rpm/apache2
SHA256
1
0
Fork 0
forked from pool/apache2
Code Pull Requests Activity

Accepting request 308624 from home:pgajdos

Browse Source 
- access_compat now built as shared and disabled by default
- amend config to use also old syntax when access_compat is
  loaded
- added apache2-README-access_compat.txt
- added apache-find-directive script
- see [bnc#896083] and its duplicates

OBS-URL: https://build.opensuse.org/request/show/308624
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=446
This commit is contained in:
Kristyna Streitova 2015-05-26 08:17:52 +00:00 committed by Git OBS Bridge
parent 6f49159b79
commit d7b41eca02
14 changed files with 357 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

151
apache-find-directives Normal file
View File

@ -0,0 +1,151 @@
#!/bin/bash
exit_code=1
function usage
{
echo "Check for directives in apache configuration (including"
echo "potentially reachable .htaccess files)"
echo ""
echo "Usage: $0 [options]"
echo ""
echo " options: "
echo " -s string system configuration root"
echo " [default: $system_conf_root]"
echo " -d string directives to search"
echo " [default: $check_directives]"
echo " -n string htaccess file name(s)"
echo " [default: $htaccess_names]"
echo " -q do not print where directive(s) was found"
echo " -v as -v plus trace and matched lines"
echo " -h this help"
echo ""
echo "Return Value: 0 at least one occurence found in apache config"
echo " 1 no occurence found"
echo " 2 wrong arguments"
echo ""
echo "Example: "
echo " $ $0 -s '/etc/apache2/default-server.conf' -n '.htaccess .htconfig' -d 'Require' -v"
echo " Checking /etc/apache2/default-server.conf .. FOUND"
echo " Checking /srv/www/htdocs/foo/.htaccess .. FOUND"
echo " Checking /etc/apache2/conf.d/gitweb.conf .. FOUND"
echo " $"
}
function find_directives_in_file
{
file=$1
pattern=$(echo $check_directives |
sed 's:\([^ \t]\+\):\\b\1\\b:g' |
sed 's:\s\+:\\|:g')
output=$(cat $file | sed 's:#.*::' | grep -i "$pattern")
if [ $? -eq 0 ]; then
[ $verbosity -ge 1 ] && echo " Checking $file .. FOUND"
[ $verbosity -ge 2 ] && echo " Output: [$output]"
exit_code=0
else
[ $verbosity -ge 2 ] && echo " Checking $file .. NOT FOUND"
fi
}
function check_conf_file
{
conf_file=$1
[ $verbosity -ge 2 ] && echo "CONFIG FILE: $conf_file"
find_directives_in_file $conf_file
# check all directories with AllowOverride not None
# for .htaccess files
directories=$(grep -i '<directory' $conf_file |
sed 's:#.*::' |
sed 's:.*<directory\s*\([^ \t]*\)\s*>:\1:I' |
tr -d '"')
find_names=$(echo $htaccess_names |
sed 's:^\s\+::' |
sed 's:\s\+$::' |
sed 's:\s\+: -o -name :g' |
sed 's:^:-name :')
for dir in $directories; do
[ $verbosity -ge 2 ] && echo " Directory: $dir"
allow_override=$(grep -i -Pzo "(?s)<directory[\s\"]*$dir.*?</directory>" $conf_file |
sed 's:#.*::'|
grep AllowOverride)
[ $verbosity -ge 2 ] && echo " override: $allow_override"
shopt -s nocasematch
if [[ ! $allow_override =~ allowoverride.*none ]]; then
for htfile in $(find $dir $find_names); do
find_directives_in_file $htfile
done
fi
shopt -u nocasematch
done
# check all Include or IncludeOptional files recursively
include_files=$(grep '^\s*Include' $conf_file |
sed 's:#.*::' |
sed 's:Include[^ ]*\s\+::' |
tr '\n' ' ')
[ $verbosity -ge 2 ] && echo " Include Files: [$include_files]"
for ifile in $include_files; do
if [ -f $ifile ]; then
check_conf_file $ifile
fi
done
}
system_conf_root="/etc/apache2/httpd.conf"
check_directives="allow deny order satisfy"
htaccess_names=".htaccess"
verbosity=1
while getopts ":hs:d:n:vq" opt; do
case $opt in
s)
system_conf_root=$OPTARG
;;
d)
check_directives=$OPTARG
;;
n)
htaccess_names=$OPTARG
;;
q)
verbosity=0
;;
v)
verbosity=2
;;
h)
usage
exit 0
;;
\?)
echo "ERROR: Invalid option: -$OPTARG" >&2
usage
exit 2
;;
:)
echo "ERROR: Option -$OPTARG requires an argument." >&2
usage
exit 2
;;
esac
done
check_conf_file $system_conf_root
exit $exit_code

