magic don't already exist, copy them > . always copy in *-std.conf (httpd-std.conf and ssl-std.conf for now) with We don't need the -std or the template files... they're useless if you already have a configured and running server. Shane
Re: daedalus is running httpd-2.0.pre40
Ryan Bloom wrote: > > I don't, but I am not going to argue anymore. I will simply say that > the way things work now, I am going to have a bunch of useless files > sitting in the conf/ directory of all of my production machines, because > every time I upgrade Apache, I will get all of the files that I have > deleted before. > > The conf/ directory is mine as a user. An initial installation copies > some default files around, because that is nice for us to do. > Subsequent installations should leave the directory alone, because that > directory is mine. The same way we leave the cgi-bin, htdocs, and error > directories alone. The only thing an upgrade should do, is to touch > binaries and manuals. Everything else is owned by the user. > I agree with Ryan wholeheartedly here. Here's an idea... If conf/ exist, copy httpd.conf, magic, and mime.types (These are basic files that all conf/ should have, right?). If conf/ does not exist, copy everything. Or... If we must pollute conf/ have a configure tag such as '--preserve-conf' which prevents conf/ from being played with at all. I'd like to see conf/ left alone period, just like Apache was doing a week or so ago, but that's just me. Shane
[patch] mpm_winnt.c sleep timer
Here's an updated patch to remove the sleep timer that uses an unnamed event
and sends it to the child process through send_handles_to_child.
Shane
Index: mpm_winnt.c
===
RCS file: /home/cvspublic/httpd-2.0/server/mpm/winnt/mpm_winnt.c,v
retrieving revision 1.287
diff -u -r1.287 mpm_winnt.c
--- mpm_winnt.c 15 Jul 2002 08:05:10 - 1.287
+++ mpm_winnt.c 20 Jul 2002 06:24:47 -
@@ -119,6 +119,7 @@
static HANDLE shutdown_event; /* used to signal the parent to shutdown */
static HANDLE restart_event; /* used to signal the parent to restart */
+static HANDLE ready_event; /* used to signal the parent to duplicate sockets */
static HANDLE exit_event; /* used by parent to signal the child to exit */
static HANDLE max_requests_per_child_event;
@@ -605,6 +606,14 @@
apr_status_t rv;
pipe = GetStdHandle(STD_INPUT_HANDLE);
+if (!ReadFile(pipe, &ready_event, sizeof(HANDLE),
+ &BytesRead, (LPOVERLAPPED) NULL)
+|| (BytesRead != sizeof(HANDLE))) {
+ap_log_error(APLOG_MARK, APLOG_CRIT, apr_get_os_error(), ap_server_conf,
+ "Child %d: Unable to retrieve the ready event from the parent",
+my_pid);
+exit(APEXIT_CHILDINIT);
+}
+
if (!ReadFile(pipe, &exit_event, sizeof(HANDLE),
&BytesRead, (LPOVERLAPPED) NULL)
|| (BytesRead != sizeof(HANDLE))) {
@@ -1467,7 +1476,11 @@
CloseHandle(exit_event);
}
-static int send_handles_to_child(apr_pool_t *p, HANDLE child_exit_event, HANDLE
hProcess, apr_file_t *child_in)
+static int send_handles_to_child(apr_pool_t *p,
+ HANDLE child_ready_event,
+ HANDLE child_exit_event,
+ HANDLE hProcess,
+ apr_file_t *child_in)
{
apr_status_t rv;
HANDLE hScore;
@@ -1475,6 +1488,18 @@
