scorebord permissions

2012-09-01 Thread Nick Edwards 
Hello,

I have an issue where, apache is, when using graceful reload, setting
perms for domains as root

-rw---  1 root   root 44 Sep  1 05:59 somedomain


yet if I delete this and either   click on URL, or, stop apache and
cleanly start apache it is recreated cleanly as:

-rw---  1 apache   apache 44 Sep  1 06:00 somedomain

stop/start/reload are all called from the same sh file.

This behaviour also exists when using  apachectl directly

Is this a bug?

mod_ssl and pkg-config on AIX (Re: [Vote] httpd 2.2.23 release)

2012-09-01 Thread Kaspar Brand 
On 27.08.2012 15:42, Michael Felt wrote:
 FYI: I get an error message from configure that I do not understand.
 
 + ./configure
 --enable-layout=AIX
 --with-apr=/opt/bin/apr-1-config
 --with-apr-util=/opt/bin/apu-1-config
 --with-mpm=worker
 --enable-ssl
 --enable-mods-shared=all  build/aix/configure.out
 Package openssl was not found in the pkg-config search path.
 Perhaps you should add the directory containing `openssl.pc'
 to the PKG_CONFIG_PATH environment variable
 No package 'openssl' found

Does AIX come with a bundled version of OpenSSL (under /usr or similar)?

How does the configure output look like after the checking whether to enable
mod_ssl... line (up to checking whether to enable 
mod_optional_hook_export...)?

With 2.2.x, configure will try pkg-config for figuring out the -l, -I and
-L flags - and fall back to -lssl -lcrypto if pkg-config fails for some
reason:

  if test $ap_ssltk_type = openssl; then
if test x$ap_ssltk_base != x -a \
-f ${ap_ssltk_base}/lib/pkgconfig/openssl.pc; then
  dnl Ensure that the given path is used by pkg-config too, otherwise
  dnl the system openssl.pc might be picked up instead.
  
PKG_CONFIG_PATH=${ap_ssltk_base}/lib/pkgconfig${PKG_CONFIG_PATH+:}${PKG_CONFIG_PATH}
  export PKG_CONFIG_PATH
fi
if test -n $PKGCONFIG; then
  ap_ssltk_libs=`$PKGCONFIG --libs-only-l openssl`
  if test $? -eq 0; then
pkglookup=`$PKGCONFIG --cflags-only-I openssl`
APR_ADDTO(CPPFLAGS, [$pkglookup])
APR_ADDTO(INCLUDES, [$pkglookup])
pkglookup=`$PKGCONFIG --libs-only-L --libs-only-other openssl`
APR_ADDTO(LDFLAGS, [$pkglookup])
  else
ap_ssltk_libs=-lssl -lcrypto `$apr_config --libs`
  fi
else
  ap_ssltk_libs=-lssl -lcrypto `$apr_config --libs`
fi
  fi

 However, the packaging proceeds fine.

It's kind of expected behavior, yes. Replacing

  ap_ssltk_libs=`$PKGCONFIG --libs-only-l openssl`

by

  ap_ssltk_libs=`$PKGCONFIG --libs-only-l openssl 2/dev/null`

would suppress the (perhaps confusing) message.

Kaspar

Re: how to avoid balancer manager nonce?

2012-09-01 Thread Jim Jagielski 
Another alternative would be to have the nonce also possibly
set at config-time and, if unset, then use the uuid. That way
it could also be used as a sort of shared-secret ;)

ProxySet nonce=applepie!

Longer term, I think that's a more strategic solution.

On Aug 31, 2012, at 2:14 PM, Stefan Fritsch s...@sfritsch.de wrote:

 On Friday 31 August 2012, Eric Covener wrote:
 I'm fighting a problem on new releases of AIX where in some
 environments, /dev/random seems to run out of entropy way too
 quick.
 
 I'd like a way to suppress the apr_uuid_get-
 apr_generate_random_bytes() in mod_proxy_balancer used for the
 balancer-manager nonce in affected environments.
 
 I was thinking a global BalancerManager off could be used for
 this and would also have the upside of fixing the SetHandler
 htaccess problem.
 
 Alternatives would be to find a weaker source for the nonce, or
 allow tto opt out / use a hard-coded one.
 
 Any suggestions?
 
 For 2.4, you could use ap_random_insecure_bytes(). It should be good 
 enough for a nonce.
 
 If you add a BalancerManager off, it should be per directory, or at 
 least per vhost. Otherwise it would not help that much with the 
 SetHandler htaccess problem.

Re: how to avoid balancer manager nonce?

2012-09-01 Thread Ben Laurie 
On Sat, Sep 1, 2012 at 4:47 PM, Jim Jagielski j...@jagunet.com wrote:
 Another alternative would be to have the nonce also possibly
 set at config-time and, if unset, then use the uuid. That way
 it could also be used as a sort of shared-secret ;)

 ProxySet nonce=applepie!

 Longer term, I think that's a more strategic solution.

What? Nonces are one-time use only, by definition.

Better, IMO, would be to either use insecure random, or, better still,
seed a PRNG from secure random once and use that from then on (for all
randomness).

