Accepting request 308624 from home:pgajdos

- access_compat now built as shared and disabled by default - amend config to use also old syntax when access_compat is loaded - added apache2-README-access_compat.txt - added apache-find-directive script - see [bnc#896083] and its duplicates OBS-URL: https://build.opensuse.org/request/show/308624 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=446
2015-05-26 08:17:52 +00:00 · 2015-05-26 08:17:52 +00:00 · d7b41eca02
commit d7b41eca02
parent 6f49159b79
14 changed files with 357 additions and 20 deletions
--- a/151
+++ b/151
@ -0,0 +1,151 @@
+#!/bin/bash
+
+exit_code=1
+
+function usage
+{
+  echo "Check for directives in apache configuration (including"
+  echo "potentially reachable .htaccess files)"
+  echo ""
+  echo "Usage: $0 [options]"
+  echo ""
+  echo "       options: "
+  echo "              -s string    system configuration root"
+  echo "                           [default: $system_conf_root]"
+  echo "              -d string    directives to search"
+  echo "                           [default: $check_directives]"
+  echo "              -n string    htaccess file name(s)"
+  echo "                           [default: $htaccess_names]"
+  echo "              -q           do not print where directive(s) was found"
+  echo "              -v           as -v plus trace and matched lines"
+  echo "              -h           this help"
+  echo ""
+  echo "Return Value:  0    at least one occurence found in apache config"
+  echo "               1    no occurence found"
+  echo "               2    wrong arguments"
+  echo ""
+  echo "Example: "
+  echo "   $ $0 -s '/etc/apache2/default-server.conf' -n '.htaccess .htconfig' -d 'Require' -v"
+  echo "   Checking /etc/apache2/default-server.conf .. FOUND"
+  echo "   Checking /srv/www/htdocs/foo/.htaccess .. FOUND"
+  echo "   Checking /etc/apache2/conf.d/gitweb.conf .. FOUND"
+  echo "   $"
+}
+
+
+function find_directives_in_file
+{
+  file=$1
+
+  pattern=$(echo $check_directives | 
+    sed 's:\([^ \t]\+\):\\b\1\\b:g' |
+    sed 's:\s\+:\\|:g')
+
+  output=$(cat $file |  sed 's:#.*::' | grep -i "$pattern")
+  if [ $? -eq 0 ]; then 
+    [ $verbosity -ge 1 ] && echo "    Checking $file .. FOUND"
+    [ $verbosity -ge 2 ] && echo "    Output: [$output]"
+    exit_code=0
+  else
+    [ $verbosity -ge 2 ] && echo "    Checking $file .. NOT FOUND"
+  fi
+}
+
+function check_conf_file
+{
+  conf_file=$1
+
+  [ $verbosity -ge 2 ] && echo "CONFIG FILE: $conf_file"
+
+  find_directives_in_file $conf_file
+
+  # check all directories with AllowOverride not None 
+  # for .htaccess files
+  directories=$(grep -i '<directory' $conf_file | 
+    sed 's:#.*::' | 
+    sed 's:.*<directory\s*\([^ \t]*\)\s*>:\1:I' | 
+    tr -d '"')
+
+  find_names=$(echo $htaccess_names | 
+    sed 's:^\s\+::' | 
+    sed 's:\s\+$::' | 
+    sed 's:\s\+: -o -name :g' | 
+    sed 's:^:-name :')
+
+  for dir in $directories; do
+    [ $verbosity -ge 2 ] && echo "  Directory: $dir"
+
+    allow_override=$(grep -i -Pzo "(?s)<directory[\s\"]*$dir.*?</directory>" $conf_file | 
+      sed 's:#.*::'| 
+      grep AllowOverride)
+
+    [ $verbosity -ge 2 ] && echo "    override: $allow_override"
+
+    shopt -s nocasematch
+    if [[ ! $allow_override =~ allowoverride.*none ]]; then
+      for htfile in $(find $dir $find_names); do
+        find_directives_in_file $htfile
+      done
+    fi 
+    shopt -u nocasematch
+  done
+
+  # check all Include or IncludeOptional files recursively
+  include_files=$(grep '^\s*Include' $conf_file | 
+    sed 's:#.*::' | 
+    sed 's:Include[^ ]*\s\+::' | 
+    tr '\n' ' ')
+  [ $verbosity -ge 2 ] && echo "  Include Files: [$include_files]"
+
+  for ifile in $include_files; do
+    if [ -f $ifile ]; then
+      check_conf_file $ifile
+    fi
+  done
+}
+
