scorebord permissions
Hello, I have an issue where, apache is, when using graceful reload, setting perms for domains as root -rw--- 1 root root 44 Sep 1 05:59 somedomain yet if I delete this and either click on URL, or, stop apache and cleanly start apache it is recreated cleanly as: -rw--- 1 apache apache 44 Sep 1 06:00 somedomain stop/start/reload are all called from the same sh file. This behaviour also exists when using apachectl directly Is this a bug?
mod_ssl and pkg-config on AIX (Re: [Vote] httpd 2.2.23 release)
On 27.08.2012 15:42, Michael Felt wrote: FYI: I get an error message from configure that I do not understand. + ./configure --enable-layout=AIX --with-apr=/opt/bin/apr-1-config --with-apr-util=/opt/bin/apu-1-config --with-mpm=worker --enable-ssl --enable-mods-shared=all build/aix/configure.out Package openssl was not found in the pkg-config search path. Perhaps you should add the directory containing `openssl.pc' to the PKG_CONFIG_PATH environment variable No package 'openssl' found Does AIX come with a bundled version of OpenSSL (under /usr or similar)? How does the configure output look like after the checking whether to enable mod_ssl... line (up to checking whether to enable mod_optional_hook_export...)? With 2.2.x, configure will try pkg-config for figuring out the -l, -I and -L flags - and fall back to -lssl -lcrypto if pkg-config fails for some reason: if test $ap_ssltk_type = openssl; then if test x$ap_ssltk_base != x -a \ -f ${ap_ssltk_base}/lib/pkgconfig/openssl.pc; then dnl Ensure that the given path is used by pkg-config too, otherwise dnl the system openssl.pc might be picked up instead. PKG_CONFIG_PATH=${ap_ssltk_base}/lib/pkgconfig${PKG_CONFIG_PATH+:}${PKG_CONFIG_PATH} export PKG_CONFIG_PATH fi if test -n $PKGCONFIG; then ap_ssltk_libs=`$PKGCONFIG --libs-only-l openssl` if test $? -eq 0; then pkglookup=`$PKGCONFIG --cflags-only-I openssl` APR_ADDTO(CPPFLAGS, [$pkglookup]) APR_ADDTO(INCLUDES, [$pkglookup]) pkglookup=`$PKGCONFIG --libs-only-L --libs-only-other openssl` APR_ADDTO(LDFLAGS, [$pkglookup]) else ap_ssltk_libs=-lssl -lcrypto `$apr_config --libs` fi else ap_ssltk_libs=-lssl -lcrypto `$apr_config --libs` fi fi However, the packaging proceeds fine. It's kind of expected behavior, yes. Replacing ap_ssltk_libs=`$PKGCONFIG --libs-only-l openssl` by ap_ssltk_libs=`$PKGCONFIG --libs-only-l openssl 2/dev/null` would suppress the (perhaps confusing) message. Kaspar
Re: how to avoid balancer manager nonce?
Another alternative would be to have the nonce also possibly set at config-time and, if unset, then use the uuid. That way it could also be used as a sort of shared-secret ;) ProxySet nonce=applepie! Longer term, I think that's a more strategic solution. On Aug 31, 2012, at 2:14 PM, Stefan Fritsch s...@sfritsch.de wrote: On Friday 31 August 2012, Eric Covener wrote: I'm fighting a problem on new releases of AIX where in some environments, /dev/random seems to run out of entropy way too quick. I'd like a way to suppress the apr_uuid_get- apr_generate_random_bytes() in mod_proxy_balancer used for the balancer-manager nonce in affected environments. I was thinking a global BalancerManager off could be used for this and would also have the upside of fixing the SetHandler htaccess problem. Alternatives would be to find a weaker source for the nonce, or allow tto opt out / use a hard-coded one. Any suggestions? For 2.4, you could use ap_random_insecure_bytes(). It should be good enough for a nonce. If you add a BalancerManager off, it should be per directory, or at least per vhost. Otherwise it would not help that much with the SetHandler htaccess problem.
Re: how to avoid balancer manager nonce?