66
apache2-README-access_compat.txt Normal file
View File

@ -0,0 +1,66 @@
Dear System Administrator,
with apache 2.4, some changes have been introduced that affect apache's
access control scheme.
Previously, the directives "Allow", "Deny" and "Order" have determined
if access to a resource has been granted with apache 2.2.
Example (from /etc/apache2/httpd.conf, the main apache configuration file):
<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>
With 2.4, these directives have been replaced by the "Require" directive,
which is contained in the mod_authz_core module, and enhanced by the
mod_authz_host module.
"Require" understands several regulative groups, such as
env access granted if an apache environment variable is set
method access granted only for given HTTP methods (GET, POST, ...)
expr access granted if the expression following expr evaluates to true
user access granted if the named users can access the resource
group analogous to user for groups
valid-user access granted if a valid user requests it
ip access granted if the client's IP address matches
all granted unconditionally accepted/granted
all denied unconditionally denied access
By consequence, the set of 2.2 directives
Order deny,allow
Deny from all
can be translated to the apache 2.4 Require directive
Require all denied
The SUSE Linux Enterprise 12 package set for apache comes with a compatibility
module called mod_access_compat, which, if loaded, causes apache to understand
the 2.2 "Allow/Deny" directives. Unfortunately, the mixed usage of the
2.2 "Allow/Deny" and the 2.4 "Require" directive will lead to either unexpected
or inconclusive results. By consequence, one should decide if the 2.2 or the
2.4 access control mimics shall be used.
Fortunately, it is easy to switch from the new back to the old scheme:
a2enmod access_compat
will enable the 2.2 scheme,
a2enmod -d access_compat
will disable the old scheme again, thereby enabling the new scheme.
Of course, an apache restart is needed:
systemctl restart apache2
The SUSE apache configuration framework can work with both the new and the
old scheme, conditional if the access_compat apache module is loaded.
Additional pointers about the access controls new in apache 2.4 and about
the access_compat module can be found here:
http://httpd.apache.org/docs/current/mod/mod_authz_core.html
http://httpd.apache.org/docs/current/mod/mod_authz_host.html
http://httpd.apache.org/docs/current/mod/mod_access_compat.html

18
apache2-default-server.conf
View File

@ -25,7 +25,13 @@ DocumentRoot "/srv/www/htdocs"
# Options FileInfo AuthConfig Limit # Options FileInfo AuthConfig Limit
AllowOverride None AllowOverride None
# Controls who can get stuff from this server. # Controls who can get stuff from this server.
<IfModule !mod_access_compat.c>
Require all granted Require all granted
</IfModule>
<IfModule mod_access_compat.c>
Order allow,deny
Allow from all
</IfModule>
</Directory> </Directory>
# Aliases: aliases can be added as needed (with no limit). The format is # Aliases: aliases can be added as needed (with no limit). The format is
@ -45,7 +51,13 @@ Alias /icons/ "/usr/share/apache2/icons/"
<Directory "/usr/share/apache2/icons"> <Directory "/usr/share/apache2/icons">
Options Indexes MultiViews Options Indexes MultiViews
AllowOverride None AllowOverride None
<IfModule !mod_access_compat.c>
Require all granted Require all granted
</IfModule>
<IfModule mod_access_compat.c>
Order allow,deny
Allow from all
</IfModule>
</Directory> </Directory>
# ScriptAlias: This controls which directories contain server scripts. # ScriptAlias: This controls which directories contain server scripts.
@ -63,7 +75,13 @@ ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
<Directory "/srv/www/cgi-bin"> <Directory "/srv/www/cgi-bin">
AllowOverride None AllowOverride None
Options +ExecCGI -Includes Options +ExecCGI -Includes
<IfModule !mod_access_compat.c>
Require all granted Require all granted
</IfModule>
<IfModule mod_access_compat.c>
Order allow,deny
Allow from all
</IfModule>
</Directory> </Directory>
# UserDir: The name of the directory that is appended onto a user's home # UserDir: The name of the directory that is appended onto a user's home

