cvs commit: apachen/htdocs/manual/mod core.html

1997-12-22 Thread marc
marc97/12/22 13:25:11

  Modified:htdocs/manual/mod core.html
  Log:
  Misc cleanups:
- cleanup HTML, <e> --> <em>
- remove bogus security warning about LockFile
- add warning about possible denial of service attack with
  LockFile in world writable directory
- remove security encouragement to use inetd; add warning that
  inetd isn't well supported.
  
  Revision  ChangesPath
  1.88  +11 -10apachen/htdocs/manual/mod/core.html
  
  Index: core.html
  ===
  RCS file: /export/home/cvs/apachen/htdocs/manual/mod/core.html,v
  retrieving revision 1.87
  retrieving revision 1.88
  diff -u -r1.87 -r1.88
  --- core.html 1997/12/14 01:04:56 1.87
  +++ core.html 1997/12/22 21:25:10 1.88
  @@ -371,7 +371,7 @@
  lt;Directory ~ quot;^/www/.*/[0-9]{3}quot;gt;
   /pre
   
  -would match directories in /www/ that consisted of three numbers./p
  +would match directories in /www/ that consisted of three numbers.
   
   pIf multiple (non-regular expression) directory sections match the
   directory (or its parents) containing
  @@ -1029,8 +1029,11 @@
   must be stored on a local disk/b.  The PID of the main
   server process is automatically appended to the filename. p
   
  -The LockFile is subject to the same warnings about log file placement and
  -a href=../misc/security_tips.html#serverrootsecurity/a.
  +STRONGSECURITY:/STRONG It is best to avoid putting this file in a 
  +world writable directory such as CODE/var/tmp/CODE because someone 
  +could create a denial of service attack and prevent the server from
  +starting by creating a lockfile with the same name as the one the 
  +server will try to create.p
   
   PHR
   
  @@ -1369,7 +1372,7 @@
   H2A name=rlimitRLimitCPU/A A NAME=rlimitcpudirective/A/H2
   !--%plaintext lt;?INDEX {\tt RLimitCPU} directivegt; --
   strongSyntax:/strong RLimitCPU em# or 'max'/em em[# or 
'max']/embr
  -strongDefault:/strong eUnset; uses operating system defaults/ebr
  +strongDefault:/strong emUnset; uses operating system defaults/embr
   strongContext:/strong server config, virtual hostbr
   strongStatus:/strong corebr
   strongCompatibility:/strong RLimitCPU is only available in Apache 1.2 
and laterp
  @@ -1388,7 +1391,7 @@
   h2A name=rlimitmemRLimitMEM directive/A/h2
   !--%plaintext lt;?INDEX {\tt RLimitMEM} directivegt; --
   strongSyntax:/strong RLimitMEM em# or 'max'/em em[# or 
'max']/embr
  -strongDefault:/strong eUnset; uses operating system defaults/ebr
  +strongDefault:/strong emUnset; uses operating system defaults/embr
   strongContext:/strong server config, virtual hostbr
   strongStatus:/strong corebr
   strongCompatibility:/strong RLimitMEM is only available in Apache 1.2 
and laterp
  @@ -1407,7 +1410,7 @@
   h2A name=rlimitnprocRLimitNPROC directive/A/h2
   !--%plaintext lt;?INDEX {\tt RLimitNPROC} directivegt; --
   strongSyntax:/strong RLimitNPROC em# or 'max'/em em[# or 
'max']/embr
  -strongDefault:/strong eUnset; uses operating system defaults/ebr
  +strongDefault:/strong emUnset; uses operating system defaults/embr
   strongContext:/strong server config, virtual hostbr
   strongStatus:/strong corebr
   strongCompatibility:/strong RLimitNPROC is only available in Apache 1.2 
and laterp
  @@ -1605,16 +1608,14 @@
   connection received, a new copy of the server is started from scratch;
   after the connection is complete, this program exits. There is a high price 
to
   pay per connection, but for security reasons, some admins prefer this option.
  +FONT COLOR=redInetd mode is no longer recommended and does not always
  +work properly.  Avoid it if at all possible./FONT
   p
   
   Standalone is the most common setting for ServerType since
   it is far more efficient. The server is started once, and services all
   subsequent connections. If you intend running Apache to serve a busy site,
   standalone will probably be your only option.p
  -
  -SECURITY: if you are paranoid about security, run in inetd mode. Security
  -cannot be guaranteed in either, but whilst most people are happy to use
  -standalone, inetd is probably least prone to attack.phr
   
   h2A name=startserversStartServers directive/A/h2
   !--%plaintext lt;?INDEX {\tt StartServers} directivegt; --
  
  
  


cvs commit: apachen/conf httpd.conf-dist

1997-12-22 Thread marc
marc97/12/22 13:39:58

  Modified:conf httpd.conf-dist
  Log:
  Add sample for LockFile directive to conf file.  At least now people have
  another place to ignore it in the docs.
  
  Revision  ChangesPath
  1.18  +10 -0 apachen/conf/httpd.conf-dist
  
  Index: httpd.conf-dist
  ===
  RCS file: /export/home/cvs/apachen/conf/httpd.conf-dist,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- httpd.conf-dist   1997/11/21 14:59:00 1.17
  +++ httpd.conf-dist   1997/12/22 21:39:58 1.18
  @@ -72,6 +72,16 @@
   # no two invocations of Apache share the same scoreboard file.
   ScoreBoardFile logs/apache_status
   
  +# The LockFile directive sets the path to the lockfile used when Apache
  +# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
  +# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
  +# its default value. The main reason for changing it is if the logs
  +# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
  +# DISK. The PID of the main server process is automatically appended to
  +# the filename. 
  +#
  +#LockFile logs/accept.lock
  +
   # ServerName allows you to set a host name which is sent back to clients for
   # your server if it's different than the one the program would get (i.e. use
   # www instead of the host's real name).
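Review bot: The added LockFile comment block covers the NFS constraint but says nothing about directory permissions. The core.html change of the same day warns that a lockfile in a world-writable directory such as /var/tmp lets another local user create the file first and keep the server from starting. Anyone moving the lockfile off NFS is likely to pick exactly such a directory, so the sample should carry the caveat too, for instance `# Do not point LockFile at a world-writable directory such as /var/tmp;` followed by `# use a directory only root (or the server's start-up user) can write to.` placed just above the commented `#LockFile logs/accept.lock` line.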
  
  
  


cvs commit: apachen/src/modules/standard mod_include.c

1997-12-22 Thread martin
martin  97/12/22 13:53:18

  Modified:.STATUS
   src/modules/standard mod_include.c
  Log:
  A couple of break;s were missing from switch() statements; the result
  would have been wrong or missing error messages in the case of invalid
  expressions in SSI files.
  Reviewed by:Jim Jagielski, Dean Gaudet
  
  Revision  ChangesPath
  1.15  +3 -6  apachen/STATUS
  
  Index: STATUS
  ===
  RCS file: /home/cvs/apachen/STATUS,v
  retrieving revision 1.14
  retrieving revision 1.15
  diff -u -u -r1.14 -r1.15
  --- STATUS1997/12/22 18:00:02 1.14
  +++ STATUS1997/12/22 21:52:59 1.15
  @@ -47,6 +47,7 @@
   * Mark Bixby's [PORT] MPE porting patch
   * Dean's [PATCH] Re: problem with a .gif and v2.1.4
   * Dean's [PATCH] util_date.c needless reinitialization
  +* Martin's [PATCH] Gimme a break! (missing break;s in mod_include)
   
   Available:
   
  @@ -56,11 +57,11 @@
   
   * Dean's [PATCH] Re: [BUGFIXES] Wrong GID for PID file and UMASK for logs
[EMAIL PROTECTED]
  - Status: Dean +1
  + Status: Dean +1, Martin +1
   
   * Dean's [PATCH] two bugs in mod_autoindex
[EMAIL PROTECTED]
  - Status: Dean +1, Randy +1
  + Status: Dean +1, Randy +1, Martin +1
   
   * Dean's [PATCH] fix Rasmus' chunking error
[EMAIL PROTECTED]
  @@ -77,10 +78,6 @@
   * Martin's [PATCH] 36kB: Make apache compile  run on an EBCDIC mainframe
[EMAIL PROTECTED]
Status: Martin +1, Dean +1
  -
  -* Martin's [PATCH] Gimme a break!
  - [EMAIL PROTECTED]
  - Status: Martin +1, Jim +1, Dean +1
   
   * Ben Hyde's [PATCH] Serialize the update to pool.sub_* in destroy_pool
 (take 2)
  
  
  
  1.59  +11 -0 apachen/src/modules/standard/mod_include.c
  
  Index: mod_include.c
  ===
  RCS file: /home/cvs/apachen/src/modules/standard/mod_include.c,v
  retrieving revision 1.58
  retrieving revision 1.59
  diff -u -u -r1.58 -r1.59
  --- mod_include.c 1997/11/09 20:40:34 1.58
  +++ mod_include.c 1997/12/22 21:53:17 1.59
  @@ -1098,6 +1098,7 @@
   return (char *) NULL;
   }
   
  +token-type = token_string; /* the default type */
   switch (ch) {
   case '(':
   token-type = token_lbrace;
  @@ -1126,11 +1127,13 @@
   token-type = token_or;
   return (string + 1);
   }
  +break;
   case '':
   if (*string == '') {
   token-type = token_and;
   return (string + 1);
   }
  +break;
   case '':
   if (*string == '=') {
   token-type = token_ge;
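Review bot: The two `break;` statements added after the `token_or` and `token_and` branches carry no comment saying what a lone operator character becomes once control leaves the switch. Judging by the hunk at line 1098, it presumably relies on the new default `token->type = token_string`. A short comment on each, e.g. `break; /* single character, not an operator: handled as a string token below */`, would make that dependency explicit and make it harder to reintroduce the fall-through. The same applies to the two `break;`s added in the hunk at -1192 ahead of the `goto TOKEN_DONE` cases. The switch starts and ends outside this hunk, so the string-scanning path is inferred rather than visible.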
  @@ -1192,10 +1195,12 @@
   if (*(string + 1) == '|') {
   goto TOKEN_DONE;
   }
  +break;
   case '':
   if (*(string + 1) == '') {
   goto TOKEN_DONE;
   }
  +break;
   case '':
   goto TOKEN_DONE;
   case '':
  @@ -1957,6 +1962,12 @@
   }
   parse_string(r, tag_val, parsed_string, MAX_STRING_LEN, 0);
   table_set(r-subprocess_env, var, parsed_string);
  +}
  +else {
  +aplog_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r-server,
  +Invalid tag for set directive);
  +rputs(error, r);
  +return -1;
   }
   }
   }
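Review bot: The error logged in the new `else` branch is a fixed string, so someone reading the error log cannot tell which document contained the malformed `set` element. Naming the file would make the entry actionable, for example by passing `"Invalid tag for set directive in %s", r->filename` as the message arguments. If the tag text is ever added to the message, it should be escaped or length-limited first, because it comes from the parsed document and would otherwise be written to the log verbatim. The enclosing function starts and ends outside this hunk, so how callers treat the `-1` return is not visible here.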