Or switch to FreeBSD where /dev/random does not block :-)

 On Aug 31, 2012, at 2:14 PM, Stefan Fritsch s...@sfritsch.de wrote:

 On Friday 31 August 2012, Eric Covener wrote:
 I'm fighting a problem on new releases of AIX where in some
 environments, /dev/random seems to run out of entropy way too
 quick.

 I'd like a way to suppress the apr_uuid_get-
 apr_generate_random_bytes() in mod_proxy_balancer used for the
 balancer-manager nonce in affected environments.

 I was thinking a global BalancerManager off could be used for
 this and would also have the upside of fixing the SetHandler
 htaccess problem.

 Alternatives would be to find a weaker source for the nonce, or
 allow tto opt out / use a hard-coded one.

 Any suggestions?

 For 2.4, you could use ap_random_insecure_bytes(). It should be good
 enough for a nonce.

 If you add a BalancerManager off, it should be per directory, or at
 least per vhost. Otherwise it would not help that much with the
 SetHandler htaccess problem.

Re: how to avoid balancer manager nonce?

2012-09-01 Thread Jim Jagielski 

On Sep 1, 2012, at 12:39 PM, Ben Laurie b...@links.org wrote:

 On Sat, Sep 1, 2012 at 4:47 PM, Jim Jagielski j...@jagunet.com wrote:
 Another alternative would be to have the nonce also possibly
 set at config-time and, if unset, then use the uuid. That way
 it could also be used as a sort of shared-secret ;)
 
ProxySet nonce=applepie!
 
 Longer term, I think that's a more strategic solution.
 
 What? Nonces are one-time use only, by definition.
 

Then we change the name from nonce to something else... Preventing
or arguing against a solid, reliable fix and enhancement because
it's called something is pretty bogus.

Or the other thing, other than renaming it, is to not be so
pedantic... after all, how long did we have 'MaxRequestsPerChild'? ;)

 Better, IMO, would be to either use insecure random, or, better still,
 seed a PRNG from secure random once and use that from then on (for all
 randomness).
 
 Or switch to FreeBSD where /dev/random does not block :-)
 
 On Aug 31, 2012, at 2:14 PM, Stefan Fritsch s...@sfritsch.de wrote:
 
 On Friday 31 August 2012, Eric Covener wrote:
 I'm fighting a problem on new releases of AIX where in some
 environments, /dev/random seems to run out of entropy way too
 quick.
 
 I'd like a way to suppress the apr_uuid_get-
 apr_generate_random_bytes() in mod_proxy_balancer used for the
 balancer-manager nonce in affected environments.
 
 I was thinking a global BalancerManager off could be used for
 this and would also have the upside of fixing the SetHandler
 htaccess problem.
 
 Alternatives would be to find a weaker source for the nonce, or
 allow tto opt out / use a hard-coded one.
 
 Any suggestions?
 
 For 2.4, you could use ap_random_insecure_bytes(). It should be good
 enough for a nonce.
 
 If you add a BalancerManager off, it should be per directory, or at
 least per vhost. Otherwise it would not help that much with the
 SetHandler htaccess problem.

Re: how to avoid balancer manager nonce?

2012-09-01 Thread Ben Laurie 
On Sat, Sep 1, 2012 at 8:13 PM, Jim Jagielski j...@jagunet.com wrote:

 On Sep 1, 2012, at 12:39 PM, Ben Laurie b...@links.org wrote:

 On Sat, Sep 1, 2012 at 4:47 PM, Jim Jagielski j...@jagunet.com wrote:
 Another alternative would be to have the nonce also possibly
 set at config-time and, if unset, then use the uuid. That way
 it could also be used as a sort of shared-secret ;)

ProxySet nonce=applepie!

 Longer term, I think that's a more strategic solution.

 What? Nonces are one-time use only, by definition.


 Then we change the name from nonce to something else... Preventing
 or arguing against a solid, reliable fix and enhancement because
 it's called something is pretty bogus.

Sure, if its not a nonce, fine by me. Is it not a nonce? What is its purpose?

 Or the other thing, other than renaming it, is to not be so
 pedantic... after all, how long did we have 'MaxRequestsPerChild'? ;)

Whatever. The core problem is that /dev/random blocks, and we've
already seen that working around this leads to problems.


 Better, IMO, would be to either use insecure random, or, better still,
 seed a PRNG from secure random once and use that from then on (for all
 randomness).

 Or switch to FreeBSD where /dev/random does not block :-)

 On Aug 31, 2012, at 2:14 PM, Stefan Fritsch s...@sfritsch.de wrote:

 On Friday 31 August 2012, Eric Covener wrote:
 I'm fighting a problem on new releases of AIX where in some
 environments, /dev/random seems to run out of entropy way too
 quick.

 I'd like a way to suppress the apr_uuid_get-
 apr_generate_random_bytes() in mod_proxy_balancer used for the
 balancer-manager nonce in affected environments.

 I was thinking a global BalancerManager off could be used for
 this and would also have the upside of fixing the SetHandler
 htaccess problem.

 Alternatives would be to find a weaker source for the nonce, or
 allow tto opt out / use a hard-coded one.

 Any suggestions?

 For 2.4, you could use ap_random_insecure_bytes(). It should be good
 enough for a nonce.

 If you add a BalancerManager off, it should be per directory, or at
 least per vhost. Otherwise it would not help that much with the
 SetHandler htaccess problem.