HANDLE hCurrentProcess = GetCurrentProcess();
DWORD BytesWritten;
+if (!DuplicateHandle(hCurrentProcess, child_ready_event, hProcess, &hDup,
+EVENT_MODIFY_STATE | SYNCHRONIZE, FALSE, 0)) {
+ap_log_error(APLOG_MARK, APLOG_CRIT, apr_get_os_error(), ap_server_conf,
+ "Parent: Unable to duplicate the ready event handle for the
+child");
+return -1;
+}
+if ((rv = apr_file_write_full(child_in, &hDup, sizeof(hDup), &BytesWritten))
+!= APR_SUCCESS) {
+ap_log_error(APLOG_MARK, APLOG_CRIT, rv, ap_server_conf,
+ "Parent: Unable to send the exit event handle to the child");
+return -1;
+}
if (!DuplicateHandle(hCurrentProcess, child_exit_event, hProcess, &hDup,
EVENT_MODIFY_STATE | SYNCHRONIZE, FALSE, 0)) {
ap_log_error(APLOG_MARK, APLOG_CRIT, apr_get_os_error(), ap_server_conf,
@@ -1487,7 +1512,6 @@
"Parent: Unable to send the exit event handle to the child");
return -1;
}
-
if ((rv = apr_os_shm_get(&hScore, ap_scoreboard_shm)) != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_CRIT, rv, ap_server_conf,
"Parent: Unable to retrieve the scoreboard handle for the
child");
@@ -1568,6 +1592,7 @@
apr_file_t *child_err;
apr_proc_t new_child;
HANDLE hExitEvent;
+HANDLE hReadyEvent;
char *cmd;
char *cwd;
@@ -1649,6 +1674,15 @@
}
}
+/* Create the child_ready_event */
+hReadyEvent = CreateEvent (NULL, TRUE, FALSE, NULL);
+if (!hReadyEvent) {
+ap_log_error (APLOG_MARK, APLOG_CRIT, apr_get_os_error (), ap_server_conf,
+ "Parent: Could not create ready event for child process");
+apr_pool_destroy (ptemp);
+return -1;
+}
+
/* Create the child_exit_event */
hExitEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
if (!hExitEvent) {
@@ -1687,7 +1721,8 @@
ap_log_error(APLOG_MARK, APLOG_NOTICE, APR_SUCCESS, ap_server_conf,
"Parent: Created child process %d", new_child.pid);
-if (send_handles_to_child(ptemp, hExitEvent, new_child.hproc, new_child.in)) {
+if (send_handles_to_child(ptemp, hReadyEvent, hExitEvent,
+ new_child.hproc, new_child.in)) {
/*
* This error is fatal, mop up the child and move on
* We toggle the child's exit event to cause this child
@@ -1705,10 +1740,8 @@
* We have already set the listening sockets noninheritable, but if
* WSADuplicateSocket runs before the child process initializes
* the listeners will be inherited anyway.
- *
- * XXX: This is badness; needs some mutex interlocking
*/
-Sleep(1000);
+WaitForSingleObject (hReadyEvent, INFINITE);
if (send_listeners_to_child(ptemp, new_child.pid, new_child.in)) {
/*
@@ -2464,6 +2497,8 @@
if (!one_process) {
/* Set up even
Re: [PATCH] Makefile.win
William A. Rowe, Jr. wrote:
>
> Ugh. -1 ... you eliminate the ability for VC5 users to build these
> modules.
> VC5 never supported invoking the IDE from the command line.
>
> No, we don't distribute .mak files from CVS, but any VC5 or VC6 user
> can export the make files after doing one full build from the IDE [you need
> all the files to exist before VC will determine the references correctly.]
I see, I see.
>
> Here is what's left of the patch I applied. The intermingled stuff was
> too much to battle, feel free to submit anything I'd missed, aside from
> eliminating .mak builds.
A few 'silencers'.
