Re: Bug#270418: apache: Apache initscript ignores system locale
On Tue, 7 Sep 2004, Ian Eure wrote:

> Is there some definitive resource which documents these effects? I'd like to know what I run the risk of breaking by forcing Apache to use my locale.

Check the BTS for archived apache bugs. Some of them were reporting problems when LANG != C. I am not sure I recall all the details, but one of the problems was the sequence in which a config directory is scanned, breaking user configuration load sequences.

Remember that /etc/init./apache is a config file that you can modify and it will not be overwritten across uploads, until you say so.

Fabio

--
user fajita: step one
fajita Whatever the problem, step one is always to look in the error log.
user fajita: step two
fajita When in danger or in doubt, step two is to scream and shout.
Bug#270593: marked as done (apache2: /var/wwww should be owned by www-data, not root)
Your message dated Wed, 8 Sep 2004 10:00:10 +0100 with message-id [EMAIL PROTECTED] and subject line Interesting definition of secure has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--
From: Jari Aalto [EMAIL PROTECTED]
To: Debian Bug Tracking System [EMAIL PROTECTED]
Date: Wed, 08 Sep 2004 10:41:41 +0300
Subject: apache2: /var/ should be owned by www-data, not root

Package: apache2
Version: 2.0.50-12
Severity: grave
Justification: user security hole

I'm not sure which process is responsible for creating /var/www, but I'm presuming it is apache2, which is the only web server installed in this system. The permissions look like this now:

    host:~# ls -la /var/www
    drwxr-xr-x 3 root root 4096 Sep 6 23:53 .

But wouldn't it be more secure to use:

    chown -R www-data.www-data /var/www

-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-1-386
Locale: LANG=C, LC_CTYPE=C (ignored: LC_ALL set to en_US)

Versions of packages apache2 depends on:
ii apache2-mpm-prefork 2.0.50-12 Traditional model for Apache2

-- no debconf information

---
From: Thom May [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Wed, 8 Sep 2004 10:00:10 +0100
Subject: Interesting definition of secure

Hi,
I'm not sure how your thought processes worked on this one. But let's think about this for a second: web server runs as www-data. /var/www is owned by www-data. All your cgi scripts run as www-data. You have a script with an exploit. Unchecked input or whatever. Attacker runs 'rm -rf /var/www/*'. With /var/www owned by anything !www-data, this isn't a problem. With /var/www owned by www-data, all your web pages are now in the deep blue void.

So no, it would not be more secure.
(And no, we will not be doing this)
-Thom
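The reasoning in the reply above, turned into a check an administrator can run against a document root. This is an added example, not part of the original thread; the function names are illustrative, and the group-writable and world-writable passes go beyond the owner case the thread discusses.

```shell
#!/bin/sh
# Print "REASON<TAB>PATH" for every path under DOCROOT that the web server
# account (numeric SERVER_UID / SERVER_GID) is able to modify.
# Directories matter as much as files: write access to a directory is what
# lets a compromised CGI script delete or replace the pages inside it.
scan_docroot() {
    docroot=$1 uid=$2 gid=$3
    # owner: the account owns the path, so it can write to it or chmod it.
    find "$docroot" ! -type l -uid "$uid" -exec printf 'owner\t%s\n' {} \;
    # group: group-writable and belonging to the account's primary group.
    find "$docroot" ! -type l ! -uid "$uid" -gid "$gid" -perm -0020 \
        -exec printf 'group\t%s\n' {} \;
    # world: writable by everyone. Symlinks are skipped in all three passes
    # because on Linux their mode bits always read as 777.
    find "$docroot" ! -type l ! -uid "$uid" ! \( -gid "$gid" -perm -0020 \) \
        -perm -0002 -exec printf 'world\t%s\n' {} \;
}

# Returns 0 when the tree is clean, 1 (after printing the findings) otherwise.
audit_docroot() {
    findings=$(scan_docroot "$@")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical call for the layout in the thread (account name as given there):
#   audit_docroot /var/www "$(id -u www-data)" "$(id -g www-data)"
if [ "$#" -eq 3 ]; then
    audit_docroot "$@"
fi
```

A clean result on the `root root drwxr-xr-x` listing from the bug report is the expected outcome; any `owner` line means the proposed chown (or something equivalent) has been applied to that path.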
Bug#239571: marked as done (apache2-common: /etc/logrotate.d/apache2 not removed when package removed)
Your message dated Wed, 8 Sep 2004 04:52:30 -0700 with message-id [EMAIL PROTECTED] and subject line Bug#239571: apache2-common: /etc/logrotate.d/apache2 not removed when package removed has caused the attached Bug report to be marked as done.

--
From: Kurt Yoder [EMAIL PROTECTED]
To: Debian Bug Tracking System [EMAIL PROTECTED]
Date: Tue, 23 Mar 2004 08:14:47 -0500
Subject: apache2-common: /etc/logrotate.d/apache2 not removed when package removed

Package: apache2-common
Version: 2.0.48-7
Severity: minor

I did a normal (non-purge) remove of apache2-common. /etc/logrotate.d/apache2 was not removed. This causes the daily cron job to report an error as it's trying to run logrotate.

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux pc71 2.4.22-xfs #1 SMP Fr Okt 3 20:36:25 CEST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages apache2-common depends on:
ii  debconf       1.3.22        Debian configuration management sy
ii  debianutils   2.6.2         Miscellaneous utilities specific t
ii  libapr0       2.0.48-7      The Apache Portable Runtime
ii  libc6         2.3.2.ds1-10  GNU C Library: Shared libraries an
ii  libdb4.2      4.2.52-8      Berkeley v4.2 Database Libraries [
ii  libexpat1     1.95.6-6      XML parsing C library - runtime li
ii  libldap2      2.1.23-1      OpenLDAP libraries
ii  libssl0.9.7   0.9.7c-5      SSL shared libraries
ii  mime-support  3.23-1        MIME files 'mime.types' 'mailcap
ii  net-tools     1.60-8        The NET-3 networking toolkit
ii  openssl       0.9.7c-5      Secure Socket Layer (SSL) binary a
ii  ssl-cert      1.0-7         Simple debconf wrapper for openssl
ii  zlib1g        1:1.2.1-3     compression library - runtime

---
From: Daniel Stone [EMAIL PROTECTED]
To: Roland Stigge [EMAIL PROTECTED], [EMAIL PROTECTED]
Date: Wed, 8 Sep 2004 04:52:30 -0700
Subject: Re: Bug#239571: apache2-common: /etc/logrotate.d/apache2 not removed when package removed
Processed: Re: Bug#239571: apache2-common: /etc/logrotate.d/apache2 not removed when package removed
Processing commands for [EMAIL PROTECTED]:

reopen 239571
Bug#239571: apache2-common: /etc/logrotate.d/apache2 not removed when package removed
Bug reopened, originator not changed.

thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Bug#270635: apache: building process should respect CFLAGS and LDFLAGS
Package: apache
Version: 1.3.31-5
Severity: minor
Tags: patch

There is no simple way to build the package with additional options for compilation and linking. The building process should respect the environment variables CFLAGS and LDFLAGS to allow optimization or security improvements by setting up compiler switches. For example, somebody may want to use -march/-mcpu to optimize for a specific platform, or -Wl,-pie to make position independent executables.

-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)

--- rules.orig 2004-09-08 14:03:36.0 +0200 +++ rules 2004-09-08 14:05:56.0 +0200 @@ -129,7 +129,7 @@ $(STAMP_DIR)/configure-stamp-apache: $(STAMP_DIR)/source.make @echo -e \n\n*** Configuring apache ***\n\n - cd $(V) CFLAGS=$(CONFLAGS) ./configure $(APACHEARGS) + cd $(V) LDFLAGS=$(LDFLAGS) CFLAGS=$(CFLAGS) $(CONFLAGS) ./configure $(APACHEARGS) @echo -e \n\n*** Creating apaci (apache) *** \n\n @@ -169,7 +169,7 @@ $(STAMP_DIR)/configure-stamp-ssl: $(STAMP_DIR)/source.make @echo -e \n\n*** Configuring apache-ssl ***\n\n - cd $(S) CFLAGS=$(CONFLAGS) ./configure $(SSLARGS) + cd $(S) LDFLAGS=$(LDFLAGS) CFLAGS=$(CFLAGS) $(CONFLAGS) ./configure $(SSLARGS) @echo -e \n\n*** Creating apaci (apache-ssl) *** \n\n @@ -218,7 +218,7 @@ PERL_TRACE=0 PERL_LOG_API=1 PERL_URI_API=1 PERL_UTIL_API=1 \ PERL_TABLE_API=1 PERL_FILE_API=1 - cd $(P) CFLAGS=$(CONFLAGS) ./configure $(PERLARGS) + cd $(P) LDFLAGS=$(LDFLAGS) CFLAGS=$(CFLAGS) $(CONFLAGS) ./configure $(PERLARGS) @echo -e \n\n*** Creating apaci (apache-perl) *** \n\n
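
Review bot: The values in the added line of the @@ -129 hunk are unquoted as shown, so `CFLAGS=$(CFLAGS) $(CONFLAGS) ./configure` assigns at most the first word to CFLAGS and the shell takes the next word as the command to run; an empty or multi-word CFLAGS or LDFLAGS breaks the configure call. Quote each assignment as one word, for example `LDFLAGS="$(LDFLAGS)" CFLAGS="$(CFLAGS) $(CONFLAGS)"`, so that several options (more than one -Wl switch, say) survive intact.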
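
Review bot: The order `$(CFLAGS) $(CONFLAGS)` on the added line of the @@ -169 hunk puts the builder's flags before the package's own, so wherever the two disagree (an optimisation level, for instance) the compiler takes the later option and the override the report asks for is silently lost. Put `$(CFLAGS)` after `$(CONFLAGS)`; the same applies to the apache and apache-perl configure lines.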
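
Review bot: The @@ -218 hunk is the third copy of the same `LDFLAGS=$(LDFLAGS) CFLAGS=$(CFLAGS) $(CONFLAGS)` prefix, and nothing in the patch documents that the build now honours these variables. Define the combined flags once near the top of rules, use that single definition in all three configure calls, and add a short comment stating that CFLAGS and LDFLAGS are taken from the environment.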
apache upgrade cleans modules.conf
Current testing, upg. to apache 1.3.31-5 rendered php4 not working by installing a clear modules.conf over the one which contained a modules.conf with a line:

loadmodule php4_module ...

Happened on two systems.

G.