[Pkg-apache-commits] r1295 - in /trunk/apache2: ./ mpm-itk/ mpm-itk/patches/
sf at alioth.debian.org
Mon Mar 21 22:01:09 UTC 2011
Author: sf
Date: Mon Mar 21 22:00:56 2011
New Revision: 1295
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1295
Log:
New mpm_itk upstream version 2.2.17-01:
- Fix CVE-2011-1176: If NiceValue was set, the default with no
AssignUserID was to run as root:root instead of the default Apache user
and group, due to the configuration merger having an incorrect default
configuration. Closes: #618857
Added:
trunk/apache2/mpm-itk/patches/11-fix-htaccess-reads-for-persistent-connections.patch (with props)
Modified:
trunk/apache2/changelog
trunk/apache2/mpm-itk/CHANGES
trunk/apache2/mpm-itk/patches/01-copy-prefork.patch
trunk/apache2/mpm-itk/patches/02-rename-prefork-to-itk.patch
trunk/apache2/mpm-itk/patches/03-add-mpm-to-build-system.patch
trunk/apache2/mpm-itk/patches/04-correct-output-makefile-location.patch
trunk/apache2/mpm-itk/patches/05-add-copyright.patch
trunk/apache2/mpm-itk/patches/06-hook-just-after-merging-perdir-config.patch
trunk/apache2/mpm-itk/patches/07-base-functionality.patch
trunk/apache2/mpm-itk/patches/08-max-clients-per-vhost.patch
trunk/apache2/mpm-itk/patches/09-capabilities.patch
trunk/apache2/mpm-itk/patches/10-nice.patch
trunk/apache2/mpm-itk/patches/series
Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1295&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Mon Mar 21 22:00:56 2011
@@ -1,5 +1,10 @@
-apache2 (2.2.17-2) UNRELEASED; urgency=low
-
+apache2 (2.2.17-2) UNRELEASED; urgency=high
+
+ * New mpm_itk upstream version 2.2.17-01:
+ - Fix CVE-2011-1176: If NiceValue was set, the default with no
+ AssignUserID was to run as root:root instead of the default Apache user
+ and group, due to the configuration merger having an incorrect default
+ configuration. Closes: #618857
* Make exit code of '/etc/init.d/apache2 status' more LSB compatible.
Closes: #613969
* Set the default file descriptor limit to 8192 instead of whatever the
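Review bot: the new `* New mpm_itk upstream version 2.2.17-01:` entry lists only the CVE-2011-1176 fix, but the same revision adds 11-fix-htaccess-reads-for-persistent-connections.patch and rebases the patch series onto httpd-2.2.17. The upstream CHANGES text in this commit records the spurious-403 fix for persistent connections as a separate item; add a matching sub-item here so that behaviour change can be traced from the Debian changelog, not just the security fix that justifies `urgency=high`.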
Modified: trunk/apache2/mpm-itk/CHANGES
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/CHANGES?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/CHANGES (original)
+++ trunk/apache2/mpm-itk/CHANGES Mon Mar 21 22:00:56 2011
@@ -1,3 +1,15 @@
+apache2.2-mpm-itk 2.2.17-01, released 2011-03-21:
+
+ * Fixed CVE-2011-1176: If NiceValue was set, the default with no
+ AssignUserID was to run as root:root instead of the default Apache user
+ and group, due to the configuration merger having an incorrect default
+ configuration.
+ * Rebase against Apache 2.2.17.
+ * Fix an issue where users can sometimes get spurious 403s on persistent
+ connections, if the .htaccess files are not world readable.
+ * In the config merger, don't reallocate the username, since it's already
+ in the correct pool. (This is not a memory leak, only a small inefficiency.)
+
apache2.2-mpm-itk 2.2.11-02, released 2009-04-14:
* Really fix the waitpid() code; thanks to Dave Cundiff for spotting the typo.
Modified: trunk/apache2/mpm-itk/patches/01-copy-prefork.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/01-copy-prefork.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/01-copy-prefork.patch (original)
+++ trunk/apache2/mpm-itk/patches/01-copy-prefork.patch Mon Mar 21 22:00:56 2011
@@ -5,29 +5,29 @@
cp server/mpm/prefork/* server/mpm/experimental/itk/
mv server/mpm/experimental/itk/prefork.c server/mpm/experimental/itk/itk.c
-Index: httpd-2.2.11/server/mpm/experimental/itk/Makefile.in
+Index: httpd-2.2.17/server/mpm/experimental/itk/Makefile.in
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ httpd-2.2.11/server/mpm/experimental/itk/Makefile.in 2009-03-17 21:38:54.000000000 +0100
+--- /dev/null
++++ httpd-2.2.17/server/mpm/experimental/itk/Makefile.in
@@ -0,0 +1,5 @@
+
+LTLIBRARY_NAME = libprefork.la
+LTLIBRARY_SOURCES = prefork.c
+
+include $(top_srcdir)/build/ltlib.mk
-Index: httpd-2.2.11/server/mpm/experimental/itk/config.m4
+Index: httpd-2.2.17/server/mpm/experimental/itk/config.m4
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ httpd-2.2.11/server/mpm/experimental/itk/config.m4 2009-03-17 21:38:53.000000000 +0100
+--- /dev/null
++++ httpd-2.2.17/server/mpm/experimental/itk/config.m4
@@ -0,0 +1,3 @@
+if test "$MPM_NAME" = "prefork" ; then
+ APACHE_FAST_OUTPUT(server/mpm/$MPM_NAME/Makefile)
+fi
-Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+Index: httpd-2.2.17/server/mpm/experimental/itk/itk.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ httpd-2.2.11/server/mpm/experimental/itk/itk.c 2009-03-17 21:38:54.000000000 +0100
-@@ -0,0 +1,1486 @@
+--- /dev/null
++++ httpd-2.2.17/server/mpm/experimental/itk/itk.c
+@@ -0,0 +1,1503 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
@@ -547,8 +547,12 @@
+ (void) ap_update_child_status(sbh, SERVER_READY, (request_rec *) NULL);
+
+ /* Set up the pollfd array */
-+ /* ### check the status */
-+ (void) apr_pollset_create(&pollset, num_listensocks, pchild, 0);
++ status = apr_pollset_create(&pollset, num_listensocks, pchild, 0);
++ if (status != APR_SUCCESS) {
++ ap_log_error(APLOG_MARK, APLOG_EMERG, status, ap_server_conf,
++ "Couldn't create pollset in child; check system or user limits");
++ clean_child_exit(APEXIT_CHILDSICK); /* assume temporary resource issue */
++ }
+
+ for (lr = ap_listeners, i = num_listensocks; i--; lr = lr->next) {
+ apr_pollfd_t pfd = { 0 };
@@ -603,19 +607,27 @@
+ apr_int32_t numdesc;
+ const apr_pollfd_t *pdesc;
+
-+ /* timeout == -1 == wait forever */
-+ status = apr_pollset_poll(pollset, -1, &numdesc, &pdesc);
++ /* check for termination first so we don't sleep for a while in
++ * poll if already signalled
++ */
++ if (one_process && shutdown_pending) {
++ SAFE_ACCEPT(accept_mutex_off());
++ return;
++ }
++ else if (die_now) {
++ /* In graceful stop/restart; drop the mutex
++ * and terminate the child. */
++ SAFE_ACCEPT(accept_mutex_off());
++ clean_child_exit(0);
++ }
++ /* timeout == 10 seconds to avoid a hang at graceful restart/stop
++ * caused by the closing of sockets by the signal handler
++ */
++ status = apr_pollset_poll(pollset, apr_time_from_sec(10),
++ &numdesc, &pdesc);
+ if (status != APR_SUCCESS) {
-+ if (APR_STATUS_IS_EINTR(status)) {
-+ if (one_process && shutdown_pending) {
-+ return;
-+ }
-+ else if (die_now) {
-+ /* In graceful stop/restart; drop the mutex
-+ * and terminate the child. */
-+ SAFE_ACCEPT(accept_mutex_off());
-+ clean_child_exit(0);
-+ }
++ if (APR_STATUS_IS_TIMEUP(status) ||
++ APR_STATUS_IS_EINTR(status)) {
+ continue;
+ }
+ /* Single Unix documents select as returning errnos
@@ -697,6 +709,11 @@
+ die_now = 1;
+ }
+ }
++ /* This apr_pool_clear call is redundant, should be redundant, but compensates
++ * a flaw in the apr reslist code. This should be removed once that flaw has
++ * been addressed.
++ */
++ apr_pool_clear(ptrans);
+ clean_child_exit(0);
+}
+
@@ -1514,10 +1531,10 @@
+ prefork_cmds, /* command apr_table_t */
+ prefork_hooks, /* register hooks */
+};
-Index: httpd-2.2.11/server/mpm/experimental/itk/mpm.h
+Index: httpd-2.2.17/server/mpm/experimental/itk/mpm.h
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ httpd-2.2.11/server/mpm/experimental/itk/mpm.h 2009-03-17 21:38:54.000000000 +0100
+--- /dev/null
++++ httpd-2.2.17/server/mpm/experimental/itk/mpm.h
@@ -0,0 +1,62 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
@@ -1581,10 +1598,10 @@
+extern server_rec *ap_server_conf;
+#endif /* APACHE_MPM_PREFORK_H */
+/** @} */
-Index: httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h
+Index: httpd-2.2.17/server/mpm/experimental/itk/mpm_default.h
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h 2009-03-17 21:38:54.000000000 +0100
+--- /dev/null
++++ httpd-2.2.17/server/mpm/experimental/itk/mpm_default.h
@@ -0,0 +1,74 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
Modified: trunk/apache2/mpm-itk/patches/02-rename-prefork-to-itk.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/02-rename-prefork-to-itk.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/02-rename-prefork-to-itk.patch (original)
+++ trunk/apache2/mpm-itk/patches/02-rename-prefork-to-itk.patch Mon Mar 21 22:00:56 2011
@@ -1,9 +1,9 @@
Rename prefork to itk in the copy that was created in 01-copy-prefork.patch.
-Index: httpd-2.2.11/server/mpm/experimental/itk/Makefile.in
+Index: httpd-2.2.17/server/mpm/experimental/itk/Makefile.in
===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/Makefile.in 2009-03-17 21:38:54.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/Makefile.in 2009-03-17 21:39:03.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/Makefile.in
++++ httpd-2.2.17/server/mpm/experimental/itk/Makefile.in
@@ -1,5 +1,5 @@
-LTLIBRARY_NAME = libprefork.la
@@ -12,20 +12,20 @@
+LTLIBRARY_SOURCES = itk.c
include $(top_srcdir)/build/ltlib.mk
-Index: httpd-2.2.11/server/mpm/experimental/itk/config.m4
+Index: httpd-2.2.17/server/mpm/experimental/itk/config.m4
===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/config.m4 2009-03-17 21:38:53.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/config.m4 2009-03-17 21:39:03.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/config.m4
++++ httpd-2.2.17/server/mpm/experimental/itk/config.m4
@@ -1,3 +1,3 @@
-if test "$MPM_NAME" = "prefork" ; then
+if test "$MPM_NAME" = "itk" ; then
APACHE_FAST_OUTPUT(server/mpm/$MPM_NAME/Makefile)
fi
-Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+Index: httpd-2.2.17/server/mpm/experimental/itk/itk.c
===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c 2009-03-17 21:38:54.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/itk.c 2009-03-17 21:39:03.000000000 +0100
-@@ -1250,7 +1250,7 @@
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/itk.c
++++ httpd-2.2.17/server/mpm/experimental/itk/itk.c
+@@ -1267,7 +1267,7 @@ int ap_mpm_run(apr_pool_t *_pconf, apr_p
/* This really should be a post_config hook, but the error log is already
* redirected by that point, so we need to do this in the open_logs phase.
*/
@@ -34,7 +34,7 @@
{
apr_status_t rv;
-@@ -1271,7 +1271,7 @@
+@@ -1288,7 +1288,7 @@ static int prefork_open_logs(apr_pool_t
return OK;
}
@@ -43,7 +43,7 @@
{
static int restart_num = 0;
int no_detach, debug, foreground;
-@@ -1328,9 +1328,9 @@
+@@ -1345,9 +1345,9 @@ static int prefork_pre_config(apr_pool_t
return OK;
}
@@ -55,7 +55,7 @@
* will be redirected to a file, and the messages won't print to the
* console.
*/
-@@ -1340,11 +1340,11 @@
+@@ -1357,11 +1357,11 @@ static void prefork_hooks(apr_pool_t *p)
(void) set42sig();
#endif
@@ -69,7 +69,7 @@
}
static const char *set_daemons_to_start(cmd_parms *cmd, void *dummy, const char *arg)
-@@ -1457,7 +1457,7 @@
+@@ -1474,7 +1474,7 @@ static const char *set_server_limit (cmd
return NULL;
}
@@ -78,7 +78,7 @@
UNIX_DAEMON_COMMANDS,
LISTEN_COMMANDS,
AP_INIT_TAKE1("StartServers", set_daemons_to_start, NULL, RSRC_CONF,
-@@ -1474,13 +1474,13 @@
+@@ -1491,13 +1491,13 @@ AP_GRACEFUL_SHUTDOWN_TIMEOUT_COMMAND,
{ NULL }
};
@@ -95,10 +95,10 @@
+ itk_cmds, /* command apr_table_t */
+ itk_hooks, /* register hooks */
};
-Index: httpd-2.2.11/server/mpm/experimental/itk/mpm.h
+Index: httpd-2.2.17/server/mpm/experimental/itk/mpm.h
===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/mpm.h 2009-03-17 21:38:54.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/mpm.h 2009-03-17 21:39:03.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/mpm.h
++++ httpd-2.2.17/server/mpm/experimental/itk/mpm.h
@@ -15,10 +15,10 @@
*/
@@ -137,10 +137,10 @@
-#endif /* APACHE_MPM_PREFORK_H */
+#endif /* APACHE_MPM_ITK_H */
/** @} */
-Index: httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h
+Index: httpd-2.2.17/server/mpm/experimental/itk/mpm_default.h
===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/mpm_default.h 2009-03-17 21:38:54.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h 2009-03-17 21:39:03.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/mpm_default.h
++++ httpd-2.2.17/server/mpm/experimental/itk/mpm_default.h
@@ -15,10 +15,10 @@
*/
Modified: trunk/apache2/mpm-itk/patches/03-add-mpm-to-build-system.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/03-add-mpm-to-build-system.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/03-add-mpm-to-build-system.patch (original)
+++ trunk/apache2/mpm-itk/patches/03-add-mpm-to-build-system.patch Mon Mar 21 22:00:56 2011
@@ -1,10 +1,10 @@
Add the new MPM to the build system as an alternative to the other MPMs,
and mark it as experimental.
-Index: apache2.2/server/mpm/config.m4
+Index: httpd-2.2.17/server/mpm/config.m4
===================================================================
---- apache2.2.orig/server/mpm/config.m4 2007-01-29 21:30:26.000000000 +0100
-+++ apache2.2/server/mpm/config.m4 2007-01-29 21:30:35.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/config.m4
++++ httpd-2.2.17/server/mpm/config.m4
@@ -1,7 +1,7 @@
AC_MSG_CHECKING(which MPM to use)
AC_ARG_WITH(mpm,
@@ -14,7 +14,7 @@
APACHE_MPM=$withval
],[
if test "x$APACHE_MPM" = "x"; then
-@@ -23,7 +23,7 @@
+@@ -23,7 +23,7 @@ ap_mpm_is_threaded ()
ap_mpm_is_experimental ()
{
Modified: trunk/apache2/mpm-itk/patches/04-correct-output-makefile-location.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/04-correct-output-makefile-location.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/04-correct-output-makefile-location.patch (original)
+++ trunk/apache2/mpm-itk/patches/04-correct-output-makefile-location.patch Mon Mar 21 22:00:56 2011
@@ -2,10 +2,10 @@
with the MPM in) instead of MPM_NAME (which returns the name of the MPM);
they differ since the MPM is in experimental/.
-Index: apache2.2/server/mpm/experimental/itk/config.m4
+Index: httpd-2.2.17/server/mpm/experimental/itk/config.m4
===================================================================
---- apache2.2.orig/server/mpm/experimental/itk/config.m4 2007-01-29 21:03:51.000000000 +0100
-+++ apache2.2/server/mpm/experimental/itk/config.m4 2007-01-29 21:03:57.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/config.m4
++++ httpd-2.2.17/server/mpm/experimental/itk/config.m4
@@ -1,3 +1,3 @@
if test "$MPM_NAME" = "itk" ; then
- APACHE_FAST_OUTPUT(server/mpm/$MPM_NAME/Makefile)
Modified: trunk/apache2/mpm-itk/patches/05-add-copyright.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/05-add-copyright.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/05-add-copyright.patch (original)
+++ trunk/apache2/mpm-itk/patches/05-add-copyright.patch Mon Mar 21 22:00:56 2011
@@ -1,9 +1,9 @@
Add copyright notices, as the next patches are going to add code.
-Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+Index: httpd-2.2.17/server/mpm/experimental/itk/itk.c
===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c 2009-03-21 13:02:18.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/itk.c 2009-03-21 13:02:33.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/itk.c
++++ httpd-2.2.17/server/mpm/experimental/itk/itk.c
@@ -12,6 +12,12 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
@@ -17,10 +17,10 @@
*/
#include "apr.h"
-Index: httpd-2.2.11/server/mpm/experimental/itk/mpm.h
+Index: httpd-2.2.17/server/mpm/experimental/itk/mpm.h
===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/mpm.h 2009-03-21 13:02:18.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/mpm.h 2009-03-21 13:02:33.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/mpm.h
++++ httpd-2.2.17/server/mpm/experimental/itk/mpm.h
@@ -12,6 +12,12 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
@@ -34,10 +34,10 @@
*/
/**
-Index: httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h
+Index: httpd-2.2.17/server/mpm/experimental/itk/mpm_default.h
===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/mpm_default.h 2009-03-21 13:02:18.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h 2009-03-21 13:02:33.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/mpm_default.h
++++ httpd-2.2.17/server/mpm/experimental/itk/mpm_default.h
@@ -12,6 +12,12 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
@@ -51,10 +51,10 @@
*/
/**
-Index: httpd-2.2.11/include/http_request.h
+Index: httpd-2.2.17/include/http_request.h
===================================================================
---- httpd-2.2.11.orig/include/http_request.h 2009-03-21 13:03:19.000000000 +0100
-+++ httpd-2.2.11/include/http_request.h 2009-03-21 13:03:31.000000000 +0100
+--- httpd-2.2.17.orig/include/http_request.h
++++ httpd-2.2.17/include/http_request.h
@@ -12,6 +12,12 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
@@ -68,10 +68,10 @@
*/
/**
-Index: httpd-2.2.11/server/request.c
+Index: httpd-2.2.17/server/request.c
===================================================================
---- httpd-2.2.11.orig/server/request.c 2009-03-21 13:03:04.000000000 +0100
-+++ httpd-2.2.11/server/request.c 2009-03-21 13:03:13.000000000 +0100
+--- httpd-2.2.17.orig/server/request.c
++++ httpd-2.2.17/server/request.c
@@ -12,6 +12,12 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
Modified: trunk/apache2/mpm-itk/patches/06-hook-just-after-merging-perdir-config.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/06-hook-just-after-merging-perdir-config.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/06-hook-just-after-merging-perdir-config.patch (original)
+++ trunk/apache2/mpm-itk/patches/06-hook-just-after-merging-perdir-config.patch Mon Mar 21 22:00:56 2011
@@ -3,11 +3,11 @@
is, as soon as know what uid/gid to use for this location), so we
won't run all sorts of subrequests and other stuff as root.
-Index: httpd-2.2.11/include/http_request.h
+Index: httpd-2.2.17/include/http_request.h
===================================================================
---- httpd-2.2.11.orig/include/http_request.h 2009-03-21 13:03:31.000000000 +0100
-+++ httpd-2.2.11/include/http_request.h 2009-03-21 13:03:41.000000000 +0100
-@@ -356,6 +356,15 @@
+--- httpd-2.2.17.orig/include/http_request.h
++++ httpd-2.2.17/include/http_request.h
+@@ -356,6 +356,15 @@ AP_DECLARE_HOOK(int,auth_checker,(reques
*/
AP_DECLARE_HOOK(void,insert_filter,(request_rec *r))
@@ -23,11 +23,11 @@
AP_DECLARE(int) ap_location_walk(request_rec *r);
AP_DECLARE(int) ap_directory_walk(request_rec *r);
AP_DECLARE(int) ap_file_walk(request_rec *r);
-Index: httpd-2.2.11/server/request.c
+Index: httpd-2.2.17/server/request.c
===================================================================
---- httpd-2.2.11.orig/server/request.c 2009-03-21 13:03:13.000000000 +0100
-+++ httpd-2.2.11/server/request.c 2009-03-21 13:03:41.000000000 +0100
-@@ -67,6 +67,7 @@
+--- httpd-2.2.17.orig/server/request.c
++++ httpd-2.2.17/server/request.c
+@@ -67,6 +67,7 @@ APR_HOOK_STRUCT(
APR_HOOK_LINK(auth_checker)
APR_HOOK_LINK(insert_filter)
APR_HOOK_LINK(create_request)
@@ -35,7 +35,7 @@
)
AP_IMPLEMENT_HOOK_RUN_FIRST(int,translate_name,
-@@ -86,6 +87,8 @@
+@@ -86,6 +87,8 @@ AP_IMPLEMENT_HOOK_RUN_FIRST(int,auth_che
AP_IMPLEMENT_HOOK_VOID(insert_filter, (request_rec *r), (r))
AP_IMPLEMENT_HOOK_RUN_ALL(int, create_request,
(request_rec *r), (r), OK, DECLINED)
@@ -44,7 +44,7 @@
static int decl_die(int status, char *phase, request_rec *r)
-@@ -164,6 +167,13 @@
+@@ -164,6 +167,13 @@ AP_DECLARE(int) ap_process_request_inter
return access_status;
}
Modified: trunk/apache2/mpm-itk/patches/07-base-functionality.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/07-base-functionality.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/07-base-functionality.patch (original)
+++ trunk/apache2/mpm-itk/patches/07-base-functionality.patch Mon Mar 21 22:00:56 2011
@@ -1,10 +1,10 @@
Add the base functionality of mpm_itk over prefork; parse the new configuration
options, fork on each new connection, and setuid() as required.
-Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+Index: httpd-2.2.17/server/mpm/experimental/itk/itk.c
===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c 2009-03-21 23:52:01.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/itk.c 2009-04-14 23:27:51.000000000 +0200
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/itk.c
++++ httpd-2.2.17/server/mpm/experimental/itk/itk.c
@@ -26,6 +26,11 @@
#include "apr_thread_proc.h"
#include "apr_signal.h"
@@ -25,7 +25,7 @@
#include "scoreboard.h"
#include "ap_mpm.h"
#include "unixd.h"
-@@ -146,6 +152,15 @@
+@@ -146,6 +152,15 @@ char tpf_server_name[INETD_SERVNAME_LENG
static volatile int die_now = 0;
@@ -41,7 +41,7 @@
#ifdef GPROF
/*
* change directory for gprof to plop the gmon.out file
-@@ -512,10 +527,6 @@
+@@ -512,10 +527,6 @@ static void child_main(int child_num_arg
clean_child_exit(APEXIT_CHILDFATAL);
}
@@ -52,7 +52,7 @@
ap_run_child_init(pchild, ap_server_conf);
ap_create_sb_handle(&sbh, pchild, my_child_num, 0);
-@@ -651,10 +662,38 @@
+@@ -663,10 +674,38 @@ static void child_main(int child_num_arg
* socket options, file descriptors, and read/write buffers.
*/
@@ -95,7 +95,7 @@
}
/* Check the pod and the generation number after processing a
-@@ -672,6 +711,10 @@
+@@ -684,6 +723,10 @@ static void child_main(int child_num_arg
*/
die_now = 1;
}
@@ -104,9 +104,9 @@
+ if (getuid())
+ die_now = 1;
}
- clean_child_exit(0);
- }
-@@ -1334,6 +1377,56 @@
+ /* This apr_pool_clear call is redundant, should be redundant, but compensates
+ * a flaw in the apr reslist code. This should be removed once that flaw has
+@@ -1351,6 +1394,56 @@ static int itk_pre_config(apr_pool_t *p,
return OK;
}
@@ -163,7 +163,7 @@
static void itk_hooks(apr_pool_t *p)
{
/* The itk open_logs phase must run before the core's, or stderr
-@@ -1351,6 +1444,9 @@
+@@ -1368,6 +1461,9 @@ static void itk_hooks(apr_pool_t *p)
* to retrieve it, so register as REALLY_FIRST
*/
ap_hook_pre_config(itk_pre_config, NULL, NULL, APR_HOOK_REALLY_FIRST);
@@ -173,7 +173,7 @@
}
static const char *set_daemons_to_start(cmd_parms *cmd, void *dummy, const char *arg)
-@@ -1463,6 +1559,15 @@
+@@ -1480,6 +1576,15 @@ static const char *set_server_limit (cmd
return NULL;
}
@@ -189,7 +189,7 @@
static const command_rec itk_cmds[] = {
UNIX_DAEMON_COMMANDS,
LISTEN_COMMANDS,
-@@ -1476,14 +1581,25 @@
+@@ -1493,14 +1598,25 @@ AP_INIT_TAKE1("MaxClients", set_max_clie
"Maximum number of children alive at the same time"),
AP_INIT_TAKE1("ServerLimit", set_server_limit, NULL, RSRC_CONF,
"Maximum value of MaxClients for this run of Apache"),
Modified: trunk/apache2/mpm-itk/patches/08-max-clients-per-vhost.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/08-max-clients-per-vhost.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/08-max-clients-per-vhost.patch (original)
+++ trunk/apache2/mpm-itk/patches/08-max-clients-per-vhost.patch Mon Mar 21 22:00:56 2011
@@ -2,11 +2,11 @@
per-directory (since it works by reading the scoreboard), so we need to add
per-server configuration data.
-Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+Index: httpd-2.2.17/server/mpm/experimental/itk/itk.c
===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c 2009-03-21 13:03:45.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/itk.c 2009-03-21 13:03:50.000000000 +0100
-@@ -159,6 +159,11 @@
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/itk.c
++++ httpd-2.2.17/server/mpm/experimental/itk/itk.c
+@@ -159,6 +159,11 @@ typedef struct
char *username;
} itk_per_dir_conf;
@@ -18,7 +18,7 @@
module AP_MODULE_DECLARE_DATA mpm_itk_module;
#ifdef GPROF
-@@ -1383,6 +1388,26 @@
+@@ -1400,6 +1405,26 @@ static int itk_post_perdir_config(reques
gid_t wanted_gid;
const char *wanted_username;
int err = 0;
@@ -45,7 +45,7 @@
itk_per_dir_conf *dconf =
(itk_per_dir_conf *) ap_get_module_config(r->per_dir_config, &mpm_itk_module);
-@@ -1568,6 +1593,14 @@
+@@ -1585,6 +1610,14 @@ static const char *assign_user_id (cmd_p
return NULL;
}
@@ -60,7 +60,7 @@
static const command_rec itk_cmds[] = {
UNIX_DAEMON_COMMANDS,
LISTEN_COMMANDS,
-@@ -1583,6 +1616,8 @@
+@@ -1600,6 +1633,8 @@ AP_INIT_TAKE1("ServerLimit", set_server_
"Maximum value of MaxClients for this run of Apache"),
AP_INIT_TAKE2("AssignUserID", assign_user_id, NULL, RSRC_CONF|ACCESS_CONF,
"Tie a virtual host to a specific child process."),
@@ -69,7 +69,7 @@
AP_GRACEFUL_SHUTDOWN_TIMEOUT_COMMAND,
{ NULL }
};
-@@ -1596,12 +1631,21 @@
+@@ -1613,12 +1648,21 @@ static void *itk_create_dir_config(apr_p
return c;
}
Modified: trunk/apache2/mpm-itk/patches/09-capabilities.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/09-capabilities.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/09-capabilities.patch (original)
+++ trunk/apache2/mpm-itk/patches/09-capabilities.patch Mon Mar 21 22:00:56 2011
@@ -3,10 +3,10 @@
code will still be able to run as any (normal) user on the system, but at least
he/she cannot directly load kernel code etc.
-Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+Index: httpd-2.2.17/server/mpm/experimental/itk/itk.c
===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c 2009-04-14 23:28:02.000000000 +0200
-+++ httpd-2.2.11/server/mpm/experimental/itk/itk.c 2009-04-14 23:29:16.000000000 +0200
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/itk.c
++++ httpd-2.2.17/server/mpm/experimental/itk/itk.c
@@ -71,6 +71,10 @@
#include <sys/processor.h> /* for bindprocessor() */
#endif
@@ -18,7 +18,7 @@
#include <signal.h>
#include <sys/times.h>
-@@ -501,6 +505,15 @@
+@@ -501,6 +505,15 @@ static void child_main(int child_num_arg
apr_bucket_alloc_t *bucket_alloc;
int last_poll_idx = 0;
@@ -34,7 +34,7 @@
mpm_state = AP_MPMQ_STARTING; /* for benefit of any hooks that run as this
* child initializes
*/
-@@ -554,6 +567,22 @@
+@@ -558,6 +571,22 @@ static void child_main(int child_num_arg
(void) apr_pollset_add(pollset, &pfd);
}
@@ -57,11 +57,11 @@
mpm_state = AP_MPMQ_RUNNING;
bucket_alloc = apr_bucket_alloc_create(pchild);
-Index: httpd-2.2.11/server/mpm/config.m4
+Index: httpd-2.2.17/server/mpm/config.m4
===================================================================
---- httpd-2.2.11.orig/server/mpm/config.m4 2009-04-14 23:26:41.000000000 +0200
-+++ httpd-2.2.11/server/mpm/config.m4 2009-04-14 23:28:03.000000000 +0200
-@@ -66,6 +66,11 @@
+--- httpd-2.2.17.orig/server/mpm/config.m4
++++ httpd-2.2.17/server/mpm/config.m4
+@@ -66,6 +66,11 @@ if ap_mpm_is_experimental; then
else
MPM_SUBDIR_NAME=$MPM_NAME
fi
Modified: trunk/apache2/mpm-itk/patches/10-nice.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/10-nice.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/10-nice.patch (original)
+++ trunk/apache2/mpm-itk/patches/10-nice.patch Mon Mar 21 22:00:56 2011
@@ -1,11 +1,11 @@
Support a per-location nice value. Note that since we now have two different settings
in the per-dir configuration, we need to introduce a merge function.
-Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+Index: httpd-2.2.17/server/mpm/experimental/itk/itk.c
===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c 2009-04-14 23:29:16.000000000 +0200
-+++ httpd-2.2.11/server/mpm/experimental/itk/itk.c 2009-04-14 23:31:05.000000000 +0200
-@@ -156,11 +156,14 @@
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/itk.c
++++ httpd-2.2.17/server/mpm/experimental/itk/itk.c
+@@ -156,11 +156,14 @@ char tpf_server_name[INETD_SERVNAME_LENG
static volatile int die_now = 0;
@@ -20,7 +20,7 @@
} itk_per_dir_conf;
typedef struct
-@@ -511,6 +514,7 @@
+@@ -511,6 +514,7 @@ static void child_main(int child_num_arg
CAP_SETUID,
CAP_SETGID,
CAP_DAC_READ_SEARCH,
@@ -28,7 +28,7 @@
};
#endif
-@@ -1444,6 +1448,12 @@
+@@ -1461,6 +1465,12 @@ static int itk_post_perdir_config(reques
strncpy(ap_scoreboard_image->servers[my_child_num][0].vhost, r->server->server_hostname, 31);
ap_scoreboard_image->servers[my_child_num][0].vhost[31] = 0;
@@ -41,7 +41,7 @@
wanted_uid = dconf->uid;
wanted_gid = dconf->gid;
wanted_username = dconf->username;
-@@ -1454,7 +1464,7 @@
+@@ -1471,7 +1481,7 @@ static int itk_post_perdir_config(reques
wanted_username = unixd_config.user_name;
}
@@ -50,7 +50,7 @@
if (setgid(wanted_gid)) {
_DBG("setgid(%d): %s", wanted_gid, strerror(errno));
err = 1;
-@@ -1474,7 +1484,7 @@
+@@ -1491,7 +1501,7 @@ static int itk_post_perdir_config(reques
*/
if (err) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, \
@@ -59,7 +59,7 @@
ap_lingering_close(r->connection);
exit(0);
}
-@@ -1630,6 +1640,27 @@
+@@ -1647,6 +1657,27 @@ static const char *set_max_clients_vhost
return NULL;
}
@@ -87,7 +87,7 @@
static const command_rec itk_cmds[] = {
UNIX_DAEMON_COMMANDS,
LISTEN_COMMANDS,
-@@ -1647,6 +1678,8 @@
+@@ -1664,6 +1695,8 @@ AP_INIT_TAKE2("AssignUserID", assign_use
"Tie a virtual host to a specific child process."),
AP_INIT_TAKE1("MaxClientsVHost", set_max_clients_vhost, NULL, RSRC_CONF,
"Maximum number of children alive at the same time for this virtual host."),
@@ -96,7 +96,7 @@
AP_GRACEFUL_SHUTDOWN_TIMEOUT_COMMAND,
{ NULL }
};
-@@ -1657,6 +1690,32 @@
+@@ -1674,6 +1707,32 @@ static void *itk_create_dir_config(apr_p
itk_per_dir_conf *c = (itk_per_dir_conf *)
apr_pcalloc(p, sizeof(itk_per_dir_conf));
c->uid = c->gid = -1;
@@ -108,16 +108,16 @@
+static void *itk_merge_dir_config(apr_pool_t *p, void *parent_ptr, void *child_ptr)
+{
+ itk_per_dir_conf *c = (itk_per_dir_conf *)
-+ apr_pcalloc(p, sizeof(itk_per_dir_conf));
++ itk_create_dir_config(p, NULL);
+ itk_per_dir_conf *parent = (itk_per_dir_conf *) parent_ptr;
+ itk_per_dir_conf *child = (itk_per_dir_conf *) child_ptr;
+
+ if (child->username != NULL) {
-+ c->username = apr_pstrdup(p, child->username);
++ c->username = child->username;
+ c->uid = child->uid;
+ c->gid = child->gid;
-+ } else if (parent->username != NULL) {
-+ c->username = apr_pstrdup(p, parent->username);
++ } else {
++ c->username = parent->username;
+ c->uid = parent->uid;
+ c->gid = parent->gid;
+ }
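Review bot: the allocation line in itk_merge_dir_config needs a comment saying why it goes through itk_create_dir_config(p, NULL) rather than apr_pcalloc. With a zeroed struct, a merge where neither parent nor child sets a username leaves uid and gid at 0, which is the root:root default described in the log message as CVE-2011-1176. The constructor's `c->uid = c->gid = -1;` is what lets the caller fall back to the default Apache user. Without a comment, a later cleanup could revert to apr_pcalloc and reintroduce the bug. Two smaller points on the same hunk. The unconditional `else` branch now copies parent->uid and parent->gid even when parent->username is NULL, so it relies on the parent having been built by the same constructor, and that is worth stating. Dropping apr_pstrdup makes c->username alias the parent's or child's string, so please confirm those configs live at least as long as pool p.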
@@ -129,7 +129,7 @@
return c;
}
-@@ -1673,7 +1732,7 @@
+@@ -1690,7 +1749,7 @@ module AP_MODULE_DECLARE_DATA mpm_itk_mo
MPM20_MODULE_STUFF,
ap_mpm_rewrite_args, /* hook to run before apache parses args */
itk_create_dir_config, /* create per-directory config structure */
Added: trunk/apache2/mpm-itk/patches/11-fix-htaccess-reads-for-persistent-connections.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/11-fix-htaccess-reads-for-persistent-connections.patch?rev=1295&op=file
==============================================================================
--- trunk/apache2/mpm-itk/patches/11-fix-htaccess-reads-for-persistent-connections.patch (added)
+++ trunk/apache2/mpm-itk/patches/11-fix-htaccess-reads-for-persistent-connections.patch Mon Mar 21 22:00:56 2011
@@ -1,0 +1,45 @@
+Fix an issue where users can sometimes get spurious 403s on persistent
+connections (the description in the comments explains the logic).
+This would particularly hit people with reverse proxies, since these
+have a higher tendency of accessing things from different vhosts in
+the same connection.
+
+Index: httpd-2.2.17/server/config.c
+===================================================================
+--- httpd-2.2.17.orig/server/config.c
++++ httpd-2.2.17/server/config.c
+@@ -1840,6 +1840,34 @@ AP_CORE_DECLARE(int) ap_parse_htaccess(a
+ else {
+ if (!APR_STATUS_IS_ENOENT(status)
+ && !APR_STATUS_IS_ENOTDIR(status)) {
++#ifdef ITK_MPM
++ /*
++ * If we are in a persistent connection, we might end up in a state
++ * where we can no longer read .htaccess files because we have already
++ * setuid(). This can either be because the previous request was for
++ * another vhost (basically the same problem as when setuid() fails in
++ * itk.c), or it can be because a .htaccess file is readable only by
++ * root.
++ *
++ * In any case, we don't want to give out a 403, since the request has
++ * a very real chance of succeeding on a fresh connection (where
++ * presumably uid=0). Thus, we give up serving the request on this
++ * TCP connection, and do a hard close of the socket. As long as we're
++ * in a persistent connection (and there _should_ not be a way this
++ * would happen on the first request in a connection, save for subrequests,
++ * which we special-case), this is allowed, as it is what happens on
++ * a timeout. The browser will simply open a new connection and try
++ * again (there's of course a performance hit, though, both due to
++ * the new connection setup and the fork() of a new server child).
++ */
++ if (r->main == NULL && getuid() != 0) {
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, status, r,
++ "Couldn't read %s, closing connection.",
++ filename);
++ ap_lingering_close(r->connection);
++ exit(0);
++ }
++#endif
+ ap_log_rerror(APLOG_MARK, APLOG_CRIT, status, r,
+ "%s pcfg_openfile: unable to check htaccess file, "
+ "ensure it is readable",
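Review bot: the `if (r->main == NULL && getuid() != 0)` test in ap_parse_htaccess does not check that the request is on a reused connection, although the comment's reasoning depends on that ("there _should_ not be a way this would happen on the first request"). If that assumption ever fails, the child logs a warning, closes the socket and exits, the client retries, and the same path can repeat, with each attempt costing a fork. Consider also requiring that the connection has already served a request (conn_rec carries a keepalives counter for this) and falling through to the existing APLOG_CRIT path otherwise. The branch is also taken for every status other than ENOENT and ENOTDIR, not only permission errors, so an unrelated read failure after setuid() is downgraded from CRIT to WARNING and never reaches the "ensure it is readable" message. Narrowing it to APR_STATUS_IS_EACCES(status) would keep the original diagnostics for the other cases.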
Propchange: trunk/apache2/mpm-itk/patches/11-fix-htaccess-reads-for-persistent-connections.patch
------------------------------------------------------------------------------
svn:eol-style = native
Modified: trunk/apache2/mpm-itk/patches/series
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/series?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/series (original)
+++ trunk/apache2/mpm-itk/patches/series Mon Mar 21 22:00:56 2011
@@ -8,3 +8,4 @@
08-max-clients-per-vhost.patch
09-capabilities.patch
10-nice.patch
+11-fix-htaccess-reads-for-persistent-connections.patch