PATCH: "persistent state" directory default/config/API

2018-10-02 Thread Joe Orton
On Fri, Sep 28, 2018 at 11:22:22AM +0100, Joe Orton wrote:
> Example users are the mod_dav_fs lock database, mod_md's MD data store. 
> With an API & default, these can have hard-coded default paths so the 
> modules work without needing configuration.  The proxy cache root could 
> count here too.

FWIW, part of the motivation here is being able to have a common 
security policy for this kind of data, e.g. for SELinux.  When modules 
like mod_md/mod_dav want to drop data at $Root/$Random_Name it is 
hard/impossible to have SELinux policy which allows modules to work by 
default.  If we have three categories of data separated into three 
directories:

- run-time data: root-writable, temporary, readable by unprivileged children
- log data: root-writable, *append-only* data (open fails w/o O_APPEND)
- state data: unprivileged children have random access read/write

we can have SELinux policy which "just works", without needing custom 
policy rules for mod_dav, and for mod_md, etc etc.

Two patches attached: 

a) PoC implementation of StateDir/ap_state_dir_relative()

b) patches showing how this can be used in modules/.  Note this does 
move the hard-coded default MdStoreDir for 2.5.x

I'll commit later in the week if there is no feedback.

Regards, Joe
Index: Makefile.in
===
--- Makefile.in (revision 1842598)
+++ Makefile.in (working copy)
@@ -218,6 +218,7 @@
 install-other:
@test -d $(DESTDIR)$(logfiledir) || $(MKINSTALLDIRS) 
$(DESTDIR)$(logfiledir)
@test -d $(DESTDIR)$(runtimedir) || $(MKINSTALLDIRS) 
$(DESTDIR)$(runtimedir)
+   @test -d $(DESTDIR)$(statedir) || $(MKINSTALLDIRS) $(DESTDIR)$(statedir)
@for ext in dll x; do \
file=apachecore.$$ext; \
if test -f $$file; then \
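Review bot: the new `$(statedir)` rule creates the directory with whatever ownership and mode MKINSTALLDIRS gives it, but the cover letter's model needs this directory to be read/write for the unprivileged children, unlike `$(logfiledir)` and `$(runtimedir)`, which stay root-writable. `make install` cannot know the configured User/Group, so either document that the administrator must chown/chmod `$(statedir)` for the configured user (alongside the SELinux labelling), or have the server create each module's subdirectory under it at startup, while still root, and hand it to the child user; otherwise a root-owned 0755 state directory leaves mod_dav_fs and mod_md unable to write their data with the defaults that are meant to "just work".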
Index: acinclude.m4
===
--- acinclude.m4(revision 1842598)
+++ acinclude.m4(working copy)
@@ -45,7 +45,7 @@
   APACHE_SUBST(installbuilddir)
   APACHE_SUBST(runtimedir)
   APACHE_SUBST(proxycachedir)
-  APACHE_SUBST(davlockdb)
+  APACHE_SUBST(statedir)
   APACHE_SUBST(other_targets)
   APACHE_SUBST(progname)
   APACHE_SUBST(prefix)
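Review bot: `davlockdb` is dropped from the substitution list rather than kept beside `statedir`, so an out-of-tree `config.layout` or packaging script that still sets `davlockdb:` will have its value silently ignored with no configure-time error. Consider keeping `APACHE_SUBST(davlockdb)` for one release with its default re-expressed in terms of `${statedir}`, or at least calling out the removal in CHANGES together with the moved MdStoreDir default mentioned in the cover letter.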
@@ -876,7 +876,7 @@
   APACHE_SUBST_EXPANDED_ARG(runtimedir)
   APACHE_SUBST_EXPANDED_ARG(logfiledir)
   APACHE_SUBST_EXPANDED_ARG(proxycachedir)
-  APACHE_SUBST_EXPANDED_ARG(davlockdb)
+  APACHE_SUBST_EXPANDED_ARG(statedir)
 ])
 
 dnl 
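Review bot: this mirrors the first hunk for the expanded form, but nothing in the posted diff shows where the expanded `statedir` value reaches the C code; patch a) with `ap_state_dir_relative()` is referred to in the mail but not included here, so it is not possible to check from this hunk that the compiled-in default comes from the layout variable rather than a hard-coded string. Please post or link patch a) so both halves can be reviewed together.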
Index: config.layout
===
--- config.layout   (revision 1842598)
+++ config.layout   (working copy)
@@ -29,6 +29,7 @@
 includedir:${prefix}/include
 localstatedir: ${prefix}
 runtimedir:${localstatedir}/logs
+statedir:  ${localstatedir}/state
 logfiledir:${localstatedir}/logs
 proxycachedir: ${localstatedir}/proxy
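Review bot: in this default layout `runtimedir` and `logfiledir` are both `${localstatedir}/logs`, so only two of the three categories from the cover letter (run-time/log vs. state) end up in distinct directories here. If the aim is a policy that keeps append-only log data apart from temporary run-time data, this layout either needs `runtimedir` moved as well, or the documentation should say that the default Apache layout does not give that separation.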
 
@@ -54,6 +55,7 @@
 includedir:${prefix}/include+
 localstatedir: ${prefix}/var+
 runtimedir:${localstatedir}/run
+statedir:  ${localstatedir}/state
 logfiledir:${localstatedir}/log
 proxycachedir: ${localstatedir}/proxy
 
@@ -78,6 +80,7 @@
 includedir:
/System/Library/Frameworks/Apache.framework/Versions/2.0/Headers
 localstatedir: /var
 runtimedir:${prefix}/Logs
+statedir:  ${prefix}/State
 logfiledir:${prefix}/Logs
 proxycachedir: ${prefix}/ProxyCache
 
@@ -102,6 +105,7 @@
 includedir:${prefix}/include+
 localstatedir: /var
 runtimedir:${localstatedir}/run
+statedir:  ${localstatedir}/state
 logfiledir:${localstatedir}/log+
 proxycachedir: ${runtimedir}/proxy
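Review bot: with `localstatedir: /var`, `statedir: ${localstatedir}/state` yields `/var/state`, which is not a directory the FHS defines; the RedHat layouts further down use `${localstatedir}/lib/httpd`, which is the FHS location for variable state. Consider the same `${localstatedir}/lib/<name>` form for the FHS-style layouts so distribution policy (including SELinux file contexts, which are keyed on /var/lib) applies without per-layout special cases.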
 
@@ -126,6 +130,7 @@
 includedir:${prefix}/include/apache
 localstatedir: /var
 runtimedir:${localstatedir}/run
+statedir:  ${localstatedir}/lib/httpd
 logfiledir:${localstatedir}/log/httpd
 proxycachedir: ${localstatedir}/cache/httpd
  
@@ -151,6 +156,7 @@
 includedir:${prefix}/include/httpd
 runtimedir:/run/httpd
 logfiledir:${localstatedir}/log/httpd
+statedir:  ${localstatedir}/lib/httpd
 proxycachedir: ${localstatedir}/cache/httpd/proxy
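Review bot: `statedir` is inserted after `logfiledir` here, whereas the earlier hunks place it between `runtimedir` and `logfiledir`; keep the ordering the same in every layout so the file stays easy to diff and future additions land in a predictable spot. The `${localstatedir}/lib/httpd` value itself is the right choice for this layout.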
  
 
@@ -175,6 +181,7 @@
 localstatedir: /var${prefix}
 runtimedir:${localstatedir}/run
 logfiledir:${localstatedir}/logs
+statedir:  ${localstatedir}/state
 proxycachedir: ${localstatedir}/proxy
 
 
@@ -197,6 +204,7 @@
 cgidir:${datadir}/cgi-bin
 includedir:${prefix}/include/apache
 localstatedir: /var/lib/httpd
+statedir:  /var/lib/httpd
 runtimedir:/var/run
 logfiledir:/var/log/httpd
 proxycachedir: /var/cache/httpd
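Review bot: `statedir: /var/lib/httpd` is written as a literal while `localstatedir:` on the line above is already `/var/lib/httpd`; write it as `${localstatedir}` (or `${localstatedir}/state` if the rest of that tree is not meant to become child-writable) so the two cannot drift apart. Making `localstatedir` itself the child-writable state directory also means anything else a packager later puts under /var/lib/httpd inherits that access, which is worth a comment in the layout.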
@@ -223,6 +231,7 @@
 localstatedir: /var
 runtimedir:${localstatedir}/run
 logfiledir:${localstatedir}/log/httpd
+statedir:  ${prefix}/state
 proxycachedir: ${localstatedir}/proxy
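Review bot: `statedir: ${prefix}/state` puts the child-writable state directory inside the installation prefix even though this layout sets `localstatedir: /var` and keeps run-time, log and proxy data under `${localstatedir}`. That is the opposite of the separation the cover letter is after (the install tree should stay read-only to the server, with state beside the other variable data), and it complicates a generic SELinux policy for the prefix. `${localstatedir}/state` or `${localstatedir}/lib/<name>` would match the neighbouring lines.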
 
 
@@ -246,6 +255,7 @@
 includedir:

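The `ap_state_dir_relative()` helper the cover letter proposes is not among the hunks posted above. The following is an added example, not httpd's code and not Joe's PoC: it sketches the resolution rule such a helper needs so that a module's hard-coded default always lands inside the state directory and can never escape it through `..`, which is what makes a single SELinux label on that directory sufficient for all modules. The function names, the assumed default of `/var/lib/httpd` (matching the RedHat layouts in the patch) and the sample module paths (`davlockdb`, `md`) are assumptions for illustration.

```c
/*
 * Added example, not httpd's code or the PoC from this thread.
 * A minimal analogue of the proposed ap_state_dir_relative():
 * resolve a module-supplied path against the server's state
 * directory, keeping module defaults inside that directory so one
 * SELinux label on it covers all of them.  Names and defaults are
 * assumptions for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed compiled-in default; the RedHat layouts in the patch use
 * ${localstatedir}/lib/httpd. */
#define DEFAULT_STATE_DIR "/var/lib/httpd"

/*
 * Returns a malloc'd path, or NULL if the inputs are rejected.
 *  - state_dir must be absolute (as ServerRoot must be).
 *  - an absolute path is returned unchanged: the admin chose it.
 *  - a relative path is joined onto state_dir; any ".." component
 *    is refused, so a default such as "davlockdb" or "md" cannot be
 *    turned into a write outside the state directory.
 */
char *state_dir_relative(const char *state_dir, const char *path)
{
    const char *p;
    size_t dlen, plen, sep;
    char *out;

    if (state_dir == NULL || state_dir[0] != '/' || path == NULL)
        return NULL;

    plen = strlen(path);
    if (path[0] == '/') {               /* explicit absolute path */
        out = malloc(plen + 1);
        if (out != NULL)
            memcpy(out, path, plen + 1);
        return out;
    }

    /* Walk the relative path component by component. */
    for (p = path; *p != '\0'; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return NULL;                /* traversal: refuse */
        p += len;
        while (*p == '/')
            p++;                        /* skip "//" runs */
    }

    dlen = strlen(state_dir);
    while (dlen > 1 && state_dir[dlen - 1] == '/')
        dlen--;                         /* drop trailing slashes */
    /* No separator needed after a bare "/" or before an empty path. */
    sep = (dlen == 1 || plen == 0) ? 0 : 1;

    out = malloc(dlen + sep + plen + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, state_dir, dlen);
    if (sep)
        out[dlen] = '/';
    memcpy(out + dlen + sep, path, plen + 1);
    return out;
}

/* Helper: 1 if path resolves to expect, 0 if it differs or is rejected. */
int resolves_to(const char *state_dir, const char *path, const char *expect)
{
    char *got = state_dir_relative(state_dir, path);
    int ok = got != NULL && strcmp(got, expect) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed module defaults, as the cover letter envisages: each
     * module ships a relative name and needs no configuration. */
    const char *defaults[][2] = {
        { "mod_dav_fs DavLockDB", "davlockdb" },
        { "mod_md MdStoreDir",    "md" },
        { "explicit override",    "/srv/md-store" },
        { "hostile default",      "../log/httpd/error_log" },
    };
    size_t i;

    for (i = 0; i < sizeof defaults / sizeof defaults[0]; i++) {
        char *r = state_dir_relative(DEFAULT_STATE_DIR, defaults[i][1]);
        printf("%-22s %-24s -> %s\n", defaults[i][0], defaults[i][1],
               r ? r : "(rejected)");
        free(r);
    }
    return 0;
}
```

The check is deliberately stricter than a plain path join: a module default is trusted code, but a `..` in a default (or in a value that later becomes configurable) would silently move the module's data out of the directory the policy labels as state and into one labelled as log or run-time data, which is exactly the cross-category write the three-directory split exists to prevent.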
Re: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames

2018-10-02 Thread Julian Reschke

On 9/25/2018 4:26 PM, Barry Pollard wrote:

I'm confused.

Why are there no changes to mod_http2 mentioned in: 
http://www.apache.org/dist//httpd/CHANGES_2.4.35 to presumably address this CVE?
Or does one of the other changes cover this? (Not as far as I can see, but I 
could be wrong.)
In previous changes files (e.g. 
http://www.apache.org/dist//httpd/CHANGES_2.4.34) 
these were listed at the top of the changes file.


Also should this not be mentioned in: 
https://httpd.apache.org/security/vulnerabilities_24.html?

Apologies if I've jumped the gun and this is still in progress.
...


FWIW, it *is* mentioned in 
, which has a 
last modification date of September 25...


Best regards, Julian