+system_conf_root="/etc/apache2/httpd.conf"
+check_directives="allow deny order satisfy"
+htaccess_names=".htaccess"
+verbosity=1
+
+while getopts ":hs:d:n:vq" opt; do
+  case $opt in
+    s)
+      system_conf_root=$OPTARG
+      ;;
+    d)
+      check_directives=$OPTARG 
+      ;;
+    n)
+      htaccess_names=$OPTARG
+      ;;
+    q)
+      verbosity=0
+      ;;
+    v)
+      verbosity=2
+      ;;
+    h)
+      usage
+      exit 0
+      ;;
+    \?)
+      echo "ERROR: Invalid option: -$OPTARG" >&2
+      usage
+      exit 2
+      ;;
+    :)
+      echo "ERROR: Option -$OPTARG requires an argument." >&2
+      usage
+      exit 2
+      ;;
+  esac
+done
+
+check_conf_file $system_conf_root
+
+exit $exit_code
+
+
+
--- a/apache2-README-access_compat.txt
+++ b/apache2-README-access_compat.txt
@ -0,0 +1,66 @@
+Dear System Administrator,
+
+with apache 2.4, some changes have been introduced that affect apache's 
+access control scheme.
+
+Previously, the directives "Allow", "Deny" and "Order" have determined
+if access to a resource has been granted with apache 2.2.
+Example (from /etc/apache2/httpd.conf, the main apache configuration file):
+<Directory />
+    Options None
+    AllowOverride None
+    Order deny,allow
+    Deny from all
+</Directory>
+
+With 2.4, these directives have been replaced by the "Require" directive,
+which is contained in the mod_authz_core module, and enhanced by the 
+mod_authz_host module.
+"Require" understands several regulative groups, such as 
+  env		access granted if an apache environment variable is set
+  method	access granted only for given HTTP methods (GET, POST, ...)
+  expr		access granted if the expression following expr evaluates to true
+  user		access granted if the named users can access the resource
+  group		analogous to user for groups
+  valid-user	access granted if a valid user requests it
+  ip		access granted if the client's IP address matches
+  all granted	unconditionally accepted/granted
+  all denied	unconditionally denied access
+
+By consequence, the set of 2.2 directives
+    Order deny,allow
+    Deny from all
+can be translated to the apache 2.4 Require directive
+    Require all denied
+
+
+The SUSE Linux Enterprise 12 package set for apache comes with a compatibility
+module called mod_access_compat, which, if loaded, causes apache to understand
+the 2.2 "Allow/Deny" directives. Unfortunately, the mixed usage of the
+2.2 "Allow/Deny" and the 2.4 "Require" directive will lead to either unexpected
+or inconclusive results. By consequence, one should decide if the 2.2 or the
+2.4 access control mimics shall be used.
+
+Fortunately, it is easy to switch from the new back to the old scheme:
+
+    a2enmod access_compat
+
+will enable the 2.2 scheme, 
+
+    a2enmod -d access_compat
+
+will disable the old scheme again, thereby enabling the new scheme.
+Of course, an apache restart is needed:
+
+    systemctl restart apache2
+
+The SUSE apache configuration framework can work with both the new and the
+old scheme, conditional if the access_compat apache module is loaded.
+
+Additional pointers about the access controls new in apache 2.4 and about
+the access_compat module can be found here:
+
+http://httpd.apache.org/docs/current/mod/mod_authz_core.html
+http://httpd.apache.org/docs/current/mod/mod_authz_host.html
+http://httpd.apache.org/docs/current/mod/mod_access_compat.html
+
--- a/apache2-default-server.conf
+++ b/apache2-default-server.conf
@ -25,7 +25,13 @@ DocumentRoot "/srv/www/htdocs"
 	#   Options FileInfo AuthConfig Limit
 	AllowOverride None
 	# Controls who can get stuff from this server.
-	Require all granted
+	<IfModule !mod_access_compat.c>
+    		Require all granted
+	</IfModule>
+	<IfModule mod_access_compat.c>
+		Order allow,deny
+		Allow from all
+	</IfModule>
 </Directory>