Index: Makefile.win
===
RCS file: /home/cvspublic/httpd-2.0/Makefile.win,v
retrieving revision 1.109
diff -u -r1.109 Makefile.win
--- Makefile.win18 Jul 2002 18:57:36 - 1.109
+++ Makefile.win18 Jul 2002 19:26:11 -
@@ -69,7 +69,7 @@
devenv Apache.sln /useenv $(CTARGET) $(LONG) /project mod_ssl
devenv Apache.sln /useenv $(CTARGET) $(LONG) /project abs
!ELSE
- msdev Apache.dsw /USEENV /MAKE \
+ @msdev Apache.dsw /USEENV /MAKE \
"mod_ssl - Win32 $(LONG)" \
"abs - Win32 $(LONG)" /NORECURSE $(CTARGET)
!ENDIF
@@ -96,7 +96,7 @@
!ELSEIF EXIST("Apache.sln")
devenv Apache.sln /useenv $(CTARGET) $(LONG) /project mod_deflate
!ELSE
- msdev Apache.dsw /USEENV /MAKE \
+ @msdev Apache.dsw /USEENV /MAKE \
"mod_deflate - Win32 $(LONG)" /NORECURSE $(CTARGET)
!ENDIF
@@ -152,16 +152,16 @@
cd ..
_apacher:
- $(MAKE) $(MAKEOPT) -f Makefile.win SHORT=R LONG=Release _build
+ @$(MAKE) $(MAKEOPT) -f Makefile.win SHORT=R LONG=Release _build
_apached:
- $(MAKE) $(MAKEOPT) -f Makefile.win SHORT=D LONG=Debug _build
+ @$(MAKE) $(MAKEOPT) -f Makefile.win SHORT=D LONG=Debug _build
installr:
- $(MAKE) $(MAKEOPT) -f Makefile.win SHORT=R LONG=Release _build _install
+ @$(MAKE) $(MAKEOPT) -f Makefile.win SHORT=R LONG=Release _build _install
installd:
- $(MAKE) $(MAKEOPT) -f Makefile.win SHORT=D LONG=Debug _build _install
+ @$(MAKE) $(MAKEOPT) -f Makefile.win SHORT=D LONG=Debug _build _install
clean: _cleanr _cleand
-if exist Browse\. rd /s Browse < << > nul
[PATCH] Makefile.win
- Cleans up the garbled output.
- Fixes a few grammatical errors and incorrect path information.
- Removes building from .mak files.
Is building browse information from the command line useful?
It doesn't build as it is, and from what I know the only real benefit
of browse info is when it's used in conjunction with the IDE.
Shane
Index: Makefile.win
===
RCS file: /home/cvspublic/httpd-2.0/Makefile.win,v
retrieving revision 1.108
diff -u -r1.108 Makefile.win
--- Makefile.win13 Jul 2002 06:01:10 - 1.108
+++ Makefile.win18 Jul 2002 18:08:42 -
@@ -25,7 +25,7 @@
# so the server root should be given in forward slashes (quoted),
# preferably with the drive designation!
-default:_apacher
+default: _apacher
!IF ("$(CTARGET)" == "") && EXIST("Apache.sln")
CTARGET=/build
@@ -58,18 +58,11 @@
!ENDIF
_tryssl:
-!IF EXIST("modules\ssl\mod_ssl.mak")
- cd modules\ssl
- $(MAKE) $(MAKEOPT) -f mod_ssl.mak CFG="mod_ssl - Win32 $(LONG)" RECURSE=0
.\$(LONG)\mod_ssl.so
- cd ..\..
- cd support
- $(MAKE) $(MAKEOPT) -f abs.mak CFG="abs - Win32 $(LONG)" RECURSE=0
.\$(LONG)\abs.exe
- cd ..
-!ELSEIF EXIST("Apache.sln")
+!IF EXIST("Apache.sln")
devenv Apache.sln /useenv $(CTARGET) $(LONG) /project mod_ssl
devenv Apache.sln /useenv $(CTARGET) $(LONG) /project abs
!ELSE
- msdev Apache.dsw /USEENV /MAKE \
+ @msdev Apache.dsw /USEENV /MAKE \
"mod_ssl - Win32 $(LONG)" \
"abs - Win32 $(LONG)" /NORECURSE $(CTARGET)
!ENDIF
@@ -78,24 +71,21 @@
# NOT EXIST("srclib\openssl")
_tryssl:
- echo mod_ssl and ab/ssl will not build without openssl
- echo installed in $(INSTDIR)\srclib\openssl. They must be precompiled
- echo using the ms/ntdll.mak file, see srclib\openssl\INSTALL.W32.
