Re: httpd win64 binaries

[Jorge Schrauwen]

On Mon, Nov 3, 2008 at 8:10 AM, William A. Rowe, Jr.
[EMAIL PROTECTED] wrote:
 Jorge Schrauwen wrote:

 The subject of not having an official binary package was brought up.
 We couldn't think of a reason why not except no body wants or has the
 time to do it.

 That's not it.

 The problem is MS's creation.  We can either ship an 'official' msvcrt.dll
 based, DDK-built flavor, or the crap of the month 2005 or 2005sp1 or 2008
 or 2008sp1 binary.  Let's face it, flavor of the week doesn't work for an
 approach to a C runtime.


Now that you mention it I do seem to vaguely remember something about this.
So unless the MS gets there act together (which I doubt will happen in
anytime soon) we won't see any 64-bit binaries?


 I'm likely to ship that DDK built flavor if only to help ensure compatibility,
 and let the Studio team know that they don't know what they are doing.  They
 deliver a fun product for building something.  I know, I used it almost for
 2 decades.


So selecting a version that is most popular say 2005(sp1) and only
using that one is out of the question?

 They are entirely clueless at delivering a product to be used across multiple
 developers from multiple organizations to accomplish multiple purposes.  They
 just can't grok that much multiplicity, and observe the central MS tenant of
 forcing to upgrade early and upgrade often.  This isn't compatible with open
 source binaries.  Just look at how frequently gcc is willing to bump the ver
 major like next to never.



But I have to agree, MS's vs 2005+ series is a mess with all the
.manifest and .local and bah!


~Jorge

Re: httpd win64 binaries

[Bing Swen]

Jorge Schrauwen [EMAIL PROTECTED] wrote on 2008-11-3 16:26


On Mon, Nov 3, 2008 at 8:10 AM, William A. Rowe, Jr. wrote:


Jorge Schrauwen wrote:


The subject of not having an official binary package was brought up.
We couldn't think of a reason why not except no body wants or has the
time to do it.


That's not it.

The problem is MS's creation.  We can either ship an 'official' 
msvcrt.dll

based, DDK-built flavor, or the crap of the month 2005 or 2005sp1 or 2008
or 2008sp1 binary.  Let's face it, flavor of the week doesn't work for an
approach to a C runtime.



Now that you mention it I do seem to vaguely remember something about 
this.

So unless the MS gets there act together (which I doubt will happen in
anytime soon) we won't see any 64-bit binaries?



Though we are eager to see an 'official' 64-bit Windows httpd release, but 
if not binaries, why shouldn't there be an x64 configured Apache.sln? It 
will be already great to let people have the chance to do their own x64 
compilation.


It was made clear that 32-bit will soon be over at the Windows server end 
(http://blogs.technet.com/windowsserver/archive/2008/10/28/announcing-windows-server-2008-r2.aspx). 
I guess most of us still think that Windows Server remains as an important 
platform for Apache. So it's really time to make this little step further.





So selecting a version that is most popular say 2005(sp1) and only
using that one is out of the question?



Jorge's Win64 binaries already seem to work perfectly on mainstream Windows 
versions. Shouldn't it be able to improve to be offical?

(I just found it can not load some modules built with VS005/Win008, though).


Bing

Re: httpd win64 binaries

[Jorge Schrauwen]

On Mon, Nov 3, 2008 at 10:23 AM, Bing Swen [EMAIL PROTECTED] wrote:
 Jorge Schrauwen [EMAIL PROTECTED] wrote on 2008-11-3 16:26

 On Mon, Nov 3, 2008 at 8:10 AM, William A. Rowe, Jr. wrote:

 Jorge Schrauwen wrote:

 The subject of not having an official binary package was brought up.
 We couldn't think of a reason why not except no body wants or has the
 time to do it.

 That's not it.

 The problem is MS's creation.  We can either ship an 'official'
 msvcrt.dll
 based, DDK-built flavor, or the crap of the month 2005 or 2005sp1 or 2008
 or 2008sp1 binary.  Let's face it, flavor of the week doesn't work for an
 approach to a C runtime.


 Now that you mention it I do seem to vaguely remember something about
 this.
 So unless the MS gets there act together (which I doubt will happen in
 anytime soon) we won't see any 64-bit binaries?


 Though we are eager to see an 'official' 64-bit Windows httpd release, but
 if not binaries, why shouldn't there be an x64 configured Apache.sln? It
 will be already great to let people have the chance to do their own x64
 compilation.

