Re: apache module's privileges

2009-12-16 Thread Jordi Prats
On Tue, Dec 15, 2009 at 9:33 PM, Graham Dumpleton
graham.dumple...@gmail.com wrote:

 There is a lot more to it than that.

 Parts of the code of an Apache module that are run in Apache parent
 process will run as that user, normally root, but handling of actual
 requests in an Apache worker process are done as less privileged user.

 Suggest OP read:

  http://www.fmc-modeling.org/category/projects/apache/amp/Apache_Modeling_Project.html

Thank you! It seems quite interesting!



 to understand the whole life cycle of Apache configuration and
 initialisation, and of separate per request life cycle.

 Graham




-- 
Jordi


Re: Building 2.3.4.alpha on AIX 6.1

2009-12-16 Thread Graham Leggett
Michael Felt wrote:

  
  Making install in modules
  Making install in aaa
  rm -f /opt/aixt/apache2/modules/mod_authn_file.so
  /data/prj/alpha/httpd-2.3.4-alpha/srclib/apr/libtool --silent --mode=install install mod_authn_file.la /opt/aixt/apache2/modules/
  find: bad status-- /opt/aixt/apache2/modules/mod_authn_file.la
  install: File mod_authn_file.lai was not found.
  make: 1254-004 The error code from the last command is 2.

One observation - this snippet is just a snippet from your build output,
and the error is that a file isn't found.

I would guess the real error is further up in your build, where I
predict an error occurred causing the file that isn't found to not be
generated in the first place.

Can you also clarify what steps you are using to build, specifically
command line options?

Regards,
Graham
--


How to combine IP and user based AAA without Satisfy?

2009-12-16 Thread Rainer Jung

Hi,

during a test migration from 2.2 to 2.4 I noticed that the new AAA does
not allow combining IP-based AAA with user-based AAA.

The goal: allow access if either the client IP address satisfies conditions
or the user authenticates via basic auth.

Until 2.2 one could use Satisfy Any. The resulting config first
checked the IP, and only prompted via basic auth if the IP was not allowed.

In 2.4, *without* using the deprecated Satisfy via mod_access_compat,
you will always be prompted by basic auth, because the IP addresses are
only used during authz, which comes after authn.

Is there any known solution to this? Should there be one? Would it make
sense to not deprecate Satisfy because of this?


Regards,

Rainer
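
The two configuration shapes this post contrasts, written out as an added example (not from the original post or the httpd project): the 2.2 Satisfy Any form, and the same policy expressed with 2.4 authorization directives only. The /private location, the 192.0.2.0/24 range and the password file path are placeholder assumptions.

```apache
# Alternative A and alternative B describe the same policy for different
# server versions; use one or the other, not both in the same config.

# --- A: httpd 2.2, host-based access OR basic auth via Satisfy Any ---
<Location /private>
    # Host-based access control (2.2 syntax)
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    # User-based access control
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /usr/local/apache2/conf/htpasswd
    Require valid-user

    # Passing either the host check or the user check is enough
    Satisfy Any
</Location>

# --- B: httpd 2.4 authz directives only, no mod_access_compat ---
# The post reports that on the 2.4 development code of the time this
# kind of setup always prompted for basic auth, even for allowed IPs.
<Location /private>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /usr/local/apache2/conf/htpasswd

    # Grant access if any one of the enclosed requirements is met
    <RequireAny>
        Require ip 192.0.2.0/24
        Require valid-user
    </RequireAny>
</Location>
```

When migrating, request the location from an address inside the allowed range without credentials and check whether the server answers 200 or 401; that shows directly whether the build in use prompts in the case the post describes.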



Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555

2009-12-16 Thread Joe Orton
On Sun, Dec 13, 2009 at 06:59:37PM +0100, Ruediger Pluem wrote:
 On 26.11.2009 22:06, Ruediger Pluem wrote:
  On 11/19/2009 04:58 PM, Joe Orton wrote:
  Yes, I agree, this seems very sensible, I can't see any problem with 
  this.  
 
  I would prefer to do it in a slightly more general way as below, which 
  would catch the case where any other module's connection filter had 
  buffered the data, and adds appropriate logging.
 
  (more general but which required half a day tracking down an obscure bug 
  in the BIO/filters, also fixed below...)
 
  Testing on this version very welcome!
  
  Anything that prevents this from committing?
 
 Ping, Joe?

Sorry - trying to keep too many plates spinning at the moment:

Done in http://svn.apache.org/viewvc?view=revision&revision=891282

Regards, Joe


RE: handling request splicing in case of server initiated renegotiation CVE-2009-3555

2009-12-16 Thread Plüm, Rüdiger, VF-Group
 

 -Original Message-
 From: Joe Orton [mailto:jor...@redhat.com] 
 Sent: Wednesday, 16 December 2009 17:02
 To: dev@httpd.apache.org
 Subject: Re: handling request splicing in case of server 
 initiated renegotiation CVE-2009-3555
 
 On Sun, Dec 13, 2009 at 06:59:37PM +0100, Ruediger Pluem wrote:
  On 26.11.2009 22:06, Ruediger Pluem wrote:
   On 11/19/2009 04:58 PM, Joe Orton wrote:
   Yes, I agree, this seems very sensible, I can't see any problem with
   this.
  
   I would prefer to do it in a slightly more general way as below, which
   would catch the case where any other module's connection filter had
   buffered the data, and adds appropriate logging.
  
   (more general but which required half a day tracking down an obscure bug
   in the BIO/filters, also fixed below...)
  
   Testing on this version very welcome!
   
   Anything that prevents this from committing?
  
  Ping, Joe?
 
 Sorry - trying to keep too many plates spinning at the moment:
 
 Done in http://svn.apache.org/viewvc?view=revision&revision=891282
 

Thanks Joe.

Regards

Rüdiger