 # Aliases: aliases can be added as needed (with no limit). The format is 
@ -45,7 +51,13 @@ Alias /icons/ "/usr/share/apache2/icons/"
 <Directory "/usr/share/apache2/icons">
 	Options Indexes MultiViews
 	AllowOverride None
-	Require all granted
+	<IfModule !mod_access_compat.c>
+		Require all granted
+	</IfModule>
+	<IfModule mod_access_compat.c>
+		Order allow,deny
+		Allow from all
+	</IfModule>
 </Directory>

 # ScriptAlias: This controls which directories contain server scripts.
@ -63,7 +75,13 @@ ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
 <Directory "/srv/www/cgi-bin">
 	AllowOverride None
 	Options +ExecCGI -Includes
-	Require all granted
+	<IfModule !mod_access_compat.c>
+		Require all granted
+	</IfModule>
+	<IfModule mod_access_compat.c>
+		Order allow,deny
+		Allow from all
+	</IfModule>
 </Directory>

 # UserDir: The name of the directory that is appended onto a user's home
--- a/apache2-default-vhost-ssl.conf
+++ b/apache2-default-vhost-ssl.conf
@ -198,9 +198,18 @@
 	#
 	#<limit GET POST>
 	#  <RequireAny>
-	#    Require valid-user
-	#    Require local
-	#    Require host .example.com
+        #    <IfModule !mod_access_compat.c>
+	#      Require valid-user
+	#      Require local
+	#      Require host .example.com
+	#    </IfModule>
+        #    <IfModule mod_access_compat.c>
+        #      Order Deny,Allow
+        #      Deny from All
+        #      Allow from 127.0.0.1
+        #      Allow from .example.com
+        #      Satisfy any
+        #    </IfModule>
 	#  </RequireAny>
 	#</limit>
    </Directory>
--- a/apache2-default-vhost.conf
+++ b/apache2-default-vhost.conf
@ -52,7 +52,13 @@
    <Directory "/srv/www/cgi-bin">
 	AllowOverride None
 	Options +ExecCGI -Includes
-	Require all granted
+	<IfModule !mod_access_compat.c>
+	    Require all granted
+	</IfModule>
+	<IfModule mod_access_compat.c>
+	    Order allow,deny
+	    Allow from all
+	</IfModule>
    </Directory>


@ -108,8 +114,14 @@
 	#
 	# Controls who can get stuff from this server.
 	#
-	Require all granted
-    
+	<IfModule !mod_access_compat.c>
+	    Require all granted
+	</IfModule>
+	<IfModule mod_access_compat.c>
+	    Order allow,deny
+	    Allow from all
+	</IfModule>
+
    </Directory>

    #
--- a/apache2-errors.conf
+++ b/apache2-errors.conf
@ -40,7 +40,13 @@ Alias /error/ "/usr/share/apache2/error/"
        Options IncludesNoExec
        AddOutputFilter Includes html
        AddHandler type-map var
-        Require all granted
+        <IfModule !mod_access_compat.c>
+            Require all granted
+        </IfModule>
+        <IfModule mod_access_compat.c>
+            Order allow,deny
+            Allow from all
+        </IfModule>
        LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
        ForceLanguagePriority Prefer Fallback
    </Directory>
--- a/apache2-httpd.conf
+++ b/apache2-httpd.conf
@ -150,14 +150,26 @@ Include /etc/apache2/ssl-global.conf
 <Directory />
    Options None
    AllowOverride None
-    Require all denied
+    <IfModule !mod_access_compat.c>
+        Require all denied
+    </IfModule>
+    <IfModule mod_access_compat.c>
+        Order deny,allow
+        Deny from all
+    </IfModule>
 </Directory>