Currently there is only a .dsw and no sln's, they get generated on import.
For some project on import there is a x64 platform available but not all.

I'm not sure how doable that would be? If it was easy I'm sure someone
(wrowe) would probably have done this already. Easiest way to do it
with the current dsw/sln is to remove the project that have and x64
targets, then create a new x64 target for the entire solution.

 It was made clear that 32-bit will soon be over at the Windows server end
 (http://blogs.technet.com/windowsserver/archive/2008/10/28/announcing-windows-server-2008-r2.aspx).
 I guess most of us still think that Windows Server remains as an important
 platform for Apache. So it's really time to make this little step further.



 So selecting a version that is most popular say 2005(sp1) and only
 using that one is out of the question?


 Jorge's Win64 binaries already seem to work perfectly on mainstream Windows
 versions. Shouldn't it be able to improve to be offical?
 (I just found it can not load some modules built with VS005/Win008, though).

I compiled them on vs2008 IIRC (not sure only boot into the vm when
need to compile)
Sadly the exact same version is needed or else it refuses to load.
That is what wrowe mentioned above with all the minor version bumps
here and there.


 Bing


Jorge

[patch] mod_autoindex stability depends on ap_field_noparam

[Takashi Sato]

find_default_item passes an imperfect request_rec to find_item.
find_item calls ap_field_noparam with uninitialized memory pool (r-pool).
Though this doesn't matter since ap_field_noparam simply returns NULL when
the 2nd argument is NULL, IMHO this should be fixed.
The attached patch makes find_default_item stop create reqest_rec.


static char *find_item(request_rec *r, apr_array_header_t *list, int path_only)
{
const char *content_type = ap_field_noparam(r-pool, r-content_type);

[cut]

static char *find_default_item(char *bogus_name, apr_array_header_t *list)
{
request_rec r;
/* Bleah.  I tried to clean up find_item, and it lead to this bit
 * of ugliness.   Note that the fields initialized are precisely
 * those that find_item looks at...
 */
r.filename = bogus_name;
r.content_type = r.content_encoding = NULL;
return find_item(r, list, 1);
}
Index: mod_autoindex.c
===
--- mod_autoindex.c (revision 710023)
+++ mod_autoindex.c (working copy)
@@ -750,12 +750,9 @@
 int isdir;
 };
 
-static char *find_item(request_rec *r, apr_array_header_t *list, int path_only)
+static char *find_item_core(const char *content_type_noparam, const char 
*content_encoding,
+const char *path, apr_array_header_t *list, int 
path_only)
 {
-const char *content_type = ap_field_noparam(r-pool, r-content_type);
-const char *content_encoding = r-content_encoding;
-char *path = r-filename;
-
 struct item *items = (struct item *) list-elts;
 int i;
 
@@ -775,8 +772,8 @@
 else if (!path_only) {
 if (!content_encoding) {
 if (p-type == BY_TYPE) {
-if (content_type
- !ap_strcasecmp_match(content_type,
+if (content_type_noparam
+ !ap_strcasecmp_match(content_type_noparam,
 p-apply_to)) {
 return p-data;
 }
@@ -796,21 +793,19 @@
 return NULL;
 }
 
+static char *find_item(request_rec *r, apr_array_header_t *list, int path_only)
+{
+return find_item_core(ap_field_noparam(r-pool, r-content_type), 
r-content_encoding, r-filename, list, path_only);
+}
+
 #define find_icon(d,p,t) find_item(p,d-icon_list,t)
 #define find_alt(d,p,t) find_item(p,d-alt_list,t)
 #define find_header(d,p) find_item(p,d-hdr_list,0)
 #define find_readme(d,p) find_item(p,d-rdme_list,0)
 
-static char *find_default_item(char *bogus_name, apr_array_header_t *list)
+static char *find_default_item(const char *bogus_name, apr_array_header_t 
*list)
 {
-request_rec r;
-/* Bleah.  I tried to clean up find_item, and it lead to this bit
- * of ugliness.   Note that the fields initialized are precisely
- * those that find_item looks at...
- */
-r.filename = bogus_name;
-r.content_type = r.content_encoding = NULL;
-return find_item(r, list, 1);
+return find_item_core(NULL, NULL, bogus_name, list, 1);
 }
 
 #define find_default_icon(d,n) find_default_item(n, d-icon_list)

Re: httpd win64 project sources/makefiles [was:...binaries]

[Dan Poirier]

William A. Rowe, Jr. said the following on 11/03/2008 07:32 AM:

But studio (or eclipse or codewarrior or [name your IDE]) users would
appreciate a perspective into the sources.  The IDE-accessible nature
of the original Win32 port is what made it so easy for me to jump in,
understand and substantially refactor the win32 support.  Without the
IDE view, would I have done that?  Maybe - but at that time in my
development patterns - more likely not.