- echo The most recent version confirmed to build with mod_ssl and ab
- echo was 0.9.6c available from http://www.openssl.org/
+ @echo -
+ @echo mod_ssl and ab/ssl will not build unless openssl is installed
+ @echo in srclib\openssl. They must be precompiled using the
+ @echo ms/ntdll.mak file, see srclib\openssl\INSTALL.W32. The most
+ @echo recent version confirmed to build with mod_ssl and ab is 0.9.6c.
+ @echo Available from http://www.openssl.org/
!ENDIF
!IF EXIST("srclib\zlib")
_tryzlib:
-!IF EXIST("modules\filters\mod_deflate.mak")
- cd modules\filters
- $(MAKE) $(MAKEOPT) -f mod_deflate.mak CFG="mod_deflate - Win32 $(LONG)"
RECURSE=0 .\$(LONG)\mod_deflate.so
- cd ..\..
-!ELSEIF EXIST("Apache.sln")
+!IF EXIST("Apache.sln")
devenv Apache.sln /useenv $(CTARGET) $(LONG) /project mod_deflate
!ELSE
- msdev Apache.dsw /USEENV /MAKE \
+ @msdev Apache.dsw /USEENV /MAKE \
"mod_deflate - Win32 $(LONG)" /NORECURSE $(CTARGET)
!ENDIF
@@ -103,25 +93,33 @@
# NOT EXIST("srclib\zlib")
_tryzlib:
- echo mod_deflate will not build without zlib installed in
- echo $(INSTDIR)\srclib\zlib.
- echo Zlib needs not be built, we compile the sources directly.
+ @echo -
+ @echo mod_deflate will not build unless zlib is installed in srclib\zlib.
+ @echo zlib does not need to be built, we compile the sources directly.
+ @echo Available from http://www.gzip.org/zlib/
!ENDIF
!IF "$(INSTDIR)" == ""
INSTDIR=\Apache2
-!MESSAGE INSTDIR not specified, installing to default $(INSTDIR)
-!ENDIF
+!ENDIF
+!IF "$(SERVERNAME)" == ""
+SERVERNAME=localhost
+!ENDIF
!IF "$(PORT)" == ""
PORT=80
-!MESSAGE PORT not specified, using default $(PORT)
-!MESSAGE To change this use $(MAKE) -f makefile.win PORT=8080 installr
!ENDIF
-!IF "$(SERVERNAME)" == ""
-SERVERNAME=localhost
-!MESSAGE SERVERNAME not specified, using default $(SERVERNAME)
-!MESSAGE To change this use $(MAKE) -f makefile.win PORT=www.example.com installr
+
+!IF "$(LONG)" == ""
+!MESSAGE
+!MESSAGE INSTDIR= $(INSTDIR)
+!MESSAGE SERVERNAME = $(SERVERNAME)
+!MESSAGE PORT = $(PORT)
+!MESSAGE
+!MESSAGE To change these options use 'nmake /f Makefile.win [option=value]'
+!MESSAGE Example: nmake /f Makefile.win PORT=8080
+!MESSAGE
+!MESSAGE
!ENDIF
!IFNDEF MAKEOPT
@@ -143,148 +141,23 @@
cd ..