 # use .htaccess files for overriding,
 AccessFileName .htaccess
 # and never show them
 <Files ~ "^\.ht">
-    Require all denied
+    <IfModule !mod_access_compat.c>
+        Require all denied
+    </IfModule>
+    <IfModule mod_access_compat.c>
+        Order allow,deny
+        Deny from all
+    </IfModule>
 </Files>

 # List of resources to look for when the client requests a directory
--- a/apache2-manual.conf
+++ b/apache2-manual.conf
@ -9,7 +9,13 @@ AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|ru))?(/.*)?$ "/usr/share/apache2/man
 <Directory "/usr/share/apache2/manual">
    Options Indexes
    AllowOverride None
-    Require all granted
+    <IfModule !mod_access_compat.c>
+        Require all granted
+    </IfModule>
+    <IfModule mod_access_compat.c>
+        Order allow,deny
+        Allow from all
+    </IfModule>

    <Files *.html>
        SetHandler type-map
--- a/apache2-mod_info.conf
+++ b/apache2-mod_info.conf
@ -7,7 +7,14 @@
 <IfModule mod_info.c>
    <Location /server-info>
 	    SetHandler server-info
-	    Require local
+	    <IfModule !mod_access_compat.c>
+		    Require local
+	    </IfModule>
+	    <IfModule mod_access_compat.c>
+		    Order deny,allow
+		    Deny from all
+		    Allow from localhost
+	    </IfModule>
    </Location>
 </IfModule>

--- a/apache2-mod_status.conf
+++ b/apache2-mod_status.conf
@ -7,7 +7,14 @@
 <IfModule mod_status.c>
    <Location /server-status>
 	SetHandler server-status
-	Require local
+	<IfModule !mod_access_compat.c>
+	    Require local
+	</IfModule>
+	<IfModule mod_access_compat.c>
+	    Order deny,allow
+	    Deny from all
+	    Allow from localhost
+	</IfModule>
    </Location>
 </IfModule>

--- a/apache2-mod_userdir.conf
+++ b/apache2-mod_userdir.conf
@ -31,11 +31,23 @@
 		Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

 		<Limit GET POST OPTIONS PROPFIND>
-			Require all granted
+			<IfModule !mod_access_compat.c>
+				Require all granted
+			</IfModule>
+			<IfModule mod_access_compat.c>
+				Order allow,deny
+				Allow from all
+			</IfModule>
 		</Limit>

 		<LimitExcept GET POST OPTIONS PROPFIND>
-			Require all denied
+			<IfModule !mod_access_compat.c>
+				Require all denied
+			</IfModule>
+			<IfModule mod_access_compat.c>
+				Order deny,allow
+				Deny from all
+			</IfModule>
 		</LimitExcept>

 	</Directory>
--- a/apache2-vhost.template
+++ b/apache2-vhost.template
@ -60,7 +60,13 @@
    <Directory "/srv/www/vhosts/dummy-host.example.com/cgi-bin">
 	AllowOverride None
 	Options +ExecCGI -Includes
-	Require all granted
+        <IfModule !mod_access_compat.c>
+      	    Require all granted
+        </IfModule>
+        <IfModule mod_access_compat.c>
+	    Order allow,deny
+	    Allow from all
+	</IfModule>
    </Directory>


@ -115,7 +121,13 @@
 	#
 	# Controls who can get stuff from this server.
 	#
-	Require all granted
+	<IfModule !mod_access_compat.c>
+	    Require all granted
+	</IfModule>
+	<IfModule mod_access_compat.c>
+	    Order allow,deny
+	    Allow from all
+	</IfModule>
    
    </Directory>

--- a/apache2.changes
+++ b/apache2.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon May 25 10:27:13 UTC 2015 - pgajdos@suse.com
+
+- access_compat now built as shared and disabled by default
+- amend config to use also old syntax when access_compat is
+  loaded
+- added apache2-README-access_compat.txt
+- added apache-find-directive script
+- see [bnc#896083] and its duplicates
+
 -------------------------------------------------------------------
 Mon May 11 13:34:40 UTC 2015 - hguo@suse.com