9
apache2-default-vhost-ssl.conf
View File

@ -198,9 +198,18 @@
# #
#<limit GET POST> #<limit GET POST>
# <RequireAny> # <RequireAny>
# <IfModule !mod_access_compat.c>
# Require valid-user # Require valid-user
# Require local # Require local
# Require host .example.com # Require host .example.com
# </IfModule>
# <IfModule mod_access_compat.c>
# Order Deny,Allow
# Deny from All
# Allow from 127.0.0.1
# Allow from .example.com
# Satisfy any
# </IfModule>
# </RequireAny> # </RequireAny>
#</limit> #</limit>
</Directory> </Directory>

12
apache2-default-vhost.conf
View File

@ -52,7 +52,13 @@
<Directory "/srv/www/cgi-bin"> <Directory "/srv/www/cgi-bin">
AllowOverride None AllowOverride None
Options +ExecCGI -Includes Options +ExecCGI -Includes
<IfModule !mod_access_compat.c>
Require all granted Require all granted
</IfModule>
<IfModule mod_access_compat.c>
Order allow,deny
Allow from all
</IfModule>
</Directory> </Directory>
@ -108,7 +114,13 @@
# #
# Controls who can get stuff from this server. # Controls who can get stuff from this server.
# #
<IfModule !mod_access_compat.c>
Require all granted Require all granted
</IfModule>
<IfModule mod_access_compat.c>
Order allow,deny
Allow from all
</IfModule>
</Directory> </Directory>

6
apache2-errors.conf
View File

@ -40,7 +40,13 @@ Alias /error/ "/usr/share/apache2/error/"
Options IncludesNoExec Options IncludesNoExec
AddOutputFilter Includes html AddOutputFilter Includes html
AddHandler type-map var AddHandler type-map var
<IfModule !mod_access_compat.c>
Require all granted Require all granted
</IfModule>
<IfModule mod_access_compat.c>
Order allow,deny
Allow from all
</IfModule>
LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
ForceLanguagePriority Prefer Fallback ForceLanguagePriority Prefer Fallback
</Directory> </Directory>

12
apache2-httpd.conf
View File

@ -150,14 +150,26 @@ Include /etc/apache2/ssl-global.conf
<Directory /> <Directory />
Options None Options None
AllowOverride None AllowOverride None
<IfModule !mod_access_compat.c>
Require all denied Require all denied
</IfModule>
<IfModule mod_access_compat.c>
Order deny,allow
Deny from all
</IfModule>
</Directory> </Directory>
# use .htaccess files for overriding, # use .htaccess files for overriding,
AccessFileName .htaccess AccessFileName .htaccess
# and never show them # and never show them
<Files ~ "^\.ht"> <Files ~ "^\.ht">
<IfModule !mod_access_compat.c>
Require all denied Require all denied
</IfModule>
<IfModule mod_access_compat.c>
Order allow,deny
Deny from all
</IfModule>
</Files> </Files>
# List of resources to look for when the client requests a directory # List of resources to look for when the client requests a directory

6
apache2-manual.conf
View File

@ -9,7 +9,13 @@ AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|ru))?(/.*)?$ "/usr/share/apache2/man
<Directory "/usr/share/apache2/manual"> <Directory "/usr/share/apache2/manual">
Options Indexes Options Indexes
AllowOverride None AllowOverride None
<IfModule !mod_access_compat.c>
Require all granted Require all granted
</IfModule>
<IfModule mod_access_compat.c>
Order allow,deny
Allow from all
</IfModule>
<Files *.html> <Files *.html>
SetHandler type-map SetHandler type-map

7
apache2-mod_info.conf
View File

@ -7,7 +7,14 @@
<IfModule mod_info.c> <IfModule mod_info.c>
<Location /server-info> <Location /server-info>
SetHandler server-info SetHandler server-info
<IfModule !mod_access_compat.c>
Require local Require local
</IfModule>
<IfModule mod_access_compat.c>
Order deny,allow
Deny from all
Allow from localhost
</IfModule>
</Location> </Location>
</IfModule> </IfModule>