_apacher:
- $(MAKE) $(MAKEOPT) -f Makefile.win SHORT=R LONG=Release _build
+ @$(MAKE) $(MAKEOPT) -f Makefile.win SHORT=R LONG=Release _build
_apached:
- $(MAKE) $(MAKEOPT) -f Makefile.win SHORT=D LONG=Debug _build
+ @$(MAKE) $(MAKEOPT) -f Makefile.win SHORT=D LONG=Debug _build
installr:
- $(MAKE) $(MAKEOPT) -f Makefile.win SHORT=R LONG=Release _build _install
+ @$(MAKE) $(MAKEOPT) -f Makefile.win SHORT=R LONG=Release _build _install
installd:
- $(MAKE) $(MAKEOPT) -f Makefile.win SHORT=D LONG=Debug _build _install
+ @$(MAKE) $(MAKEOPT) -f Makefile.w
[PATCH] libhttpd.dsp
Removes the long ago deleted mpm_status.h from the project file. Shane Index: libhttpd.dsp === RCS file: /home/cvspublic/httpd-2.0/libhttpd.dsp,v retrieving revision 1.48 diff -u -r1.48 libhttpd.dsp --- libhttpd.dsp13 Jul 2002 06:33:13 - 1.48 +++ libhttpd.dsp18 Jul 2002 04:33:21 - @@ -615,10 +615,6 @@ # Begin Source File SOURCE=.\server\mpm\winnt\mpm_default.h -# End Source File -# Begin Source File - -SOURCE=.\include\mpm_status.h # End Source File # Begin Source File
Re: HEAD is borked
I've noticed this aswell. I have Apache running on a machine using an internal IP and if I connect to it with another machine using an internal IP it sits there for exactly 5 minutes before sending back the respone. But if someone connects with a real IP from the Internet everything works fine. I've tested this on both Win2k and Linux. Justin Erenkrantz wrote: >On Mon, Jul 15, 2002 at 11:27:30PM -0500, Karl Fogel wrote: > > >>There have been a lot of changes to APR's poll code lately; it looks >>like some of them cause httpd-2.0 to freeze up while processing a >>request. Using the latest httpd-2.0, I was unable to check out a tree >> >> > >Any HTTP/1.1 request is hanging for me (incl. static pages). > >Investigating. -- justin > > >
[PATCH] ApacheMonitor.c
This patch fixes AM where it throws an error window when trying to control
the service for lack of query status access.
I don't want Mladen to feel like I'm stepping on his toes, but I really
don't like
using the generic access unless there's a good reason to. So I changed
all the
service calls to use only the access rights that are needed. Which IMO
is the
more logical approach, but I might be wrong.
Shane
Index: ApacheMonitor.c
===
RCS file: /home/cvspublic/httpd-2.0/support/win32/ApacheMonitor.c,v
retrieving revision 1.21
diff -u -3 -r1.21 ApacheMonitor.c
--- ApacheMonitor.c 9 Jul 2002 17:13:48 - 1.21
+++ ApacheMonitor.c 12 Jul 2002 17:32:26 -
@@ -780,13 +780,14 @@
else
{
schSCManager = OpenSCManager(szComputerName, NULL,
- GENERIC_EXECUTE);
+ SC_MANAGER_CONNECT);
if (!schSCManager) {
return FALSE;
}
schService = OpenService(schSCManager, szServiceName,
- GENERIC_EXECUTE);
+ SERVICE_QUERY_STATUS | SERVICE_START |
+ SERVICE_STOP | SERVICE_USER_DEFINED_CONTROL);
if (schService != NULL)
{
retValue = FALSE;
@@ -937,7 +938,7 @@
{
dwPid = 0;
schSCManager = OpenSCManager(szComputerName, NULL,
- GENERIC_READ);
+ SC_MANAGER_CONNECT);
if (!schSCManager) {
return FALSE;
}
Re: [PATCH] mpm/winnt service permissions
That's the responsibility of Windows. By forcing admin privileges to
call
apache -k * isn't creating any kind of security. Anybody could create a
simple
five like program or open up services from the control panel to control
apache
if their account has the rights to do so. Just because apache.exe and
AM forces
admin requirements, the system does not.
But I think I see what you're saying and to enforce that we'd need to
add account
checking to the startup code, not the service control code.
Shane
Mladen Turk wrote:
>Just one thought :-)
>
>I think that at least Administrator privileges are needed to start the
>services.
