Bug#292122: /etc/apache-ssl/httpd.conf is modified without questions on upgrade

2005-01-25 Thread Bjørn Mork
Package: apache-ssl
Version: 1.3.33-3
Severity: important

When I just upgraded apache-ssl, the postinst script did these modifications
without asking me: 

canardo:/etc/apache-ssl# cvs diff -u httpd.conf 
Index: httpd.conf
===
RCS file: /usr/local/cvsroot/canardo_etc/apache-ssl/httpd.conf,v
retrieving revision 1.16
diff -u -r1.16 httpd.conf
--- httpd.conf  5 Jan 2005 14:29:46 -   1.16
+++ httpd.conf  25 Jan 2005 08:21:01 -
@@ -37,7 +37,7 @@
 
 ### Section 2: 'Main' server configuration
 BindAddress www.mork.no
-Port 80
+Port 443
 Listen www.mork.no:443
 Listen www.mork.no:80
 User www-data
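Review bot: Replacing "Port 80" with "Port 443" overrides a value the administrator had set, in a file that already carries explicit "Listen www.mork.no:443" and "Listen www.mork.no:80" lines directly below it. The script should leave an existing Port line alone, or ask before changing it, rather than assume 443.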
@@ -417,3 +417,9 @@
 Include /etc/cacti/apache.conf
 /VirtualHost
 
+
+# Automatically added by the post-installation script
+# as part of the transition to a config directory layout
+# similar to apache2, and that will help users to migrate
+# from apache to apache2 or revert back easily
+Include /etc/apache-ssl/conf.d
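Review bot: The "Include /etc/apache-ssl/conf.d" line is appended at the very end of the file, after the last /VirtualHost close, and the added comment explains the motive but not how an admin declines or reverts it. Suggest asking before appending, and skipping the append when an Include for that directory is already present.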


This is quite serious, since changing the bind port changes the configuration
in a way which cannot be done safely.  How would you know what the admin's
intentions are?

Luckily, I also had a virtual server running on port 443, so I noticed an
unexpected error caused by the above change.


Bjørn

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (650, 'testing'), (600, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages apache-ssl depends on:
ii  apache-common   1.3.33-3      support files for all Apache webse
ii  debconf         1.4.30.11     Debian configuration management sy
ii  dpkg            1.10.26       Package maintenance system for Deb
ii  libc6           2.3.2.ds1-20  GNU C Library: Shared libraries an
ii  libdb4.2        4.2.52-17     Berkeley v4.2 Database Libraries [
ii  libexpat1       1.95.8-1      XML parsing C library - runtime li
ii  libmagic1       4.12-1        File type determination library us
ii  libssl0.9.7     0.9.7e-2      SSL shared libraries
ii  logrotate       3.7-2         Log rotation utility
ii  mime-support    3.28-1        MIME files 'mime.types'  'mailcap
ii  openssl         0.9.7e-2      Secure Socket Layer (SSL) binary a
ii  perl            5.8.4-5       Larry Wall's Practical Extraction 
ii  ssl-cert        1.0-11        Simple debconf wrapper for openssl

-- debconf information:
  apache-ssl/server-name: www.mork.no
  apache-ssl/server-admin: [EMAIL PROTECTED]
* apache-ssl/enable-suexec: true
  apache-ssl/init: true
  apache-ssl/document-root: /home/www/mork.no



Bug#292122: /etc/apache-ssl/httpd.conf is modified without questions on upgrade

2005-01-25 Thread Fabio Massimo Di Nitto
Bjørn Mork wrote:
| Package: apache-ssl
| Version: 1.3.33-3
| Severity: important
|
| When I just upgraded apache-ssl, the postinst script did these modifications
| without asking me:
This sounds quite impossible because apache uses debconf via ucf to ask if it is
allowed to modify configurations or not and the level of interaction is decided
by the user via dpkg-reconfigure debconf.
If you have set it to non-interactive then of course things do not get asked.
Please let me know if I missed something and if you can kindly check the above
values.
Thanks
Fabio
- --
Self-Service law:
The last available dish of the food you have decided to eat, will be
inevitably taken from the person in front of you.


Bug#292122: /etc/apache-ssl/httpd.conf is modified without questions on upgrade

2005-01-25 Thread Bjørn Mork
Fabio Massimo Di Nitto [EMAIL PROTECTED] writes:

> Bjørn Mork wrote:
> | Package: apache-ssl
> | Version: 1.3.33-3
> | Severity: important
> |
> | When I just upgraded apache-ssl, the postinst script did these modifications
> | without asking me:
>
> This sounds quite impossible because apache uses debconf via ucf to ask if it is
> allowed to modify configurations or not and the level of interaction is decided
> by the user via dpkg-reconfigure debconf.
>
> If you have set it to non-interactive then of course things do not get asked.

I don't think I have, but I have been wrong once before ;-)  Can't
find any evidence of it though:

canardo:/etc/apache-ssl# egrep -v ^# /etc/debconf.conf 

Config: configdb
Templates: templatedb

Name: config
Driver: File
Mode: 644
Reject-Type: password
Filename: /var/cache/debconf/config.dat

Name: passwords
Driver: File
Mode: 600
Backup: false
Required: false
Accept-Type: password
Filename: /var/cache/debconf/passwords.dat

Name: configdb
Driver: Stack
Stack: config, passwords

Name: templatedb
Driver: File
Mode: 644
Filename: /var/cache/debconf/templates.dat


canardo:/etc/apache-ssl# egrep -A5 '^Name: debconf' /var/cache/debconf/config.dat
Name: debconf/frontend
Template: debconf/frontend
Value: Dialog
Owners: debconf
Flags: seen

Name: debconf/priority
Template: debconf/priority
Value: medium
Owners: debconf
Flags: seen

canardo:/etc/apache-ssl# echo x$DEBIAN_FRONTEND
x

Anything else I should check?



Bjørn



Bug#292122: /etc/apache-ssl/httpd.conf is modified without questions on upgrade

2005-01-25 Thread Fabio Massimo Di Nitto
Bjørn Mork wrote:
| Fabio Massimo Di Nitto [EMAIL PROTECTED] writes:
|
|
|Bjørn Mork wrote:
|| Package: apache-ssl
|| Version: 1.3.33-3
|| Severity: important
||
|| When I just upgraded apache-ssl, the postinst script did these modifications
|| without asking me:
|
|This sounds quite impossible because apache uses debconf via ucf to ask if it is
|allowed to modify configurations or not and the level of interaction is decided
|by the user via dpkg-reconfigure debconf.
|
|If you have set it to non-interactive then of course things do not get asked.
|
|
| I don't think I have, but I have been wrong once before ;-)  Can't
| find any evidence of it though:
|
they look ok...
| Anything else I should check?
If you can afford to do a test break it would be great if you can revert the changes
to the old config and do:
dpkg-reconfigure apache-ssl
and see if for some reason it happens again.
Thanks
Fabio
- --
Self-Service law:
The last available dish of the food you have decided to eat, will be
inevitably taken from the person in front of you.


Bug#292122: /etc/apache-ssl/httpd.conf is modified without questions on upgrade

2005-01-25 Thread Bjørn Mork
Fabio Massimo Di Nitto [EMAIL PROTECTED] writes:
> Bjørn Mork wrote:
>
> | Anything else I should check?
>
> If you can afford to do a test break it would be great if you can revert the changes
> to the old config and do:
>
> dpkg-reconfigure apache-ssl
>
> and see if for some reason it happens again.

No, that didn't provoke it.  I got the questions I already had
answered but /etc/apache-ssl/httpd.conf was not changed.  That
includes the

 Include /etc/apache-ssl/conf.d

which was not added either this time.

Then I tried downgrading to 1.3.33-2 and upgrading again, but that
didn't change the config either. 

Hmm, seems I can't reproduce the error so it should probably be
archived as a bogus report.  Please feel free to do so if you like.

I am still wondering how the file got changed, though...


Bjørn



Bug#292122: /etc/apache-ssl/httpd.conf is modified without questions on upgrade

2005-01-25 Thread Fabio Massimo Di Nitto
Bjørn Mork wrote:
| Fabio Massimo Di Nitto [EMAIL PROTECTED] writes:
|
|Bjørn Mork wrote:
|
|| Anything else I should check?
|
|If you can afford to do a test break it would be great if you can revert the changes
|to the old config and do:
|
|dpkg-reconfigure apache-ssl
|
|and see if for some reason it happens again.
|
|
| No, that didn't provoke it.  I got the questions I already had
| answered but /etc/apache-ssl/httpd.conf was not changed.  That
| includes the
|
|  Include /etc/apache-ssl/conf.d
|
| which was not added either this time.
|
| Then I tried downgrading to 1.3.33-2 and upgrading again, but that
| didn't change the config either.
|
| Hmm, seems I can't reproduce the error so it should probably be
| archived as a bogus report.  Please feel free to do so if you like.
|
| I am still wondering how the file got changed, though...
|
|
| Bjørn
Ah hold on.. one more test please.. I forgot about the md5sum check.
Put the old config in place and edit (very carefully!) /var/lib/ucf/hashfile
with the proper md5sum for /etc/apache-ssl/httpd.conf
and test the upgrade again.
Thanks
Fabio
- --
Self-Service law:
The last available dish of the food you have decided to eat, will be
inevitably taken from the person in front of you.


Bug#292122: /etc/apache-ssl/httpd.conf is modified without questions on upgrade

2005-01-25 Thread Fabio Massimo Di Nitto
Bjørn Mork wrote:
| Fabio Massimo Di Nitto [EMAIL PROTECTED] writes:
|
|
|Ah hold on.. one more test please.. I forgot about the md5sum check.
|
|Put the old config in place and edit (very carefully!) /var/lib/ucf/hashfile
|with the proper md5sum for /etc/apache-ssl/httpd.conf
|and test the upgrade again.
|
|
|
| Yup, that's it:
|
| canardo:/etc/apache-ssl# md5sum -vc /var/lib/ucf/hashfile
| /etc/logrotate.d/clamav-daemon FAILED
| /etc/clamav/clamav.confmd5sum: can't open /etc/clamav/clamav.conf
| /etc/papersize OK
| /etc/nagios/checkcommands.cfg  FAILED
| /etc/clamav/freshclam.conf OK
| /etc/clamav/clamd.conf OK
| /etc/fonts/local.conf  OK
| /etc/apache-ssl/modules.conf   OK
| /etc/sensors.conf  OK
| /etc/apache-ssl/httpd.conf OK
| md5sum: 2 of 9 file(s) failed MD5 check
| canardo:/etc/apache-ssl# grep Port httpd.conf
| Port 80
| SSLCacheServerPort /var/run/gcache_port
| canardo:/etc/apache-ssl# apt-get dist-upgrade
| Reading Package Lists... Done
| Building Dependency Tree... Done
| Calculating Upgrade... Done
| The following packages will be upgraded:
|   apache-common apache-ssl apache-utils
| 3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
| Need to get 0B/1599kB of archives.
| After unpacking 0B of additional disk space will be used.
| Do you want to continue? [Y/n]
| Preconfiguring packages ...
| (Reading database ... 61097 files and directories currently installed.)
| Preparing to replace apache-utils 1.3.33-2 (using .../apache-utils_1.3.33-3_i386.deb) ...
| Unpacking replacement apache-utils ...
| Preparing to replace apache-common 1.3.33-2 (using .../apache-common_1.3.33-3_i386.deb) ...
| Unpacking replacement apache-common ...
| Preparing to replace apache-ssl 1.3.33-2 (using .../apache-ssl_1.3.33-3_i386.deb) ...
| Stopping web server: apache-ssl.
| Stopping web server: apache-sslNo process in pidfile `/var/run/apache-ssl.pid' found running; none killed.
| .
| Unpacking replacement apache-ssl ...
| Setting up apache-utils (1.3.33-3) ...
| Setting up apache-common (1.3.33-3) ...
|
| Setting up apache-ssl (1.3.33-3) ...
| Replacing config file /etc/apache-ssl/httpd.conf with new version
| Starting web server: apache-ssl[Tue Jan 25 11:46:24 2005] [warn] VirtualHost www.mork.no:443 overlaps with VirtualHost www.mork.no:443, the first has precedence, perhaps you need a NameVirtualHost directive
| [Tue Jan 25 11:46:24 2005] [warn] VirtualHost www.mork.no:443 overlaps with VirtualHost www.mork.no:443, the first has precedence, perhaps you need a NameVirtualHost directive
| [Tue Jan 25 11:46:24 2005] [warn] VirtualHost www.mork.no:443 overlaps with VirtualHost www.mork.no:443, the first has precedence, perhaps you need a NameVirtualHost directive
| [Tue Jan 25 11:46:24 2005] [warn] VirtualHost www.mork.no:443 overlaps with VirtualHost www.mork.no:443, the first has precedence, perhaps you need a NameVirtualHost directive
| [Tue Jan 25 11:46:24 2005] [warn] VirtualHost www.mork.no:443 overlaps with VirtualHost www.mork.no:443, the first has precedence, perhaps you need a NameVirtualHost directive
| [Tue Jan 25 11:46:24 2005] [warn] VirtualHost www.mork.no:443 overlaps with VirtualHost www.mork.no:443, the first has precedence, perhaps you need a NameVirtualHost directive
| [Tue Jan 25 11:46:24 2005] [warn] VirtualHost www.mork.no:443 overlaps with VirtualHost www.mork.no:443, the first has precedence, perhaps you need a NameVirtualHost directive
| [Tue Jan 25 11:46:24 2005] [warn] NameVirtualHost www.mork.no:80 has no VirtualHosts
| .
|
| canardo:/etc/apache-ssl# grep Port httpd.conf
| Port 443
| SSLCacheServerPort /var/run/gcache_port
|
|
| Bjørn
All right, I now remember exactly what the problem was/is.
Basically older versions of apache-ssl had some problems
to work properly with the default port != 443 and that was somehow hardcoded in the
config manager for the port. We need to relax it and make it configurable as the other
apache flavours.
Thanks
Fabio
- --
Self-Service law:
The last available dish of the food you have decided to eat, will be
inevitably taken from the person in front of you.


Bug#292122: /etc/apache-ssl/httpd.conf is modified without questions on upgrade

2005-01-25 Thread Bjørn Mork
Fabio Massimo Di Nitto [EMAIL PROTECTED] writes:

> Ah hold on.. one more test please.. I forgot about the md5sum check.
>
> Put the old config in place and edit (very carefully!) /var/lib/ucf/hashfile
> with the proper md5sum for /etc/apache-ssl/httpd.conf
> and test the upgrade again.


Yup, that's it:

canardo:/etc/apache-ssl# md5sum -vc /var/lib/ucf/hashfile
/etc/logrotate.d/clamav-daemon FAILED
/etc/clamav/clamav.confmd5sum: can't open /etc/clamav/clamav.conf
/etc/papersize OK
/etc/nagios/checkcommands.cfg  FAILED
/etc/clamav/freshclam.conf OK
/etc/clamav/clamd.conf OK
/etc/fonts/local.conf  OK
/etc/apache-ssl/modules.conf   OK
/etc/sensors.conf  OK
/etc/apache-ssl/httpd.conf OK
md5sum: 2 of 9 file(s) failed MD5 check
canardo:/etc/apache-ssl# grep Port httpd.conf
Port 80
SSLCacheServerPort /var/run/gcache_port
canardo:/etc/apache-ssl# apt-get dist-upgrade
Reading Package Lists... Done
Building Dependency Tree... Done
Calculating Upgrade... Done
The following packages will be upgraded:
  apache-common apache-ssl apache-utils
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/1599kB of archives.
After unpacking 0B of additional disk space will be used.
Do you want to continue? [Y/n] 
Preconfiguring packages ...
(Reading database ... 61097 files and directories currently installed.)
Preparing to replace apache-utils 1.3.33-2 (using .../apache-utils_1.3.33-3_i386.deb) ...
Unpacking replacement apache-utils ...
Preparing to replace apache-common 1.3.33-2 (using .../apache-common_1.3.33-3_i386.deb) ...
Unpacking replacement apache-common ...
Preparing to replace apache-ssl 1.3.33-2 (using .../apache-ssl_1.3.33-3_i386.deb) ...
Stopping web server: apache-ssl.
Stopping web server: apache-sslNo process in pidfile `/var/run/apache-ssl.pid' found running; none killed.
.
Unpacking replacement apache-ssl ...
Setting up apache-utils (1.3.33-3) ...
Setting up apache-common (1.3.33-3) ...

Setting up apache-ssl (1.3.33-3) ...
Replacing config file /etc/apache-ssl/httpd.conf with new version
Starting web server: apache-ssl[Tue Jan 25 11:46:24 2005] [warn] VirtualHost www.mork.no:443 overlaps with VirtualHost www.mork.no:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Tue Jan 25 11:46:24 2005] [warn] VirtualHost www.mork.no:443 overlaps with VirtualHost www.mork.no:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Tue Jan 25 11:46:24 2005] [warn] VirtualHost www.mork.no:443 overlaps with VirtualHost www.mork.no:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Tue Jan 25 11:46:24 2005] [warn] VirtualHost www.mork.no:443 overlaps with VirtualHost www.mork.no:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Tue Jan 25 11:46:24 2005] [warn] VirtualHost www.mork.no:443 overlaps with VirtualHost www.mork.no:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Tue Jan 25 11:46:24 2005] [warn] VirtualHost www.mork.no:443 overlaps with VirtualHost www.mork.no:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Tue Jan 25 11:46:24 2005] [warn] VirtualHost www.mork.no:443 overlaps with VirtualHost www.mork.no:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Tue Jan 25 11:46:24 2005] [warn] NameVirtualHost www.mork.no:80 has no VirtualHosts
.

canardo:/etc/apache-ssl# grep Port httpd.conf
Port 443
SSLCacheServerPort /var/run/gcache_port


Bjørn
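
The md5sum check that decided this upgrade, as an added example that is not part of the thread and not ucf's own code: it classifies every path in a ucf-style hashfile and snapshots the files that still match their recorded hash, so a replacement made without a question can be diffed afterwards. The function names and the ROOT prefix argument are assumptions made for illustration.

```shell
# Added example, not code from the thread or from ucf itself.
# Assumes a hashfile in md5sum format ("<md5>  <path>" per line), the format
# the thread checks with `md5sum -vc /var/lib/ucf/hashfile`.
# ROOT is a hypothetical path prefix so the audit can run on a copy of /etc.

# Print UNCHANGED / MODIFIED / MISSING for every path in the hashfile.
ucf_audit() {   # usage: ucf_audit HASHFILE [ROOT]
    hashfile=$1
    root=${2:-}
    while read -r recorded path || [ -n "$recorded" ]; do
        path=${path#\*}                  # md5sum marks binary mode with '*'
        [ -n "$path" ] || continue       # skip blank or malformed lines
        if [ ! -r "$root$path" ]; then
            printf 'MISSING   %s\n' "$path"
        elif [ "$(md5sum < "$root$path" | cut -d' ' -f1)" = "$recorded" ]; then
            # Same hash as recorded: the case the thread shows being
            # replaced on upgrade without a question.
            printf 'UNCHANGED %s\n' "$path"
        else
            printf 'MODIFIED  %s\n' "$path"
        fi
    done < "$hashfile"
}

# Copy every UNCHANGED file under BACKUP, keeping its path, before upgrading.
ucf_snapshot() {   # usage: ucf_snapshot HASHFILE BACKUP [ROOT]
    backup=$2
    root=${3:-}
    ucf_audit "$1" "$root" | while read -r state path; do
        [ "$state" = UNCHANGED ] || continue
        mkdir -p "$backup$(dirname "$path")"
        cp -p "$root$path" "$backup$path"
    done
}

# After the upgrade, list snapshotted files whose content has changed.
ucf_changed_since() {   # usage: ucf_changed_since BACKUP [ROOT]
    backup=$1
    root=${2:-}
    (cd "$backup" && find . -type f) | sed 's/^\.//' | while read -r path; do
        cmp -s "$backup$path" "$root$path" || printf '%s\n' "$path"
    done
}
```

Run ucf_audit and ucf_snapshot before the upgrade and ucf_changed_since after it; on a live system the hashfile argument is /var/lib/ucf/hashfile and ROOT is left empty.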