7
apache2-mod_status.conf
View File

@ -7,7 +7,14 @@
<IfModule mod_status.c> <IfModule mod_status.c>
<Location /server-status> <Location /server-status>
SetHandler server-status SetHandler server-status
<IfModule !mod_access_compat.c>
Require local Require local
</IfModule>
<IfModule mod_access_compat.c>
Order deny,allow
Deny from all
Allow from localhost
</IfModule>
</Location> </Location>
</IfModule> </IfModule>

12
apache2-mod_userdir.conf
View File

@ -31,11 +31,23 @@
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS PROPFIND> <Limit GET POST OPTIONS PROPFIND>
<IfModule !mod_access_compat.c>
Require all granted Require all granted
</IfModule>
<IfModule mod_access_compat.c>
Order allow,deny
Allow from all
</IfModule>
</Limit> </Limit>
<LimitExcept GET POST OPTIONS PROPFIND> <LimitExcept GET POST OPTIONS PROPFIND>
<IfModule !mod_access_compat.c>
Require all denied Require all denied
</IfModule>
<IfModule mod_access_compat.c>
Order deny,allow
Deny from all
</IfModule>
</LimitExcept> </LimitExcept>
</Directory> </Directory>

12
apache2-vhost.template
View File

@ -60,7 +60,13 @@
<Directory "/srv/www/vhosts/dummy-host.example.com/cgi-bin"> <Directory "/srv/www/vhosts/dummy-host.example.com/cgi-bin">
AllowOverride None AllowOverride None
Options +ExecCGI -Includes Options +ExecCGI -Includes
<IfModule !mod_access_compat.c>
Require all granted Require all granted
</IfModule>
<IfModule mod_access_compat.c>
Order allow,deny
Allow from all
</IfModule>
</Directory> </Directory>
@ -115,7 +121,13 @@
# #
# Controls who can get stuff from this server. # Controls who can get stuff from this server.
# #
<IfModule !mod_access_compat.c>
Require all granted Require all granted
</IfModule>
<IfModule mod_access_compat.c>
Order allow,deny
Allow from all
</IfModule>
</Directory> </Directory>

10
apache2.changes
View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Mon May 25 10:27:13 UTC 2015 - pgajdos@suse.com
- access_compat now built as shared and disabled by default
- amend config to use also old syntax when access_compat is
loaded
- added apache2-README-access_compat.txt
- added apache-find-directive script
- see [bnc#896083] and its duplicates
------------------------------------------------------------------- -------------------------------------------------------------------
Mon May 11 13:34:40 UTC 2015 - hguo@suse.com Mon May 11 13:34:40 UTC 2015 - hguo@suse.com