Lets look to supporting [name your favorite IDE] as a bigger picture
item not specific to windows, and to transition away from .dsp for
the build/ide view support.


I'm still getting my head around how all the parts of Apache work 
together, and would love to be able to dive into it using Eclipse and 
explore.  The advantage of Eclipse would be that it's more 
cross-platform than most of the alternatives that I'm aware of.


Re: windows, aren't there one or more ports of gcc?  Would something 
like that be worth considering as a more stable build solution than MS's 
tools?


Dan

Re: httpd win64 project sources/makefiles [was:...binaries]

[Marc Noirot]

William A. Rowe, Jr. said the following on 11/03/2008 07:32 AM:
 Lets look to supporting [name your favorite IDE] as a bigger picture
 item not specific to windows, and to transition away from .dsp for
 the build/ide view support.

What about going one step further and using a tool
able to generate Makefiles and IDE files for [name some of your favorite IDEs] ?

I'm thinking about something like CMake, which is able to target
the following environments on Windows :
# Borland Makefiles
# MSYS Makefiles
# MinGW Makefiles
# NMake Makefiles
# Unix Makefiles
# Visual Studio 6
# Visual Studio 7
# Visual Studio 7 .NET 2003
# Visual Studio 8 2005
# Visual Studio 8 2005 Win64
# Visual Studio 9 2008
# Visual Studio 9 2008 Win64
# Watcom WMake
# CodeBlocks - MinGW Makefiles
# CodeBlocks - Unix Makefiles
# Eclipse CDT4 - MinGW Makefiles
# Eclipse CDT4 - NMake Makefiles
# Eclipse CDT4 - Unix Makefiles

--
Marc Noirot
http://www.apachefrance.com/

Re: httpd win64 project sources/makefiles [was:...binaries]

[Bing Swen]

Dan Poirier [EMAIL PROTECTED]　wrote on 2008-11-3 21:13


William A. Rowe, Jr. said the following on 11/03/2008 07:32 AM:


Lets look to supporting [name your favorite IDE] as a bigger picture
item not specific to windows, and to transition away from .dsp for
the build/ide view support.


Re: windows, aren't there one or more ports of gcc?  Would something like 
that be worth considering as a more stable build solution than MS's tools?


There is a runtime library issue. Most GCC ports do not generate object code 
that can be linked with the necessary WinAPI runtime lib's. e.g, httpd needs 
to link to lots of MS C startup libraris to use the file system, socket API, 
IOCP, etc.


Bing 

Re: httpd win64 project sources/makefiles [was:...binaries]

[Bing Swen]

Marc Noirot [EMAIL PROTECTED] wrote on 2008-11-3 22:06


William A. Rowe, Jr. said the following on 11/03/2008 07:32 AM:

Lets look to supporting [name your favorite IDE] as a bigger picture
item not specific to windows, and to transition away from .dsp for
the build/ide view support.


What about going one step further and using a tool
able to generate Makefiles and IDE files for [name some of your favorite 
IDEs] ?


I'm thinking about something like CMake, which is able to target
the following environments on Windows :
# Borland Makefiles
# MSYS Makefiles
# MinGW Makefiles
# NMake Makefiles
# Unix Makefiles
# Visual Studio 6
# Visual Studio 7
# Visual Studio 7 .NET 2003
# Visual Studio 8 2005
# Visual Studio 8 2005 Win64
# Visual Studio 9 2008
# Visual Studio 9 2008 Win64
# Watcom WMake
# CodeBlocks - MinGW Makefiles
# CodeBlocks - Unix Makefiles
# Eclipse CDT4 - MinGW Makefiles
# Eclipse CDT4 - NMake Makefiles
# Eclipse CDT4 - Unix Makefiles

--
Marc Noirot


This seems overwhelming. So it seems possible for httpd to have a 
one-to-fit-all IDE project file generator? Then everyone will have a 
happy ending...


Bing

Re: httpd win64 project sources/makefiles [was:...binaries]

[William A. Rowe, Jr.]