On Sat, Sep 1, 2012 at 4:47 PM, Jim Jagielski j...@jagunet.com wrote: Another alternative would be to have the nonce also possibly set at config-time and, if unset, then use the uuid. That way it could also be used as a sort of shared-secret ;) ProxySet nonce=applepie! Longer term, I think that's a more strategic solution. What? Nonces are one-time use only, by definition. Better, IMO, would be to either use insecure random, or, better still, seed a PRNG from secure random once and use that from then on (for all randomness). Or switch to FreeBSD where /dev/random does not block :-) On Aug 31, 2012, at 2:14 PM, Stefan Fritsch s...@sfritsch.de wrote: On Friday 31 August 2012, Eric Covener wrote: I'm fighting a problem on new releases of AIX where in some environments, /dev/random seems to run out of entropy way too quick. I'd like a way to suppress the apr_uuid_get- apr_generate_random_bytes() in mod_proxy_balancer used for the balancer-manager nonce in affected environments. I was thinking a global BalancerManager off could be used for this and would also have the upside of fixing the SetHandler htaccess problem. Alternatives would be to find a weaker source for the nonce, or allow tto opt out / use a hard-coded one. Any suggestions? For 2.4, you could use ap_random_insecure_bytes(). It should be good enough for a nonce. If you add a BalancerManager off, it should be per directory, or at least per vhost. Otherwise it would not help that much with the SetHandler htaccess problem.
Re: how to avoid balancer manager nonce?
On Sep 1, 2012, at 12:39 PM, Ben Laurie b...@links.org wrote: On Sat, Sep 1, 2012 at 4:47 PM, Jim Jagielski j...@jagunet.com wrote: Another alternative would be to have the nonce also possibly set at config-time and, if unset, then use the uuid. That way it could also be used as a sort of shared-secret ;) ProxySet nonce=applepie! Longer term, I think that's a more strategic solution. What? Nonces are one-time use only, by definition. Then we change the name from nonce to something else... Preventing or arguing against a solid, reliable fix and enhancement because it's called something is pretty bogus. Or the other thing, other than renaming it, is to not be so pedantic... after all, how long did we have 'MaxRequestsPerChild'? ;) Better, IMO, would be to either use insecure random, or, better still, seed a PRNG from secure random once and use that from then on (for all randomness). Or switch to FreeBSD where /dev/random does not block :-) On Aug 31, 2012, at 2:14 PM, Stefan Fritsch s...@sfritsch.de wrote: On Friday 31 August 2012, Eric Covener wrote: I'm fighting a problem on new releases of AIX where in some environments, /dev/random seems to run out of entropy way too quick. I'd like a way to suppress the apr_uuid_get- apr_generate_random_bytes() in mod_proxy_balancer used for the balancer-manager nonce in affected environments. I was thinking a global BalancerManager off could be used for this and would also have the upside of fixing the SetHandler htaccess problem. Alternatives would be to find a weaker source for the nonce, or allow tto opt out / use a hard-coded one. Any suggestions? For 2.4, you could use ap_random_insecure_bytes(). It should be good enough for a nonce. If you add a BalancerManager off, it should be per directory, or at least per vhost. Otherwise it would not help that much with the SetHandler htaccess problem.
Re: how to avoid balancer manager nonce?
On Sat, Sep 1, 2012 at 8:13 PM, Jim Jagielski j...@jagunet.com wrote: On Sep 1, 2012, at 12:39 PM, Ben Laurie b...@links.org wrote: On Sat, Sep 1, 2012 at 4:47 PM, Jim Jagielski j...@jagunet.com wrote: Another alternative would be to have the nonce also possibly set at config-time and, if unset, then use the uuid. That way it could also be used as a sort of shared-secret ;) ProxySet nonce=applepie! Longer term, I think that's a more strategic solution. What? Nonces are one-time use only, by definition. Then we change the name from nonce to something else... Preventing or arguing against a solid, reliable fix and enhancement because it's called something is pretty bogus. Sure, if its not a nonce, fine by me. Is it not a nonce? What is its purpose? Or the other thing, other than renaming it, is to not be so pedantic... after all, how long did we have 'MaxRequestsPerChild'? ;) Whatever. The core problem is that /dev/random blocks, and we've already seen that working around this leads to problems. Better, IMO, would be to either use insecure random, or, better still, seed a PRNG from secure random once and use that from then on (for all randomness). Or switch to FreeBSD where /dev/random does not block :-) On Aug 31, 2012, at 2:14 PM, Stefan Fritsch s...@sfritsch.de wrote: On Friday 31 August 2012, Eric Covener wrote: I'm fighting a problem on new releases of AIX where in some environments, /dev/random seems to run out of entropy way too quick. I'd like a way to suppress the apr_uuid_get- apr_generate_random_bytes() in mod_proxy_balancer used for the balancer-manager nonce in affected environments. I was thinking a global BalancerManager off could be used for this and would also have the upside of fixing the SetHandler htaccess problem. Alternatives would be to find a weaker source for the nonce, or allow tto opt out / use a hard-coded one. Any suggestions? For 2.4, you could use ap_random_insecure_bytes(). It should be good enough for a nonce. If you add a BalancerManager off, it should be per directory, or at least per vhost. Otherwise it would not help that much with the SetHandler htaccess problem.