From d7b41eca0273ce372da31afaad3fa4695af014fd3b038123a58a3b4b3cd31193 Mon Sep 17 00:00:00 2001
From: Kristyna Streitova
Date: Tue, 26 May 2015 08:17:52 +0000
Subject: [PATCH] Accepting request 308624 from home:pgajdos
- access_compat now built as shared and disabled by default
- amend config to use also old syntax when access_compat is loaded
- added apache2-README-access_compat.txt
- added apache-find-directive script
- see [bnc#896083] and its duplicates
OBS-URL: https://build.opensuse.org/request/show/308624
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=446
---
 apache-find-directives | 151 +++++++++++++++++++++++++++++++
 apache2-README-access_compat.txt | 66 ++++++++++++++
 apache2-default-server.conf | 24 ++++-
 apache2-default-vhost-ssl.conf | 15 ++-
 apache2-default-vhost.conf | 18 +++-
 apache2-errors.conf | 8 +-
 apache2-httpd.conf | 16 +++-
 apache2-manual.conf | 8 +-
 apache2-mod_info.conf | 9 +-
 apache2-mod_status.conf | 9 +-
 apache2-mod_userdir.conf | 16 +++-
 apache2-vhost.template | 16 +++-
 apache2.changes | 10 ++
 apache2.spec | 11 ++-
 14 files changed, 357 insertions(+), 20 deletions(-)
 create mode 100644 apache-find-directives
 create mode 100644 apache2-README-access_compat.txt
diff --git a/apache-find-directives b/apache-find-directives
new file mode 100644
index 0000000..326bdf6
--- /dev/null
+++ b/apache-find-directives
@@ -0,0 +1,151 @@
+#!/bin/bash
+
+exit_code=1
+
+function usage
+{
+ echo "Check for directives in apache configuration (including"
+ echo "potentially reachable .htaccess files)"
+ echo ""
+ echo "Usage: $0 [options]"
+ echo ""
+ echo " options: "
+ echo " -s string system configuration root"
+ echo " [default: $system_conf_root]"
+ echo " -d string directives to search"
+ echo " [default: $check_directives]"
+ echo " -n string htaccess file name(s)"
+ echo " [default: $htaccess_names]"
+ echo " -q do not print where directive(s) was found"
+ echo " -v as -v plus trace and matched lines"
+ echo " -h this help"
+ echo ""
+ echo "Return Value: 0 at least one occurence found in apache config"
+ echo " 1 no occurence found"
+ echo " 2 wrong arguments"
+ echo ""
+ echo "Example: "
+ echo " $ $0 -s '/etc/apache2/default-server.conf' -n '.htaccess .htconfig' -d 'Require' -v"
+ echo " Checking /etc/apache2/default-server.conf .. FOUND"
+ echo " Checking /srv/www/htdocs/foo/.htaccess .. FOUND"
+ echo " Checking /etc/apache2/conf.d/gitweb.conf .. FOUND"
+ echo " $"
+}
+
+
+function find_directives_in_file
+{
+ file=$1
+
+ pattern=$(echo $check_directives |
+ sed 's:\([^ \t]\+\):\\b\1\\b:g' |
+ sed 's:\s\+:\\|:g')
+
+ output=$(cat $file | sed 's:#.*::' | grep -i "$pattern")
+ if [ $? -eq 0 ]; then
+ [ $verbosity -ge 1 ] && echo " Checking $file .. FOUND"
+ [ $verbosity -ge 2 ] && echo " Output: [$output]"
+ exit_code=0
+ else
+ [ $verbosity -ge 2 ] && echo " Checking $file .. NOT FOUND"
+ fi
+}
+
+function check_conf_file
+{
+ conf_file=$1
+
+ [ $verbosity -ge 2 ] && echo "CONFIG FILE: $conf_file"
+
+ find_directives_in_file $conf_file
+
+ # check all directories with AllowOverride not None
+ # for .htaccess files
+ directories=$(grep -i ':\1:I' |
+ tr -d '"')
+
+ find_names=$(echo $htaccess_names |
+ sed 's:^\s\+::' |
+ sed 's:\s\+$::' |
+ sed 's:\s\+: -o -name :g' |
+ sed 's:^:-name :')
+
+ for dir in $directories; do
+ [ $verbosity -ge 2 ] && echo " Directory: $dir"
+
+ allow_override=$(grep -i -Pzo "(?s)" $conf_file |
+ sed 's:#.*::'|
+ grep AllowOverride)
+
+ [ $verbosity -ge 2 ] && echo " override: $allow_override"
+
+ shopt -s nocasematch
+ if [[ ! $allow_override =~ allowoverride.*none ]]; then
+ for htfile in $(find $dir $find_names); do
+ find_directives_in_file $htfile
+ done
+ fi
+ shopt -u nocasematch
+ done
+
+ # check all Include or IncludeOptional files recursively
+ include_files=$(grep '^\s*Include' $conf_file |
+ sed 's:#.*::' |
+ sed 's:Include[^ ]*\s\+::' |
+ tr '\n' ' ')
+ [ $verbosity -ge 2 ] && echo " Include Files: [$include_files]"
+
+ for ifile in $include_files; do
+ if [ -f $ifile ]; then
+ check_conf_file $ifile
+ fi
+ done
+}
+
+system_conf_root="/etc/apache2/httpd.conf"
+check_directives="allow deny order satisfy"
+htaccess_names=".htaccess"
+verbosity=1
+
+while getopts ":hs:d:n:vq" opt; do
+ case $opt in
+ s)
+ system_conf_root=$OPTARG
+ ;;
+ d)
+ check_directives=$OPTARG
+ ;;
+ n)
+ htaccess_names=$OPTARG
+ ;;
+ q)
+ verbosity=0
+ ;;
+ v)
+ verbosity=2
+ ;;
+ h)
+ usage
+ exit 0
+ ;;
+ \?)
+ echo "ERROR: Invalid option: -$OPTARG" >&2
+ usage
+ exit 2
+ ;;
+ :)
+ echo "ERROR: Option -$OPTARG requires an argument." >&2
+ usage
+ exit 2
+ ;;
+ esac
+done
+
+check_conf_file $system_conf_root
+
+exit $exit_code
+
+
+
diff --git a/apache2-README-access_compat.txt b/apache2-README-access_compat.txt
new file mode 100644
index 0000000..7cf8a9c
--- /dev/null
+++ b/apache2-README-access_compat.txt
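Review bot: Every path in the new script is expanded unquoted — `cat $file`, `find_directives_in_file $conf_file`, `for htfile in $(find $dir $find_names)`, `[ -f $ifile ]` — so a DocumentRoot, Include target or .htaccess path containing whitespace is split into several words and either skipped or checked under the wrong name, which matters for a tool whose purpose is to find access directives the administrator may have overlooked. Quote the simple cases (`"$file"`, `"$conf_file"`, `"$ifile"`) and drive the .htaccess loop from `find "$dir" $find_names -print0` read with `while IFS= read -r -d '' htfile; do … done` instead of the word-split command substitution. The `-d` value is also spliced into `grep -i "$pattern"` as a regular expression, so a directive name containing regex metacharacters or a leading `-` is interpreted rather than matched literally; `grep -i -e "$pattern"` at least protects against the latter. The `directories=$(grep -i ':\1:I' |` and `grep -i -Pzo "(?s)" $conf_file` lines appear truncated in this rendering (the Directory patterns are missing, and the hunk header counts 151 lines against 149 visible), so the directory-scanning logic cannot be fully reviewed as shown.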
@@ -0,0 +1,66 @@ +Dear System Administrator, + +with apache 2.4, some changes have been introduced that affect apache's +access control scheme. + +Previously, the directives "Allow", "Deny" and "Order" have determined +if access to a resource has been granted with apache 2.2. +Example (from /etc/apache2/httpd.conf, the main apache configuration file): + + Options None + AllowOverride None + Order deny,allow + Deny from all + + +With 2.4, these directives have been replaced by the "Require" directive, +which is contained in the mod_authz_core module, and enhanced by the +mod_authz_host module. +"Require" understands several regulative groups, such as + env access granted if an apache environment variable is set + method access granted only for given HTTP methods (GET, POST, ...) + expr access granted if the expression following expr evaluates to true + user access granted if the named users can access the resource + group analogous to user for groups + valid-user access granted if a valid user requests it + ip access granted if the client's IP address matches + all granted unconditionally accepted/granted + all denied unconditionally denied access + +By consequence, the set of 2.2 directives + Order deny,allow + Deny from all +can be translated to the apache 2.4 Require directive + Require all denied + + +The SUSE Linux Enterprise 12 package set for apache comes with a compatibility +module called mod_access_compat, which, if loaded, causes apache to understand +the 2.2 "Allow/Deny" directives. Unfortunately, the mixed usage of the +2.2 "Allow/Deny" and the 2.4 "Require" directive will lead to either unexpected +or inconclusive results. By consequence, one should decide if the 2.2 or the +2.4 access control mimics shall be used. + +Fortunately, it is easy to switch from the new back to the old scheme: + + a2enmod access_compat + +will enable the 2.2 scheme, + + a2enmod -d access_compat + +will disable the old scheme again, thereby enabling the new scheme. 
+Of course, an apache restart is needed: + + systemctl restart apache2 + +The SUSE apache configuration framework can work with both the new and the +old scheme, conditional if the access_compat apache module is loaded. + +Additional pointers about the access controls new in apache 2.4 and about +the access_compat module can be found here: + +http://httpd.apache.org/docs/current/mod/mod_authz_core.html +http://httpd.apache.org/docs/current/mod/mod_authz_host.html +http://httpd.apache.org/docs/current/mod/mod_access_compat.html + diff --git a/apache2-default-server.conf b/apache2-default-server.conf index 819283b..4534bd7 100644 --- a/apache2-default-server.conf +++ b/apache2-default-server.conf @@ -25,7 +25,13 @@ DocumentRoot "/srv/www/htdocs" # Options FileInfo AuthConfig Limit AllowOverride None # Controls who can get stuff from this server. - Require all granted + + Require all granted + + + Order allow,deny + Allow from all + # Aliases: aliases can be added as needed (with no limit). The format is @@ -45,7 +51,13 @@ Alias /icons/ "/usr/share/apache2/icons/" Options Indexes MultiViews AllowOverride None - Require all granted + + Require all granted + + + Order allow,deny + Allow from all + # ScriptAlias: This controls which directories contain server scripts. @@ -63,7 +75,13 @@ ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/" AllowOverride None Options +ExecCGI -Includes - Require all granted + + Require all granted + + + Order allow,deny + Allow from all + # UserDir: The name of the directory that is appended onto a user's home diff --git a/apache2-default-vhost-ssl.conf b/apache2-default-vhost-ssl.conf index f5471d4..81c47e0 100644 --- a/apache2-default-vhost-ssl.conf +++ b/apache2-default-vhost-ssl.conf 
@@ -198,9 +198,18 @@ # # # - # Require valid-user - # Require local - # Require host .example.com + # + # Require valid-user + # Require local + # Require host .example.com + # + # + # Order Deny,Allow + # Deny from All + # Allow from 127.0.0.1 + # Allow from .example.com + # Satisfy any + # # # diff --git a/apache2-default-vhost.conf b/apache2-default-vhost.conf index 5bd2011..e42c98e 100644 --- a/apache2-default-vhost.conf +++ b/apache2-default-vhost.conf @@ -52,7 +52,13 @@ AllowOverride None Options +ExecCGI -Includes - Require all granted + + Require all granted + + + Order allow,deny + Allow from all + @@ -108,8 +114,14 @@ # # Controls who can get stuff from this server. # - Require all granted - + + Require all granted + + + Order allow,deny + Allow from all + + # diff --git a/apache2-errors.conf b/apache2-errors.conf index 5967e84..63f288e 100644 --- a/apache2-errors.conf +++ b/apache2-errors.conf @@ -40,7 +40,13 @@ Alias /error/ "/usr/share/apache2/error/" Options IncludesNoExec AddOutputFilter Includes html AddHandler type-map var - Require all granted + + Require all granted + + + Order allow,deny + Allow from all + LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr ForceLanguagePriority Prefer Fallback diff --git a/apache2-httpd.conf b/apache2-httpd.conf index aa747a6..202150f 100644 --- a/apache2-httpd.conf +++ b/apache2-httpd.conf @@ -150,14 +150,26 @@ Include /etc/apache2/ssl-global.conf Options None AllowOverride None - Require all denied + + Require all denied + + + Order deny,allow + Deny from all + # use .htaccess files for overriding, AccessFileName .htaccess # and never show them - Require all denied + + Require all denied + + + Order allow,deny + Deny from all + # List of resources to look for when the client requests a directory diff --git a/apache2-manual.conf b/apache2-manual.conf index 4984f54..01a9d64 100644 --- a/apache2-manual.conf +++ b/apache2-manual.conf 
@@ -9,7 +9,13 @@ AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|ru))?(/.*)?$ "/usr/share/apache2/man Options Indexes AllowOverride None - Require all granted + + Require all granted + + + Order allow,deny + Allow from all + SetHandler type-map diff --git a/apache2-mod_info.conf b/apache2-mod_info.conf index 6706ebd..2928d43 100644 --- a/apache2-mod_info.conf +++ b/apache2-mod_info.conf @@ -7,7 +7,14 @@ SetHandler server-info - Require local + + Require local + + + Order deny,allow + Deny from all + Allow from localhost + diff --git a/apache2-mod_status.conf b/apache2-mod_status.conf index 60bd16f..4f489b7 100644 --- a/apache2-mod_status.conf +++ b/apache2-mod_status.conf @@ -7,7 +7,14 @@ SetHandler server-status - Require local + + Require local + + + Order deny,allow + Deny from all + Allow from localhost + diff --git a/apache2-mod_userdir.conf b/apache2-mod_userdir.conf index 21f8d90..3b5ef85 100644 --- a/apache2-mod_userdir.conf +++ b/apache2-mod_userdir.conf @@ -31,11 +31,23 @@ Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec - Require all granted + + Require all granted + + + Order allow,deny + Allow from all + - Require all denied + + Require all denied + + + Order deny,allow + Deny from all + diff --git a/apache2-vhost.template b/apache2-vhost.template index 388c7c9..6275aa9 100644 --- a/apache2-vhost.template +++ b/apache2-vhost.template @@ -60,7 +60,13 @@ AllowOverride None Options +ExecCGI -Includes - Require all granted + + Require all granted + + + Order allow,deny + Allow from all + @@ -115,7 +121,13 @@ # # Controls who can get stuff from this server. # - Require all granted + + Require all granted + + + Order allow,deny + Allow from all + diff --git a/apache2.changes b/apache2.changes index ca43ae5..5844b2e 100644 --- a/apache2.changes +++ b/apache2.changes 
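Review bot: In the mod_access_compat branch of apache2-mod_info.conf (and identically in apache2-mod_status.conf), `Allow from localhost` is not equivalent to the `Require local` it mirrors: a host name in `Allow from` is matched through a double reverse DNS lookup of the client address, so server-info and server-status become unreachable when 127.0.0.1 or ::1 do not reverse-resolve to `localhost`, and the access decision depends on name resolution rather than on the address itself. `Require local` matches the loopback addresses and same-host connections directly. Consider `Allow from 127.0.0.1` and `Allow from ::1` (keeping `Allow from localhost` if name matching is intended) so the fallback stays address-based like the primary branch. The enclosing container block of both hunks starts before the hunk.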
@@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Mon May 25 10:27:13 UTC 2015 - pgajdos@suse.com + +- access_compat now built as shared and disabled by default +- amend config to use also old syntax when access_compat is + loaded +- added apache2-README-access_compat.txt +- added apache-find-directive script +- see [bnc#896083] and its duplicates + ------------------------------------------------------------------- Mon May 11 13:34:40 UTC 2015 - hguo@suse.com diff --git a/apache2.spec b/apache2.spec index ecc7eb2..57e26e5 100644 --- a/apache2.spec +++ b/apache2.spec @@ -45,7 +45,7 @@ %define httpdgroup www %if 0%{?suse_version} >= 1220 %define runtimedir /run -%define mods_static access_compat unixd systemd +%define mods_static unixd systemd %else %define runtimedir %{_localstatedir}/run %define mods_static access_compat unixd @@ -70,6 +70,7 @@ Source22: apache2-README Source23: apache2-README.QUICKSTART Source24: apache2-README.default-vhost Source25: gensslcert +Source26: apache2-README-access_compat.txt Source27: %{name}.logrotate Source28: permissions.%{name} Source29: apache-ssl-stuff.tar.bz2 @@ -110,6 +111,7 @@ Source141: apache-20-22-upgrade Source142: start_apache2 Source143: apache2-systemd-ask-pass Source144: apache2.service +Source145: apache-find-directives Patch2: httpd-2.1.3alpha-layout.dif Patch23: httpd-2.4.10-apachectl.patch #Patch65: httpd-2.0.49-log_server_status.dif @@ -319,6 +321,8 @@ b=$(basename %{SOURCE23}) cp %{SOURCE23} ./${b##%{name}-} c=$(basename %{SOURCE24}) cp %{SOURCE24} ./${c##%{name}-} +d=$(basename %{SOURCE26}) +cp %{SOURCE26} ./${d##%{name}-} # # replace PLATFORM string that's seen in the "Server:" header 
@@ -516,6 +520,7 @@ install -m 755 support/logresolve.pl %{buildroot}/%{_sbindir}/logresolve.pl%{v mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 644 $RPM_SOURCE_DIR/%{name}.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/%{name} install -m 755 $RPM_SOURCE_DIR/apache2-check_forensic %{buildroot}/%{_bindir}/check_forensic%{vers} +install -m 755 $RPM_SOURCE_DIR/apache-find-directives %{buildroot}/%{_bindir} # # xml stuff install -d %{buildroot}%{_datadir}/omc/svcinfo.d/ @@ -811,6 +816,7 @@ mv %{buildroot}/%{sysconfdir}/original . %{_sbindir}/%{httpd}-prefork %dir %{_libdir}/%{name}-prefork # hardcoded list so we do not lose mods by accident +%{_libdir}/%{name}-prefork/mod_access_compat.so %{_libdir}/%{name}-prefork/mod_actions.so %{_libdir}/%{name}-prefork/mod_alias.so %{_libdir}/%{name}-prefork/mod_allowmethods.so @@ -929,6 +935,7 @@ mv %{buildroot}/%{sysconfdir}/original . %{_sbindir}/%{httpd}-worker %dir %{_libdir}/%{name}-worker # hardcoded list so we do not lose mods by accident +%{_libdir}/%{name}-worker/mod_access_compat.so %{_libdir}/%{name}-worker/mod_actions.so %{_libdir}/%{name}-worker/mod_alias.so %{_libdir}/%{name}-worker/mod_allowmethods.so @@ -1047,6 +1054,7 @@ mv %{buildroot}/%{sysconfdir}/original . %{_sbindir}/%{httpd}-event %dir %{_libdir}/%{name}-event # hardcoded list so we do not lose mods by accident +%{_libdir}/%{name}-event/mod_access_compat.so %{_libdir}/%{name}-event/mod_actions.so %{_libdir}/%{name}-event/mod_alias.so %{_libdir}/%{name}-event/mod_allowmethods.so @@ -1195,6 +1203,7 @@ mv %{buildroot}/%{sysconfdir}/original . %{_mandir}/man8/fcgistarter2.8.* %{_bindir}/check_forensic%{vers} %{_bindir}/dbmmanage%{vers} +%{_bindir}/apache-find-directives %{_bindir}/gensslcert %{_bindir}/htdbm%{vers} %{_bindir}/htdigest%{vers}
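Review bot: The new `install -m 755 $RPM_SOURCE_DIR/apache-find-directives %{buildroot}/%{_bindir}` line and the matching `%{_bindir}/apache-find-directives` entry in `%files` install the tool without the `%{vers}` suffix that every sibling helper in the same list carries (`check_forensic%{vers}`, `dbmmanage%{vers}`, `htdbm%{vers}`), so two apache2 versions installed side by side would collide on this path. If the unsuffixed name is deliberate, a short comment on the install line (`# not versioned: tool is independent of the httpd version`) would stop the next packager from "fixing" it. Separately, the `%else` branch of the `mods_static` define still lists `access_compat`, so on older suse_version the module stays statically linked and always active while the commit message describes it as disabled by default; presumably intended for the older products, but worth a comment next to the `%else`.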