Jorge Schrauwen wrote:

 I compiled them on vs2008 IIRC (not sure only boot into the vm when
 need to compile)
 Sadly the exact same version is needed or else it refuses to load.
 That is what wrowe mentioned above with all the minor version bumps
 here and there.

Precisely.  Also note; VC2008 studio file cannot load in studio 2005.
This might also be true of SP bumps.

Today, it's VC6 dsw/dsp's only because that was the last version able
to export a set of non-studio Makefiles.  If we eliminate the need to
export win32's makefiles, we eliminate dsp's altogether.

So as far as .sln's are concerned, if we can emit, from our build
schema, either .vcproj elements or makefiles or both, then we can
forever drop VC6 files.  VC6 certainly would still compile, but using
the command line.  I can't seriously believe that we should support
the IDE itself forever.

But studio (or eclipse or codewarrior or [name your IDE]) users would
appreciate a perspective into the sources.  The IDE-accessible nature
of the original Win32 port is what made it so easy for me to jump in,
understand and substantially refactor the win32 support.  Without the
IDE view, would I have done that?  Maybe - but at that time in my
development patterns - more likely not.

Lets look to supporting [name your favorite IDE] as a bigger picture
item not specific to windows, and to transition away from .dsp for
the build/ide view support.

Bill

Re: svn commit: r709993 - in /httpd/httpd/trunk: include/ modules/arch/unix/ server/ server/mpm/experimental/event/ server/mpm/prefork/ server/mpm/simple/ server/mpm/worker/

[Jim Jagielski]

On Nov 2, 2008, at 9:47 PM, Paul Querna wrote:


[EMAIL PROTECTED] wrote:

Author: niq
Date: Sun Nov  2 16:46:54 2008
New Revision: 709993
URL: http://svn.apache.org/viewvc?rev=709993view=rev
Log:
Switch all unix MPMs to use drop_privileges hook (mod_unixd) for  
startup
and add a flag to prevent running without any module taking  
responsibility

for managing system privileges!



+/* register modules that undertake to manage system security */
+extern int sys_privileges;

.

+++sys_privileges;
return OK;


-0.98

No more global variables :(



+1 on the -0.98

Re: svn commit: r708462 - in /httpd/httpd/trunk/server/mpm: ./ simple/

[Jim Jagielski]

On Nov 2, 2008, at 1:04 PM, Justin Erenkrantz wrote:

On Thu, Oct 30, 2008 at 6:06 AM, Jim Jagielski [EMAIL PROTECTED]  
wrote:

I tend to agree... as long as the architectural design doesn't
prevent people from creating (or keeping) MPMs, then this is all
good. Believe it or not, as people on the front-lines of handling
Apache setup and support for organizations can attest to, MPMs are a
valued feature.


I disagree.  It's incredibly confusing to have compile-time
definitions and inability to adjust them at run-time.

I'd prefer that we remove all MPMs and teach whatever remains to be
able to emulate prefork (multiple-process/single-thread) or worker
(multiple-process/multiple-thread) at run-time.



You miss my point. If we just have one MPM, and make it
such that other MPMs are at a significant advantage, then
why even have MPMs? Hardcode in simple and be done.

In any case, we can pretty much do that with Worker now,
as well as Simple...

Re: svn commit: r708902 - /httpd/httpd/trunk/modules/metadata/mod_expires.c

[Jim Jagielski]

On Nov 1, 2008, at 6:54 AM, Ruediger Pluem wrote:



This causes failures in the perl framework:

t/modules/expires.t92   15  16.30%  4 10 14 17-18 22  
29-30 34-

   35 38 42 46 48 50

But IMHO the code is now correct after the patch and the tests are  
wrong. The following

patch makes the tests pass again:

Index: t/modules/expires.t
===
--- t/modules/expires.t (Revision 707830)
+++ t/modules/expires.t (Arbeitskopie)
@@ -231,6 +231,13 @@
if ($exp_conf =~ /^([A|M])(\d+)$/) {
$exp_type = $1;
$expected = $2;
+## With modification date as base expire times can be in  
the past
+## Correct behaviour for the server in this case is to set  
expires

+## time equal to access time.
+if (($exp_type eq 'M')
+ ($headers{access}  $headers{modified} + $expected)) {
+$expected = $headers{access} - $headers{modified};
+}
} else {
print STDERR \n\ndoom: $exp_conf\n\n;
return 0;

Comments?