>The ApacheMonitor will definitely need that once when async behavior
>will be used, so that calls for starting services gets serialized with
>LockServiceDatabase that needs Admin privileges.
>So I'm for the GENERIC_READ/GENERIC_WRITE/GENERIC_EXECUTE generic access
>types, and not for finding security holes. Neither AM nor Apache
>shouldn't brake that allowing starting or stopping something that cannot
>be done through Service Manager itself, and should report that as access
>violation errors.
>
>MT.
>
>
>
>>-Original Message-
>>From: David Shane Holden [mailto:[EMAIL PROTECTED]]
>>Sent: Wednesday, July 10, 2002 2:28 AM
>>To: [EMAIL PROTECTED]
>>Subject: Re: [PATCH] mpm/winnt service permissions
>>
>>
>>Correct me if I'm wrong, but it sounds like you think this is for
>>ApacheMonitor. This is for the winnt mpm itself.
>>I thought your patch this morning was for the mpm just as I
>>believe you
>>think this is for the monitor.
>>
>>Shane
>>
>>
>>William A. Rowe, Jr. wrote:
>>
>>
>>
>>>At 01:40 PM 7/9/2002, you wrote:
>>>
>>>
>>>
>>>>This patch sets the calls to OpenSCManager and OpenService
>>>>
>>>>
>>to use the
>>
>>
>>>>minimum required privileges.
>>>>
>>>>
>>>Cool. Could you cvs up to grab the latest version with Mladen's
>>>patch, compare your suggested changes to his latest changes for
>>>requested privileges, and provide an updated patch to discuss?
>>>
>>>Bill
>>>
>>>
>>>
>
>
>
>>>>- SC_MANAGER_ALL_ACCESS);
>>>>+ SC_MANAGER_CONNECT);
>>>> if (!schSCManager) {
>>>> rv = apr_get_os_error();
>>>> ap_log_error(APLOG_MARK, APLOG_ERR |
>>>>
>>>>
>>APLOG_STARTUP, rv,
>>
>>
>>>>NULL,
>>>>@@ -1265,7 +1262,7 @@
>>>> SC_HANDLE schSCManager;
>>>>
>>>> schSCManager = OpenSCManager(NULL, NULL, //
>>>>
>>>>
>>default machine
>>
>>
>>>>& database
>>>>- SC_MANAGER_ALL_ACCESS);
>>>>+ SC_MANAGER_CONNECT);
>>>>
>>>> if (!schSCManager) {
>>>> ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP,
>>>>apr_get_os_error(), NULL,
>>>>@@ -1275,7 +1272,8 @@
>>>>
>>>> /* ###: utf-ize */
>>>> schService = OpenService(schSCManager, mpm_service_name,
>>>>- SERVICE_ALL_ACCESS);
>>>>+ SERVICE_INTERROGATE |
>>>>SERVICE_QUERY_STATUS |
>>>>+ SERVICE_START | SERVICE_STOP);
>>>>
>>>> if (schService == NULL) {
>>>> /* Could not open the service */
>>>>
>>>>
>>>
>>>
>>
>>
>
>
>
Re: [PATCH] mpm/winnt service permissions
Correct me if I'm wrong, but it sounds like you think this is for
ApacheMonitor. This is for the winnt mpm itself.
I thought your patch this morning was for the mpm just as I believe you
think this is for the monitor.
Shane
William A. Rowe, Jr. wrote:
> At 01:40 PM 7/9/2002, you wrote:
>
>> This patch sets the calls to OpenSCManager and OpenService to use the
>> minimum required privileges.
>
>
> Cool. Could you cvs up to grab the latest version with Mladen's patch,
> compare your suggested changes to his latest changes for requested
> privileges, and provide an updated patch to discuss?
