Hello community, here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2015-05-28 09:48:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2 (Old) and /work/SRC/openSUSE:Factory/.apache2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2" Changes: -------- --- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2015-05-16 20:07:24.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes 2015-05-28 09:48:36.000000000 +0200 @@ -1,0 +2,10 @@ +Mon May 25 10:27:13 UTC 2015 - [email protected] + +- access_compat now built as shared and disabled by default +- amend config to use also old syntax when access_compat is + loaded +- added apache2-README-access_compat.txt +- added apache-find-directive script +- see [bnc#896083] and its duplicates + +------------------------------------------------------------------- New: ---- apache-find-directives apache2-README-access_compat.txt ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200 +++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200 @@ -45,7 +45,7 @@ %define httpdgroup www %if 0%{?suse_version} >= 1220 %define runtimedir /run -%define mods_static access_compat unixd systemd +%define mods_static unixd systemd %else %define runtimedir %{_localstatedir}/run %define mods_static access_compat unixd @@ -70,6 +70,7 @@ Source23: apache2-README.QUICKSTART Source24: apache2-README.default-vhost Source25: gensslcert +Source26: apache2-README-access_compat.txt Source27: %{name}.logrotate Source28: permissions.%{name} Source29: apache-ssl-stuff.tar.bz2 @@ -110,6 +111,7 @@ Source142: start_apache2 Source143: apache2-systemd-ask-pass Source144: apache2.service +Source145: apache-find-directives Patch2: httpd-2.1.3alpha-layout.dif Patch23: httpd-2.4.10-apachectl.patch #Patch65: httpd-2.0.49-log_server_status.dif @@ -319,6 +321,8 @@ cp %{SOURCE23} ./${b##%{name}-} c=$(basename %{SOURCE24}) cp %{SOURCE24} ./${c##%{name}-} +d=$(basename %{SOURCE26}) +cp %{SOURCE26} ./${d##%{name}-} # # replace PLATFORM string that's seen in the "Server:" header 
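Review bot: The `%else` branch of the first apache2.spec hunk still defines `mods_static access_compat unixd`, so on targets with suse_version below 1220 the module stays compiled in and the changelog's "disabled by default" does not hold there. On those targets every `<IfModule mod_access_compat.c>` branch in the shipped configuration is always taken. The `%files` hunks for prefork, worker and event add `mod_access_compat.so` unconditionally; if a statically linked module produces no .so (the configure call is outside these hunks, so this is inferred), the file list would fail on the older targets. Either drop `access_compat` from the `%else` line as well, or wrap the three new `%files` entries in the same `%if 0%{?suse_version} >= 1220` condition.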
@@ -516,6 +520,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 644 $RPM_SOURCE_DIR/%{name}.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/%{name} install -m 755 $RPM_SOURCE_DIR/apache2-check_forensic %{buildroot}/%{_bindir}/check_forensic%{vers} +install -m 755 $RPM_SOURCE_DIR/apache-find-directives %{buildroot}/%{_bindir} # # xml stuff install -d %{buildroot}%{_datadir}/omc/svcinfo.d/ @@ -811,6 +816,7 @@ %{_sbindir}/%{httpd}-prefork %dir %{_libdir}/%{name}-prefork # hardcoded list so we do not lose mods by accident +%{_libdir}/%{name}-prefork/mod_access_compat.so %{_libdir}/%{name}-prefork/mod_actions.so %{_libdir}/%{name}-prefork/mod_alias.so %{_libdir}/%{name}-prefork/mod_allowmethods.so @@ -929,6 +935,7 @@ %{_sbindir}/%{httpd}-worker %dir %{_libdir}/%{name}-worker # hardcoded list so we do not lose mods by accident +%{_libdir}/%{name}-worker/mod_access_compat.so %{_libdir}/%{name}-worker/mod_actions.so %{_libdir}/%{name}-worker/mod_alias.so %{_libdir}/%{name}-worker/mod_allowmethods.so @@ -1047,6 +1054,7 @@ %{_sbindir}/%{httpd}-event %dir %{_libdir}/%{name}-event # hardcoded list so we do not lose mods by accident +%{_libdir}/%{name}-event/mod_access_compat.so %{_libdir}/%{name}-event/mod_actions.so %{_libdir}/%{name}-event/mod_alias.so %{_libdir}/%{name}-event/mod_allowmethods.so 
@@ -1195,6 +1203,7 @@ %{_mandir}/man8/fcgistarter2.8.* %{_bindir}/check_forensic%{vers} %{_bindir}/dbmmanage%{vers} +%{_bindir}/apache-find-directives %{_bindir}/gensslcert %{_bindir}/htdbm%{vers} %{_bindir}/htdigest%{vers} ++++++ apache-find-directives ++++++ #!/bin/bash exit_code=1 function usage { echo "Check for directives in apache configuration (including" echo "potentially reachable .htaccess files)" echo "" echo "Usage: $0 [options]" echo "" echo " options: " echo " -s string system configuration root" echo " [default: $system_conf_root]" echo " -d string directives to search" echo " [default: $check_directives]" echo " -n string htaccess file name(s)" echo " [default: $htaccess_names]" echo " -q do not print where directive(s) was found" echo " -v as -v plus trace and matched lines" echo " -h this help" echo "" echo "Return Value: 0 at least one occurence found in apache config" echo " 1 no occurence found" echo " 2 wrong arguments" echo "" echo "Example: " echo " $ $0 -s '/etc/apache2/default-server.conf' -n '.htaccess .htconfig' -d 'Require' -v" echo " Checking /etc/apache2/default-server.conf .. FOUND" echo " Checking /srv/www/htdocs/foo/.htaccess .. FOUND" echo " Checking /etc/apache2/conf.d/gitweb.conf .. FOUND" echo " $" } function find_directives_in_file { file=$1 pattern=$(echo $check_directives | sed 's:\([^ \t]\+\):\\b\1\\b:g' | sed 's:\s\+:\\|:g') output=$(cat $file | sed 's:#.*::' | grep -i "$pattern") if [ $? -eq 0 ]; then [ $verbosity -ge 1 ] && echo " Checking $file .. FOUND" [ $verbosity -ge 2 ] && echo " Output: [$output]" exit_code=0 else [ $verbosity -ge 2 ] && echo " Checking $file .. 
NOT FOUND" fi } function check_conf_file { conf_file=$1 [ $verbosity -ge 2 ] && echo "CONFIG FILE: $conf_file" find_directives_in_file $conf_file # check all directories with AllowOverride not None # for .htaccess files directories=$(grep -i '<directory' $conf_file | sed 's:#.*::' | sed 's:.*<directory\s*\([^ \t]*\)\s*>:\1:I' | tr -d '"') find_names=$(echo $htaccess_names | sed 's:^\s\+::' | sed 's:\s\+$::' | sed 's:\s\+: -o -name :g' | sed 's:^:-name :') for dir in $directories; do [ $verbosity -ge 2 ] && echo " Directory: $dir" allow_override=$(grep -i -Pzo "(?s)<directory[\s\"]*$dir.*?</directory>" $conf_file | sed 's:#.*::'| grep AllowOverride) [ $verbosity -ge 2 ] && echo " override: $allow_override" shopt -s nocasematch if [[ ! $allow_override =~ allowoverride.*none ]]; then for htfile in $(find $dir $find_names); do find_directives_in_file $htfile done fi shopt -u nocasematch done # check all Include or IncludeOptional files recursively include_files=$(grep '^\s*Include' $conf_file | sed 's:#.*::' | sed 's:Include[^ ]*\s\+::' | tr '\n' ' ') [ $verbosity -ge 2 ] && echo " Include Files: [$include_files]" for ifile in $include_files; do if [ -f $ifile ]; then check_conf_file $ifile fi done } system_conf_root="/etc/apache2/httpd.conf" check_directives="allow deny order satisfy" htaccess_names=".htaccess" verbosity=1 while getopts ":hs:d:n:vq" opt; do case $opt in s) system_conf_root=$OPTARG ;; d) check_directives=$OPTARG ;; n) htaccess_names=$OPTARG ;; q) verbosity=0 ;; v) verbosity=2 ;; h) usage exit 0 ;; \?) echo "ERROR: Invalid option: -$OPTARG" >&2 usage exit 2 ;; :) echo "ERROR: Option -$OPTARG requires an argument." >&2 usage exit 2 ;; esac done check_conf_file $system_conf_root exit $exit_code ++++++ apache2-README-access_compat.txt ++++++ Dear System Administrator, with apache 2.4, some changes have been introduced that affect apache's access control scheme. 
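Review bot: find_directives_in_file in apache-find-directives matches directives anywhere in a file with no regard for `<IfModule>` context, so with the default directive list `allow deny order satisfy` it will report FOUND on the configuration this same package ships, whose `<IfModule mod_access_compat.c>` branches now contain `Order`, `Allow` and `Deny` (assuming apache2-httpd.conf is installed as /etc/apache2/httpd.conf). The exit status therefore cannot tell an administrator whether it is safe to leave access_compat disabled. Misses are possible too: in check_conf_file, `grep '^\s*Include' $conf_file` is case-sensitive although Apache directive names are not, and `[ -f $ifile ]` silently skips targets given relative to ServerRoot or as a directory. I would use `grep -i '^\s*Include'`, print a warning to stderr for every include target that is not followed, and quote `"$file"` and `"$conf_file"`, since those values come from configuration files and currently undergo word splitting and globbing. The usage line `-v as -v plus trace and matched lines` presumably means "as default plus trace and matched lines".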
Previously, the directives "Allow", "Deny" and "Order" have determined if access to a resource has been granted with apache 2.2. Example (from /etc/apache2/httpd.conf, the main apache configuration file): <Directory /> Options None AllowOverride None Order deny,allow Deny from all </Directory> With 2.4, these directives have been replaced by the "Require" directive, which is contained in the mod_authz_core module, and enhanced by the mod_authz_host module. "Require" understands several regulative groups, such as env access granted if an apache environment variable is set method access granted only for given HTTP methods (GET, POST, ...) expr access granted if the expression following expr evaluates to true user access granted if the named users can access the resource group analogous to user for groups valid-user access granted if a valid user requests it ip access granted if the client's IP address matches all granted unconditionally accepted/granted all denied unconditionally denied access By consequence, the set of 2.2 directives Order deny,allow Deny from all can be translated to the apache 2.4 Require directive Require all denied The SUSE Linux Enterprise 12 package set for apache comes with a compatibility module called mod_access_compat, which, if loaded, causes apache to understand the 2.2 "Allow/Deny" directives. Unfortunately, the mixed usage of the 2.2 "Allow/Deny" and the 2.4 "Require" directive will lead to either unexpected or inconclusive results. By consequence, one should decide if the 2.2 or the 2.4 access control mimics shall be used. Fortunately, it is easy to switch from the new back to the old scheme: a2enmod access_compat will enable the 2.2 scheme, a2enmod -d access_compat will disable the old scheme again, thereby enabling the new scheme. 
Of course, an apache restart is needed: systemctl restart apache2 The SUSE apache configuration framework can work with both the new and the old scheme, conditional if the access_compat apache module is loaded. Additional pointers about the access controls new in apache 2.4 and about the access_compat module can be found here: http://httpd.apache.org/docs/current/mod/mod_authz_core.html http://httpd.apache.org/docs/current/mod/mod_authz_host.html http://httpd.apache.org/docs/current/mod/mod_access_compat.html ++++++ apache2-default-server.conf ++++++ --- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200 +++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200 @@ -25,7 +25,13 @@ # Options FileInfo AuthConfig Limit AllowOverride None # Controls who can get stuff from this server. - Require all granted + <IfModule !mod_access_compat.c> + Require all granted + </IfModule> + <IfModule mod_access_compat.c> + Order allow,deny + Allow from all + </IfModule> </Directory> # Aliases: aliases can be added as needed (with no limit). The format is @@ -45,7 +51,13 @@ <Directory "/usr/share/apache2/icons"> Options Indexes MultiViews AllowOverride None - Require all granted + <IfModule !mod_access_compat.c> + Require all granted + </IfModule> + <IfModule mod_access_compat.c> + Order allow,deny + Allow from all + </IfModule> </Directory> # ScriptAlias: This controls which directories contain server scripts. 
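Review bot: The new `<IfModule !mod_access_compat.c>` / `<IfModule mod_access_compat.c>` pairs, here in apache2-default-server.conf and in every other configuration file of this commit, are decided while the file is being read, so they only see a module whose `LoadModule` line has already been processed at that point. If access_compat were loaded from a file included later, the `Require` branch would be chosen while the old directives are also active, which is the mixed state the README warns about; this matters most for `<Directory />` and `<Files ~ "^\.ht">` in apache2-httpd.conf. Where the module list is included relative to these sections is not visible in the diff, so please confirm it comes first. A comment next to the first pair would help, for example `# evaluated at parse time: mod_access_compat must be loaded before this file is read`.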
@@ -63,7 +75,13 @@ <Directory "/srv/www/cgi-bin"> AllowOverride None Options +ExecCGI -Includes - Require all granted + <IfModule !mod_access_compat.c> + Require all granted + </IfModule> + <IfModule mod_access_compat.c> + Order allow,deny + Allow from all + </IfModule> </Directory> # UserDir: The name of the directory that is appended onto a user's home ++++++ apache2-default-vhost-ssl.conf ++++++ --- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200 +++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200 @@ -198,9 +198,18 @@ # #<limit GET POST> # <RequireAny> - # Require valid-user - # Require local - # Require host .example.com + # <IfModule !mod_access_compat.c> + # Require valid-user + # Require local + # Require host .example.com + # </IfModule> + # <IfModule mod_access_compat.c> + # Order Deny,Allow + # Deny from All + # Allow from 127.0.0.1 + # Allow from .example.com + # Satisfy any + # </IfModule> # </RequireAny> #</limit> </Directory> ++++++ apache2-default-vhost.conf ++++++ --- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200 +++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200 @@ -52,7 +52,13 @@ <Directory "/srv/www/cgi-bin"> AllowOverride None Options +ExecCGI -Includes - Require all granted + <IfModule !mod_access_compat.c> + Require all granted + </IfModule> + <IfModule mod_access_compat.c> + Order allow,deny + Allow from all + </IfModule> </Directory> @@ -108,8 +114,14 @@ # # Controls who can get stuff from this server. # - Require all granted - + <IfModule !mod_access_compat.c> + Require all granted + </IfModule> + <IfModule mod_access_compat.c> + Order allow,deny + Allow from all + </IfModule> + </Directory> # ++++++ apache2-errors.conf ++++++ --- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200 +++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200 
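Review bot: In the commented example of apache2-default-vhost-ssl.conf the `<IfModule mod_access_compat.c>` branch is placed inside `<RequireAny>`, which is a mod_authz_core container for `Require` directives; as far as I can tell `Order`, `Deny`, `Allow` and `Satisfy` are not accepted there, so an administrator who uncomments the block with access_compat loaded would get a configuration error. The two branches also differ in meaning: the old-style branch has no `Require valid-user`, so `Satisfy any` has no authentication alternative and only the two host rules grant access. I would move both `<IfModule>` blocks so that `<RequireAny>` wraps only the three `Require` lines, and add `# Require valid-user` to the old-style branch.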
@@ -40,7 +40,13 @@ Options IncludesNoExec AddOutputFilter Includes html AddHandler type-map var - Require all granted + <IfModule !mod_access_compat.c> + Require all granted + </IfModule> + <IfModule mod_access_compat.c> + Order allow,deny + Allow from all + </IfModule> LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr ForceLanguagePriority Prefer Fallback </Directory> ++++++ apache2-httpd.conf ++++++ --- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200 +++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200 @@ -150,14 +150,26 @@ <Directory /> Options None AllowOverride None - Require all denied + <IfModule !mod_access_compat.c> + Require all denied + </IfModule> + <IfModule mod_access_compat.c> + Order deny,allow + Deny from all + </IfModule> </Directory> # use .htaccess files for overriding, AccessFileName .htaccess # and never show them <Files ~ "^\.ht"> - Require all denied + <IfModule !mod_access_compat.c> + Require all denied + </IfModule> + <IfModule mod_access_compat.c> + Order allow,deny + Deny from all + </IfModule> </Files> # List of resources to look for when the client requests a directory ++++++ apache2-manual.conf ++++++ --- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200 +++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200 @@ -9,7 +9,13 @@ <Directory "/usr/share/apache2/manual"> Options Indexes AllowOverride None - Require all granted + <IfModule !mod_access_compat.c> + Require all granted + </IfModule> + <IfModule mod_access_compat.c> + Order allow,deny + Allow from all + </IfModule> <Files *.html> SetHandler type-map ++++++ apache2-mod_info.conf ++++++ --- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200 +++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200 
@@ -7,7 +7,14 @@ <IfModule mod_info.c> <Location /server-info> SetHandler server-info - Require local + <IfModule !mod_access_compat.c> + Require local + </IfModule> + <IfModule mod_access_compat.c> + Order deny,allow + Deny from all + Allow from localhost + </IfModule> </Location> </IfModule> ++++++ apache2-mod_status.conf ++++++ --- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200 +++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200 @@ -7,7 +7,14 @@ <IfModule mod_status.c> <Location /server-status> SetHandler server-status - Require local + <IfModule !mod_access_compat.c> + Require local + </IfModule> + <IfModule mod_access_compat.c> + Order deny,allow + Deny from all + Allow from localhost + </IfModule> </Location> </IfModule> ++++++ apache2-mod_userdir.conf ++++++ --- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200 +++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200 @@ -31,11 +31,23 @@ Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec <Limit GET POST OPTIONS PROPFIND> - Require all granted + <IfModule !mod_access_compat.c> + Require all granted + </IfModule> + <IfModule mod_access_compat.c> + Order allow,deny + Allow from all + </IfModule> </Limit> <LimitExcept GET POST OPTIONS PROPFIND> - Require all denied + <IfModule !mod_access_compat.c> + Require all denied + </IfModule> + <IfModule mod_access_compat.c> + Order deny,allow + Deny from all + </IfModule> </LimitExcept> </Directory> ++++++ apache2-vhost.template ++++++ --- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200 +++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200 
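Review bot: `Allow from localhost` in the access_compat branch of apache2-mod_info.conf (and the identical hunk in apache2-mod_status.conf) is a host-name rule, not the equivalent of `Require local`. A name in `Allow from` is matched through a reverse and forward DNS lookup of the client address, so who can read /server-info and /server-status then depends on name resolution on the host, whereas `Require local` matches loopback addresses without a lookup. The example in apache2-default-vhost-ssl.conf already uses an address; I would do the same here with `Allow from 127.0.0.1 ::1`.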
@@ -60,7 +60,13 @@ <Directory "/srv/www/vhosts/dummy-host.example.com/cgi-bin"> AllowOverride None Options +ExecCGI -Includes - Require all granted + <IfModule !mod_access_compat.c> + Require all granted + </IfModule> + <IfModule mod_access_compat.c> + Order allow,deny + Allow from all + </IfModule> </Directory> @@ -115,7 +121,13 @@ # # Controls who can get stuff from this server. # - Require all granted + <IfModule !mod_access_compat.c> + Require all granted + </IfModule> + <IfModule mod_access_compat.c> + Order allow,deny + Allow from all + </IfModule> </Directory>