Thanks! I forgot to mention that the test cases were bad, and had  
intended

to fix them, but time got away from me. Thanks for following
up!

+1

Re: httpd win64 project sources/makefiles [was:...binaries]

[Graham Leggett]

Marc Noirot wrote:


What about going one step further and using a tool
able to generate Makefiles and IDE files for [name some of your favorite IDEs] ?


+1.

Binding httpd to one IDE significantly reduces the developer audience, 
it would help a lot if Windows could have the same autoconf ability that 
the Unix build has had for years.


Regards,
Graham
--


smime.p7s
Description: S/MIME Cryptographic Signature

Re: httpd win64 project sources/makefiles [was:...binaries]

[Roy T. Fielding]

On Nov 3, 2008, at 6:06 AM, Marc Noirot wrote:


What about going one step further and using a tool
able to generate Makefiles and IDE files for [name some of your  
favorite IDEs] ?


I'm thinking about something like CMake ...


http://lwn.net/Articles/188693/
http://www.cmake.org/

+1

But it still requires folks to do the work.  Hackathon?

Roy

Re: svn commit: r709708 - in /httpd/httpd/trunk: include/ap_mmn.h include/mod_auth.h modules/aaa/mod_authz_owner.c

[Chris Darroch]

Ruediger Pluem wrote:


IMHO this requires a major bump (no problem on trunk) and not only a minor one.


  Thanks for catching that and the missing apr_pcalloc() in mod_authz_core.c!

Chris.

--
GPG Key ID: 366A375B
GPG Key Fingerprint: 485E 5041 17E1 E2BB C263  E4DE C8E3 FA36 366A 375B

Re: svn commit: r709553 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_authn_core.xml modules/aaa/mod_authn_core.c

[Chris Darroch]

Ruediger Pluem wrote:

could you please split such changes into atomic commits? One issue - one 
commit. You also committed docs changes you didn't mention in the log 
message.


I'm not sure if the crash fix shouldn't go into CHANGES.


Plus it makes it really hard to read the diffs if you mix formating changes
with functional changes. Please separate them.


  Yes, my apologies for that.  I confess I'd hoped to cut a couple of
corners because these files exist only in trunk, I wasn't planning any
backports, and there seemed to be such a remarkably low level of interest
in the trunk authn/z stuff.  Still, I should have done a better job.

Chris.

--
GPG Key ID: 366A375B
GPG Key Fingerprint: 485E 5041 17E1 E2BB C263  E4DE C8E3 FA36 366A 375B

Re: httpd win64 project sources/makefiles [was:...binaries]

[Jorge Schrauwen]

cmake seems very interesting.
I'd like to help if you go that path, not sure I'll be of much use though.

~Jorge



On Mon, Nov 3, 2008 at 6:42 PM, Roy T. Fielding [EMAIL PROTECTED] wrote:
 On Nov 3, 2008, at 6:06 AM, Marc Noirot wrote:

 What about going one step further and using a tool
 able to generate Makefiles and IDE files for [name some of your favorite
 IDEs] ?

 I'm thinking about something like CMake ...

 http://lwn.net/Articles/188693/
 http://www.cmake.org/

 +1

 But it still requires folks to do the work.  Hackathon?

 Roy

Re: AuthzMergeRules blocks everything in default configuration

[Chris Darroch]

Dan Poirier wrote:

I'd find it much easier to understand if we had fewer directives, and 
just built up the more complicated ideas by writing boolean expressions, 
which most of us already know how to cope with.


  Perhaps, and the underlying code should support a range of alternative
configuration schemes; if someone wants to add an expression parser,
that should be feasible.


  My own perspective was that I wanted to satisfy number of goals,
in descending order of priority:

  First, and most important, I wanted to ensure default 2.2-style
authz.  Imagine administrating a large mass virtual hosting service
whose customers have uploaded thousands of .htaccess files, and trying
to upgrade to 2.4.  Clearly, those .htaccess files need to work exactly
as before.  Even if we supplied a batch conversion script that could
find and auto-upgrade them, customers would later upload their own private
copies of their old files, thus inadvertently breaking their sites.

  So, that meant an OR-like context for Require directives, and
no merging of authz configurations by default.  This whole thread
started because I was trying mod_authz_dbd and noticed it didn't
work as expected because AuthzMergeRules was On (i.e., OR) by default.
(In my previous message I described switching to an AND-like default
context for Require directives, but realized before committing that
that would break with this prime directive of backwards-compatibility.)