>
> Bill
>
>
>> Index: service.c
>> ===
>> RCS file: /home/cvspublic/httpd-2.0/server/mpm/winnt/service.c,v
>> retrieving revision 1.56
>> diff -u -3 -r1.56 service.c
>> --- service.c 2 Jul 2002 19:03:15 - 1.56
>> +++ service.c 9 Jul 2002 18:02:38 -
>> @@ -483,10 +483,10 @@
>> if ((osver.dwPlatformId == VER_PLATFORM_WIN32_NT)
>>&& (osver.dwMajorVersion > 4)
>>&& (ChangeServiceConfig2)
>> - && (schSCManager = OpenSCManager(NULL, NULL,
>> SC_MANAGER_ALL_ACCESS)))
>> + && (schSCManager = OpenSCManager(NULL, NULL,
>> SC_MANAGER_CONNECT)))
>> {
>> SC_HANDLE schService = OpenService(schSCManager,
>> mpm_service_name,
>> - SERVICE_ALL_ACCESS);
>> + SERVICE_CHANGE_CONFIG);
>> if (schService) {
>> /* Cast is necessary, ChangeServiceConfig2 handles multiple
>> * object types, some volatile, some not.
>> @@ -854,10 +854,9 @@
>> {
>> SC_HANDLE schService;
>> SC_HANDLE schSCManager;
>> -
>> -// TODO: Determine the minimum permissions required for
>> security
>> +
>> schSCManager = OpenSCManager(NULL, NULL, /* local, default
>> database */
>> - SC_MANAGER_ALL_ACCESS);
>> + SC_MANAGER_CREATE_SERVICE);
>> if (!schSCManager) {
>> rv = apr_get_os_error();
>> ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP, rv,
>> NULL,
>> @@ -870,7 +869,7 @@
>> if (reconfig) {
>> /* ###: utf-ize */
>> schService = OpenService(schSCManager, mpm_service_name,
>> - SERVICE_ALL_ACCESS);
>> + SERVICE_CHANGE_CONFIG);
>> if (!schService) {
>> ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_ERR,
>> apr_get_os_error(), NULL,
>> @@ -1008,9 +1007,8 @@
>>
>> fprintf(stderr,"Removing the %s service\n", mpm_display_name);
>>
>> -// TODO: Determine the minimum permissions required for
>> security
>> schSCManager = OpenSCManager(NULL, NULL, /* local, default
>> database */
>> - SC_MANAGER_ALL_ACCESS);
>> + SC_MANAGER_CONNECT);
>> if (!schSCManager) {
>> rv = apr_get_os_error();
>> ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP, rv,
>> NULL,
>> @@ -1019,7 +1017,7 @@
>> }
>>
>> /* ###: utf-ize */
>> -schService = OpenService(schSCManager, mpm_service_name,
>> SERVICE_ALL_ACCESS);
>> +schService = OpenService(schSCManager, mpm_service_name,
>> DELETE);
>>
>> if (!schService) {
>> rv = apr_get_os_error();
>> @@ -1123,9 +1121,8 @@
>> SC_HANDLE schService;
>> SC_HANDLE schSCManager;
>>
>> -// TODO: Determine the minimum permissions required for
>> security
>> schSCManager = OpenSCManager(NULL, NULL, /* local, default
>> database */
>> - SC_MANAGER_ALL_ACCESS);
>> + SC_MANAGER_CONNECT);
>> if (!schSCManager) {
>> rv = apr_get_os_error();
>> ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP, rv,
>> NULL,
>> @@ -1265,7 +1262,7 @@
>> SC_HANDLE schSCManager;
>>
>> schSCManager = OpenSCManager(NULL, NULL, // default machine
>> & database
>> - SC_MANAGER_ALL_ACCESS);
>> + SC_MANAGER_CONNECT);
>>
>> if (!schSCManager) {
>> ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP,
>> apr_get_os_error(), NULL,
>> @@ -1275,7 +1272,8 @@
>>
>> /* ###: utf-ize */
>> schService = OpenService(schSCManager, mpm_service_name,
>> - SERVICE_ALL_ACCESS);
>> + SERVICE_INTERROGATE |
>> SERVICE_QUERY_STATUS |
>> + SERVICE_START | SERVICE_STOP);
>>
>> if (schService == NULL) {
>> /* Could not open the service */
>
>
>
[PATCH] mpm/winnt service permissions
This patch sets the calls to OpenSCManager and OpenService to use the
minimum required privileges.