11
apache2.spec
View File

@ -45,7 +45,7 @@
%define httpdgroup www %define httpdgroup www
%if 0%{?suse_version} >= 1220 %if 0%{?suse_version} >= 1220
%define runtimedir /run %define runtimedir /run
%define mods_static access_compat unixd systemd %define mods_static unixd systemd
%else %else
%define runtimedir %{_localstatedir}/run %define runtimedir %{_localstatedir}/run
%define mods_static access_compat unixd %define mods_static access_compat unixd
@ -70,6 +70,7 @@ Source22: apache2-README
Source23: apache2-README.QUICKSTART Source23: apache2-README.QUICKSTART
Source24: apache2-README.default-vhost Source24: apache2-README.default-vhost
Source25: gensslcert Source25: gensslcert
Source26: apache2-README-access_compat.txt
Source27: %{name}.logrotate Source27: %{name}.logrotate
Source28: permissions.%{name} Source28: permissions.%{name}
Source29: apache-ssl-stuff.tar.bz2 Source29: apache-ssl-stuff.tar.bz2
@ -110,6 +111,7 @@ Source141: apache-20-22-upgrade
Source142: start_apache2 Source142: start_apache2
Source143: apache2-systemd-ask-pass Source143: apache2-systemd-ask-pass
Source144: apache2.service Source144: apache2.service
Source145: apache-find-directives
Patch2: httpd-2.1.3alpha-layout.dif Patch2: httpd-2.1.3alpha-layout.dif
Patch23: httpd-2.4.10-apachectl.patch Patch23: httpd-2.4.10-apachectl.patch
#Patch65: httpd-2.0.49-log_server_status.dif #Patch65: httpd-2.0.49-log_server_status.dif
@ -319,6 +321,8 @@ b=$(basename %{SOURCE23})
cp %{SOURCE23} ./${b##%{name}-} cp %{SOURCE23} ./${b##%{name}-}
c=$(basename %{SOURCE24}) c=$(basename %{SOURCE24})
cp %{SOURCE24} ./${c##%{name}-} cp %{SOURCE24} ./${c##%{name}-}
d=$(basename %{SOURCE26})
cp %{SOURCE26} ./${d##%{name}-}
# #
# replace PLATFORM string that's seen in the "Server:" header # replace PLATFORM string that's seen in the "Server:" header
@ -516,6 +520,7 @@ install -m 755 support/logresolve.pl %{buildroot}/%{_sbindir}/logresolve.pl%{v
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 $RPM_SOURCE_DIR/%{name}.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/%{name} install -m 644 $RPM_SOURCE_DIR/%{name}.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
install -m 755 $RPM_SOURCE_DIR/apache2-check_forensic %{buildroot}/%{_bindir}/check_forensic%{vers} install -m 755 $RPM_SOURCE_DIR/apache2-check_forensic %{buildroot}/%{_bindir}/check_forensic%{vers}
install -m 755 $RPM_SOURCE_DIR/apache-find-directives %{buildroot}/%{_bindir}
# #
# xml stuff # xml stuff
install -d %{buildroot}%{_datadir}/omc/svcinfo.d/ install -d %{buildroot}%{_datadir}/omc/svcinfo.d/
@ -811,6 +816,7 @@ mv %{buildroot}/%{sysconfdir}/original .
%{_sbindir}/%{httpd}-prefork %{_sbindir}/%{httpd}-prefork
%dir %{_libdir}/%{name}-prefork %dir %{_libdir}/%{name}-prefork
# hardcoded list so we do not lose mods by accident # hardcoded list so we do not lose mods by accident
%{_libdir}/%{name}-prefork/mod_access_compat.so
%{_libdir}/%{name}-prefork/mod_actions.so %{_libdir}/%{name}-prefork/mod_actions.so
%{_libdir}/%{name}-prefork/mod_alias.so %{_libdir}/%{name}-prefork/mod_alias.so
%{_libdir}/%{name}-prefork/mod_allowmethods.so %{_libdir}/%{name}-prefork/mod_allowmethods.so
@ -929,6 +935,7 @@ mv %{buildroot}/%{sysconfdir}/original .
%{_sbindir}/%{httpd}-worker %{_sbindir}/%{httpd}-worker
%dir %{_libdir}/%{name}-worker %dir %{_libdir}/%{name}-worker
# hardcoded list so we do not lose mods by accident # hardcoded list so we do not lose mods by accident
%{_libdir}/%{name}-worker/mod_access_compat.so
%{_libdir}/%{name}-worker/mod_actions.so %{_libdir}/%{name}-worker/mod_actions.so
%{_libdir}/%{name}-worker/mod_alias.so %{_libdir}/%{name}-worker/mod_alias.so
%{_libdir}/%{name}-worker/mod_allowmethods.so %{_libdir}/%{name}-worker/mod_allowmethods.so
@ -1047,6 +1054,7 @@ mv %{buildroot}/%{sysconfdir}/original .
%{_sbindir}/%{httpd}-event %{_sbindir}/%{httpd}-event
%dir %{_libdir}/%{name}-event %dir %{_libdir}/%{name}-event
# hardcoded list so we do not lose mods by accident # hardcoded list so we do not lose mods by accident
%{_libdir}/%{name}-event/mod_access_compat.so
%{_libdir}/%{name}-event/mod_actions.so %{_libdir}/%{name}-event/mod_actions.so
%{_libdir}/%{name}-event/mod_alias.so %{_libdir}/%{name}-event/mod_alias.so
%{_libdir}/%{name}-event/mod_allowmethods.so %{_libdir}/%{name}-event/mod_allowmethods.so
@ -1195,6 +1203,7 @@ mv %{buildroot}/%{sysconfdir}/original .
%{_mandir}/man8/fcgistarter2.8.* %{_mandir}/man8/fcgistarter2.8.*
%{_bindir}/check_forensic%{vers} %{_bindir}/check_forensic%{vers}
%{_bindir}/dbmmanage%{vers} %{_bindir}/dbmmanage%{vers}
%{_bindir}/apache-find-directives
%{_bindir}/gensslcert %{_bindir}/gensslcert
%{_bindir}/htdbm%{vers} %{_bindir}/htdbm%{vers}
%{_bindir}/htdigest%{vers} %{_bindir}/htdigest%{vers}