  So, if people could please test with 2.2-style authz configurations
and make sure everything works as expected, that would be superb.


  Second, I wanted to simplify things a little.  The revised
mod_auth.h and mod_authz_core.c have shrunk a little, and I felt I
could remove the default authn/z modules.  (Having both core and
default modules for authn and authz, any of which could be compiled
out, seemed a likely source of trouble.)


  Third, while looking into how mod_authz_core worked, I found
some ways to configure it that would cause unexpected results,
and while trying to fix those came to the conclusion I needed to
start over with a tree-based implementation.

  Doing that and working through the implications of a non-Boolean
tri-state logic (where negating a false value results in a neutral,
not true, value) I found that adding negated authz container directives
was something that just fell out naturally.


  Finally there was a certain amount of bike-shed re-painting in
the form of renaming configuration directives.  I settled on
Match, MatchAll, etc. based on Eric Covener's comments.

  If people dislike those names, please jump in and change them.
Or if most folks think we'd be better off without authz containers
entirely, please vote for the following patch, which simply turns all
that stuff off, leaving (I hope) a fairly clean core authz implementation
that supports default 2.2-style behaviour and is extensible down the road,
should that be desired.

Chris.


Index: mod_authz_core.c
===
--- mod_authz_core.c(revision 710120)
+++ mod_authz_core.c(working copy)
@@ -405,6 +405,7 @@
return NULL;
}

+#ifdef AUTHZ_CORE_CONTAINERS
static const char *add_authz_section(cmd_parms *cmd, void *mconfig,
 const char *args)
{
@@ -534,6 +535,7 @@

return NULL;
}
+#endif /* AUTHZ_CORE_CONTAINERS */

static int authz_core_check_section(apr_pool_t *p, server_rec *s,
authz_section_conf *section, int is_conf)
@@ -634,6 +636,7 @@
 specifies legacy authorization directives 
 of which one must pass 
 for a request to suceeed),
+#ifdef AUTHZ_CORE_CONTAINERS
AP_INIT_RAW_ARGS(Match, add_authz_provider, NULL, OR_AUTHCFG,
 specifies authorization directives that must pass 
 (or not) for a request to suceeed),
@@ -656,6 +659,7 @@
  controls how a Directory, Location, or similar 
  directive's authorization directives are combined with 
  those of its predecessor),
+#endif /* AUTHZ_CORE_CONTAINERS */
{NULL}
};

Re: svn commit: r709839 - in /httpd/httpd/trunk: ./ build/ modules/aaa/modules/arch/netware/ os/netware/ os/win32/

[Brad Nicholes]

 On 11/1/2008 at 10:21 PM, in message
[EMAIL PROTECTED], [EMAIL PROTECTED] wrote:
 Author: chrisd
 Date: Sat Nov  1 21:21:48 2008
 New Revision: 709839
 
 URL: http://svn.apache.org/viewvc?rev=709839view=rev 
 Log:
 Remove mod_authn_default and mod_authz_default.
 
 Note: I've attempted to work through the Windows and Netware build files,
 but if those with such systems could repair any damage, that would be
 appreciated.
 
 Removed:
 httpd/httpd/trunk/modules/aaa/mod_authn_default.c
 httpd/httpd/trunk/modules/aaa/mod_authn_default.dsp
 httpd/httpd/trunk/modules/aaa/mod_authz_default.c
 httpd/httpd/trunk/modules/aaa/mod_authz_default.dsp
 httpd/httpd/trunk/modules/arch/netware/mod_authn_default.def
 httpd/httpd/trunk/modules/arch/netware/mod_authz_default.def
 Modified:
 httpd/httpd/trunk/Apache.dsw
 httpd/httpd/trunk/CHANGES
 httpd/httpd/trunk/Makefile.win
 httpd/httpd/trunk/NWGNUmakefile
 httpd/httpd/trunk/build/installwinconf.awk
 httpd/httpd/trunk/build/mkconfNW.awk
 httpd/httpd/trunk/modules/aaa/config.m4
 httpd/httpd/trunk/os/netware/modules.c
 httpd/httpd/trunk/os/win32/BaseAddr.ref
 

I haven't tried out the new authnz directives yet, but it at least builds on 
NetWare.