--- a/apache2.spec
+++ b/apache2.spec
@ -45,7 +45,7 @@
 %define httpdgroup www
 %if 0%{?suse_version} >= 1220
 %define runtimedir /run
-%define mods_static access_compat unixd systemd
+%define mods_static unixd systemd
 %else
 %define runtimedir	%{_localstatedir}/run
 %define mods_static access_compat unixd
@ -70,6 +70,7 @@ Source22:       apache2-README
 Source23:       apache2-README.QUICKSTART
 Source24:       apache2-README.default-vhost
 Source25:       gensslcert
+Source26:       apache2-README-access_compat.txt
 Source27:       %{name}.logrotate
 Source28:       permissions.%{name}
 Source29:       apache-ssl-stuff.tar.bz2
@ -110,6 +111,7 @@ Source141:      apache-20-22-upgrade
 Source142:      start_apache2
 Source143:      apache2-systemd-ask-pass
 Source144:      apache2.service
+Source145:      apache-find-directives
 Patch2:         httpd-2.1.3alpha-layout.dif
 Patch23:        httpd-2.4.10-apachectl.patch
 #Patch65:        httpd-2.0.49-log_server_status.dif
@ -319,6 +321,8 @@ b=$(basename %{SOURCE23})
 cp %{SOURCE23} ./${b##%{name}-}
 c=$(basename %{SOURCE24})
 cp %{SOURCE24} ./${c##%{name}-}
+d=$(basename %{SOURCE26})
+cp %{SOURCE26} ./${d##%{name}-}

 #
 # replace PLATFORM string that's seen in the "Server:" header
@ -516,6 +520,7 @@ install -m 755 support/logresolve.pl 		%{buildroot}/%{_sbindir}/logresolve.pl%{v
 mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
 install -m 644 $RPM_SOURCE_DIR/%{name}.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
 install -m 755 $RPM_SOURCE_DIR/apache2-check_forensic %{buildroot}/%{_bindir}/check_forensic%{vers}
+install -m 755 $RPM_SOURCE_DIR/apache-find-directives %{buildroot}/%{_bindir}
 #
 # xml stuff
 install -d %{buildroot}%{_datadir}/omc/svcinfo.d/
@ -811,6 +816,7 @@ mv %{buildroot}/%{sysconfdir}/original .
 %{_sbindir}/%{httpd}-prefork
 %dir %{_libdir}/%{name}-prefork
 # hardcoded list so we do not lose mods by accident
+%{_libdir}/%{name}-prefork/mod_access_compat.so
 %{_libdir}/%{name}-prefork/mod_actions.so
 %{_libdir}/%{name}-prefork/mod_alias.so
 %{_libdir}/%{name}-prefork/mod_allowmethods.so
@ -929,6 +935,7 @@ mv %{buildroot}/%{sysconfdir}/original .
 %{_sbindir}/%{httpd}-worker
 %dir %{_libdir}/%{name}-worker
 # hardcoded list so we do not lose mods by accident
+%{_libdir}/%{name}-worker/mod_access_compat.so
 %{_libdir}/%{name}-worker/mod_actions.so
 %{_libdir}/%{name}-worker/mod_alias.so
 %{_libdir}/%{name}-worker/mod_allowmethods.so
@ -1047,6 +1054,7 @@ mv %{buildroot}/%{sysconfdir}/original .
 %{_sbindir}/%{httpd}-event
 %dir %{_libdir}/%{name}-event
 # hardcoded list so we do not lose mods by accident
+%{_libdir}/%{name}-event/mod_access_compat.so
 %{_libdir}/%{name}-event/mod_actions.so
 %{_libdir}/%{name}-event/mod_alias.so
 %{_libdir}/%{name}-event/mod_allowmethods.so
@ -1195,6 +1203,7 @@ mv %{buildroot}/%{sysconfdir}/original .
 %{_mandir}/man8/fcgistarter2.8.*
 %{_bindir}/check_forensic%{vers}
 %{_bindir}/dbmmanage%{vers}
+%{_bindir}/apache-find-directives
 %{_bindir}/gensslcert
 %{_bindir}/htdbm%{vers}
 %{_bindir}/htdigest%{vers}