Index: service.c
===
RCS file: /home/cvspublic/httpd-2.0/server/mpm/winnt/service.c,v
retrieving revision 1.56
diff -u -3 -r1.56 service.c
--- service.c 2 Jul 2002 19:03:15 - 1.56
+++ service.c 9 Jul 2002 18:02:38 -
@@ -483,10 +483,10 @@
if ((osver.dwPlatformId == VER_PLATFORM_WIN32_NT)
&& (osver.dwMajorVersion > 4)
&& (ChangeServiceConfig2)
- && (schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS)))
+ && (schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT)))
{
SC_HANDLE schService = OpenService(schSCManager, mpm_service_name,
- SERVICE_ALL_ACCESS);
+ SERVICE_CHANGE_CONFIG);
if (schService) {
/* Cast is necessary, ChangeServiceConfig2 handles multiple
* object types, some volatile, some not.
@@ -854,10 +854,9 @@
{
SC_HANDLE schService;
SC_HANDLE schSCManager;
-
-// TODO: Determine the minimum permissions required for security
+
schSCManager = OpenSCManager(NULL, NULL, /* local, default database */
- SC_MANAGER_ALL_ACCESS);
+ SC_MANAGER_CREATE_SERVICE);
if (!schSCManager) {
rv = apr_get_os_error();
ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP, rv, NULL,
@@ -870,7 +869,7 @@
if (reconfig) {
/* ###: utf-ize */
schService = OpenService(schSCManager, mpm_service_name,
- SERVICE_ALL_ACCESS);
+ SERVICE_CHANGE_CONFIG);
if (!schService) {
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_ERR,
apr_get_os_error(), NULL,
@@ -1008,9 +1007,8 @@
fprintf(stderr,"Removing the %s service\n", mpm_display_name);
-// TODO: Determine the minimum permissions required for security
schSCManager = OpenSCManager(NULL, NULL, /* local, default database */
- SC_MANAGER_ALL_ACCESS);
+ SC_MANAGER_CONNECT);
if (!schSCManager) {
rv = apr_get_os_error();
ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP, rv, NULL,
@@ -1019,7 +1017,7 @@
}
/* ###: utf-ize */
-schService = OpenService(schSCManager, mpm_service_name, SERVICE_ALL_ACCESS);
+schService = OpenService(schSCManager, mpm_service_name, DELETE);
if (!schService) {
rv = apr_get_os_error();
@@ -1123,9 +1121,8 @@
SC_HANDLE schService;
SC_HANDLE schSCManager;
-// TODO: Determine the minimum permissions required for security
schSCManager = OpenSCManager(NULL, NULL, /* local, default database */
- SC_MANAGER_ALL_ACCESS);
+ SC_MANAGER_CONNECT);
if (!schSCManager) {
rv = apr_get_os_error();
ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP, rv, NULL,
@@ -1265,7 +1262,7 @@
SC_HANDLE schSCManager;
schSCManager = OpenSCManager(NULL, NULL, // default machine & database
- SC_MANAGER_ALL_ACCESS);
+ SC_MANAGER_CONNECT);
if (!schSCManager) {
ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP, apr_get_os_error(),
NULL,
@@ -1275,7 +1272,8 @@
/* ###: utf-ize */
schService = OpenService(schSCManager, mpm_service_name,
- SERVICE_ALL_ACCESS);
+ SERVICE_INTERROGATE | SERVICE_QUERY_STATUS |
+ SERVICE_START | SERVICE_STOP);
if (schService == NULL) {
/* Could not open the service */