Brad

Re: AuthzMergeRules blocks everything in default configuration

[Ruediger Pluem]

On 11/03/2008 08:12 PM, Chris Darroch wrote:
 Dan Poirier wrote:
 
 I'd find it much easier to understand if we had fewer directives, and
 just built up the more complicated ideas by writing boolean
 expressions, which most of us already know how to cope with.
 
   Perhaps, and the underlying code should support a range of alternative
 configuration schemes; if someone wants to add an expression parser,
 that should be feasible.
 
 
   My own perspective was that I wanted to satisfy number of goals,
 in descending order of priority:
 
   First, and most important, I wanted to ensure default 2.2-style
 authz.  Imagine administrating a large mass virtual hosting service
 whose customers have uploaded thousands of .htaccess files, and trying
 to upgrade to 2.4.  Clearly, those .htaccess files need to work exactly
 as before.  Even if we supplied a batch conversion script that could
 find and auto-upgrade them, customers would later upload their own private
 copies of their old files, thus inadvertently breaking their sites.
 
   So, that meant an OR-like context for Require directives, and
 no merging of authz configurations by default.  This whole thread
 started because I was trying mod_authz_dbd and noticed it didn't
 work as expected because AuthzMergeRules was On (i.e., OR) by default.
 (In my previous message I described switching to an AND-like default
 context for Require directives, but realized before committing that
 that would break with this prime directive of backwards-compatibility.)
 
   So, if people could please test with 2.2-style authz configurations
 and make sure everything works as expected, that would be superb.

One of the authz tests breaks on trunk since a long time (I think it
started to break after Brad refactored the code):

t/http11/basicauth1..3
# Running under perl version 5.008008 for linux
# Current time local: Mon Nov  3 20:46:36 2008
# Current time GMT:   Mon Nov  3 19:46:36 2008
# Using Test.pm version 1.25
# Using Apache/Test.pm version 1.31
ok 1
not ok 2
# Failed test 2 in t/http11/basicauth.t at line 24
ok 3
FAILED test 2
Failed 1/3 tests, 66.67% okay
Failed Test  Stat Wstat Total Fail  Failed  List of Failed
---
t/http11/basicauth.t31  33.33%  2
Failed 1/1 test scripts, 0.00% okay. 1/3 subtests failed, 66.67% okay.


I was hoping that your patches would fix this, but sadly they did not.
From what I reviewed, the authz code should now react similar to the
2.2.x authz code, but apprently it does not.
As you have crawled that deeply in the authz code you seem to be
the natural person to have a look at this failing test :-).
I think this would be greatly appreciated.
Otherwise I think it is cool work that can be used for very
complex configuration needs.

Regards

Rüdiger

mod_unixd troubs?

[Chris Darroch]

Hi --

  I've been trying to get trunk to compile and run today, and
if I compile it without mod_unixd (and with the worker MPM) it compiles
and run, but then logs Server MUST relinquish startup privileges ...
and exits.  If I try to compile mod_unixd, I get compile-time warnings
about conflicts with os/unix/unixd.h and unixd.c.

  The following hack gets it to compile without mod_unixd (not
the intention, I understand) and run without exiting at startup.
I'm guessing the goal is to remove os/unix/unixd.h and unixd.c?
I tried that, naively, and found that the MPM wouldn't compile
because it uses #include unixd.h in mpm.h, etc.

Chris.

Index: os/unix/unixd.c
===
--- os/unix/unixd.c (revision 710182)
+++ os/unix/unixd.c (working copy)
@@ -246,6 +246,8 @@

unixd_config.chroot_dir = NULL; /* none */


+sys_privileges_handlers(1);
+
/* Check for suexec */
unixd_config.suexec_enabled = 0;
if ((apr_stat(wrapper, SUEXEC_BIN,

Re: mod_unixd troubs?

[Nick Kew]

On Mon, 03 Nov 2008 14:49:21 -0800
Chris Darroch [EMAIL PROTECTED] wrote:

 Hi --
 
I've been trying to get trunk to compile and run today, and
 if I compile it without mod_unixd (and with the worker MPM) it

Thanks for the heads-up.  Yes, there's more needs doing for the
prefork/worker/event MPMs.  Hacking on it now, but breakage is
likely for a while longer.

-- 
Nick Kew

Re: mod_unixd troubs?

[Nick Kew]

On Tue, 4 Nov 2008 00:27:24 +
Nick Kew [EMAIL PROTECTED] wrote:

 On Mon, 03 Nov 2008 14:49:21 -0800
 Chris Darroch [EMAIL PROTECTED] wrote:
 
  Hi --
  
 I've been trying to get trunk to compile and run today, and
  if I compile it without mod_unixd (and with the worker MPM) it
 
 Thanks for the heads-up.  Yes, there's more needs doing for the
 prefork/worker/event MPMs.  Hacking on it now, but breakage is
 likely for a while longer.
 

r711146 fixes the worker MPM, by removing the duplicated stuff.
TBD: make it build mod_unixd when prefork/worker/event MPM
is selected - still need to configure that explicitly.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

Re: AuthzMergeRules blocks everything in default configuration

[Chris Darroch]

Ruediger Pluem wrote:


I was hoping that your patches would fix this, but sadly they did not.


  Ironically, the problem appears to have little to do with authz,
but rather authn.  The test httpd logs show it's failing to find
an htpasswd-type file in which to check the user's login and password.
That's because there's no AuthBasicProvider in the test config, and
the code -- since way back, I think -- defaults to the file authn
provider.

  Looking back in SVN it seems like that should have been the
behaviour for quite a number of years, but I confess I didn't dig
too deeply.  Nor did I try out the test suite with 2.2.x to see
if it succeeds as-is, and if so, why.  If it does, my hunch would
be that it succeeds because the suite doesn't actually use the normal
authn/z providers, but rather supplies its own module called mod_authany.c.

  That module contains two different alternative set of functions
based on an #if AP_MODULE_MAGIC_AT_LEAST(20060110, 0) which corresponds
to, I think, an attempt to just get it to compile after the authn/z
refactoring in trunk.  The log comment for r375595 is:

   - attempt to adapt for trunk aaa changes; this doesn't work
   but it does at least compile - not sure whether the problem
   is in this code or the aaa code.

  At any rate, my guess would be that it works (if it does) with
2.2.x because the module supplies its own raw check_user_id (i.e., authn)
and auth_checker (i.e., authz) hook functions which run as APR_HOOK_FIRST
and probably bypass all the stuff in the usual APR_HOOK_MIDDLE hook
functions of mod_auth_basic and mod_authz_file.  So the fact
that it doesn't specify any AuthBasicProvider never comes up because
it bypasses mod_auth_basic entirely.  Just a guess.

  At any rate, the patch below makes it run with trunk, and
properly too, in the sense that it uses mod_authn_core and
mod_authz_core to do the heavy lifting and just supplies a tiny
pair of authn/z providers.  But, this isn't really a perfect
solution because it's not really correct to put the authn provider
into the AP_MODULE_MAGIC_AT_LEAST(20060110, 0) block, since it
doesn't (I think) have anything in particular to do with that
change.  Sorry not to spend more time on this.

Chris.


Index: mod_authany.c
===
--- mod_authany.c   (revision 710145)
+++ mod_authany.c   (working copy)
@@ -5,6 +5,7 @@
   require user any-user
   AuthType Basic
   AuthName authany
+   AuthBasicProvider any
/Location

#endif
@@ -19,6 +20,18 @@
#include ap_provider.h
#include mod_auth.h

+static authn_status authn_check_password(request_rec *r, const char *user,
+ const char *password)
+{
+return strtrue(r-user)  strcmp(r-user, guest) == 0
+? AUTH_GRANTED : AUTH_DENIED;
+}
+
+static const authn_provider authn_any_provider =
+{
+authn_check_password
+};
+
static authz_status any_check_authorization(request_rec *r,
const char *requirement)
{
@@ -28,11 +41,13 @@

static const authz_provider authz_any_provider =
{
-any_check_authorization,
+any_check_authorization
};

static void extra_hooks(apr_pool_t *p)
{
+ap_register_provider(p, AUTHN_PROVIDER_GROUP,
+ any, 0, authn_any_provider);
ap_register_provider(p, AUTHZ_PROVIDER_GROUP,
 user, 0, authz_any_provider);
}

Re: svn commit: r709839 - in /httpd/httpd/trunk: ./ build/ modules/aaa/modules/arch/netware/ os/netware/ os/win32/

[Chris Darroch]

Brad Nicholes wrote:


I haven't tried out the new authnz directives yet, but it at least
builds on NetWare.


  Thanks -- glad to know it compiles, at least!

Chris.

--
GPG Key ID: 366A375B
GPG Key Fingerprint: 485E 5041 17E1 E2BB C263  E4DE C8E3 FA36 366A 375B