On Thu, Jan 09, 2014 at 09:52:57AM -0500, Jim Jagielski wrote:
Undefined means that the specification does not define
what happens, and that people cannot expect anything,
since what happens is implementation dependent.
As an example: Undefined means it could crash. Or, as the saying goes, the
On Thu, Jan 09, 2014 at 10:06:46AM -0500, Jim Jagielski wrote:
sweet sassy molassy... what if the implementation defines that
behavior as spawning small gnomes? Then it's OK? That
would be defined and implementation-defined, but so what?
No, it needs to output an integer (without crashing or
On Wed, Jul 10, 2013 at 03:07:56PM -0400, Jeff Trawick wrote:
I guess it seems to work in the earlier e-mail is the validation that the
API is sufficient for MPM-ITK.
Hi,
I see that 2.4.6 has been released, with no mention of open_htaccess in the
source code. Was this reverted after 2.4.5? Or
On Tue, Jul 09, 2013 at 08:53:03AM -0400, Jeff Trawick wrote:
Do you have time to test with this patch on top of 2.4.x and report back?
http://people.apache.org/~sf/open_htaccess_hook.patch
Hi,
I've tried this, adjusted mpm-itk, and it seems to work. Why do I need to
return AP_DECLINED and
On Tue, Jul 09, 2013 at 08:38:50AM -0400, Jeff Trawick wrote:
++0.5: jj: I would prefer if this sat in trunk for a few months first
OT and maybe a dumb question, but if something got two +1's and two
+0.5's, would it be considered approved or not?
Perhaps the ITK guy could test the
On Sun, Jun 09, 2013 at 11:57:54AM +0200, Stefan Fritsch wrote:
Wouldn't a hook for opening the htaccess file make more sense because
it would have more possible use cases? Then modules could use this
hook to find htaccess files somewhere else, generate/extend/filter
them on the fly, etc.
On Wed, May 22, 2013 at 02:20:03PM -0400, Jim Jagielski wrote:
It would be nice, imo, to start thinking about a 2.4.5
release Real Soon Now. We have lots of stuff added and
fixed in 2.4.5-dev and even more fun stuff in STATUS.
Let me again ask for backports of r1368121, r1388447 and r1389339
On Tue, May 28, 2013 at 04:14:55PM +0200, Graham Leggett wrote:
Let me again ask for backports of r1368121, r1388447 and r1389339
from trunk; they are required to build mpm-itk without patching Apache.
Proposed.
Thanks!
/* Steinar */
--
Homepage: http://www.sesse.net/
On Tue, Apr 30, 2013 at 08:54:47PM +0200, Lazy wrote:
mod_security + simple scripts + ipset + iptables TARPIT in the raw table
this way you would be able to block efficiently a very large number of
IP numbers, using
TARPIT will take care of the
delaying new bot connections at minimal cost
Hi,
I pushed mpm-itk through Coverity Scan, and since it is built together with
Apache (well, the 2.2.x series are), I happened to get some warnings for
httpd itself. I was a bit surprised, since httpd is listed as a registered
project, so surely the dev team must already know about these. Some
On Wed, Jan 02, 2013 at 03:00:50PM -0500, Jim Jagielski wrote:
I am working the balancer persist and balancer inheritance
backport patches and will be adding to 2.4's STATUS file,
at which point I'll then be pushing for a TR ;)
Do you know if there is any activity to backport the three
On Sun, Nov 11, 2012 at 08:25:08AM -0500, Jeff Trawick wrote:
I'll have a look again soon.
Like my “soon”s, this :-)
Earlier I couldn't think of a more efficient or direct mechanism that makes
sense as an API
I guess it depends on how mpm-itk specific you want it to be. One could maybe
have
On Mon, Sep 24, 2012 at 08:44:21AM -0400, Jeff Trawick wrote:
I went ahead and committed this to trunk as r1389339. Hopefully this
completes the ability to enable mpm-itk without patches to httpd core.
I've looked at this now; sorry for the long delay. It would seem it is not
sufficient for
On Thu, Nov 08, 2012 at 08:51:50PM +0100, Steinar H. Gunderson wrote:
I've looked at this now; sorry for the long delay. It would seem it is not
sufficient for removing the patches from server/config.c (which exit if
.htaccess files cannot be opened); or am I misunderstanding something?
Sorry
On Thu, Nov 08, 2012 at 08:53:12PM +0100, Steinar H. Gunderson wrote:
I've looked at this now; sorry for the long delay. It would seem it is not
sufficient for removing the patches from server/config.c (which exit if
.htaccess files cannot be opened); or am I misunderstanding something?
Sorry
On Mon, Sep 24, 2012 at 08:44:21AM -0400, Jeff Trawick wrote:
Attached is a patch that adds a hook called just before htaccess is
opened. See if you can use that to resolve the remaining issue.
I went ahead and committed this to trunk as r1389339. Hopefully this
completes the ability to
On Wed, Aug 01, 2012 at 01:58:16PM -0400, Jeff Trawick wrote:
Your post-perdir-config patch has been committed to trunk with r1368121.
Thanks!
Attached is a patch to trunk that allows you to hook in to the stat
calls from directory walk. Call apr_stat() like core_dirwalk_stat()
but check
On Sun, Aug 05, 2012 at 11:05:59AM -0400, Jeff Trawick wrote:
Great! I'll do something about the remaining patch before long.
When the time comes, do we have any hopes of getting this back from trunk to
2.4, or would it need to wait for 2.6/3.0?
FWIW, the mpm-itk security hardening that was
On Sun, Jul 22, 2012 at 09:57:18PM +0200, Stefan Fritsch wrote:
And if it gets secured to where a code execution exploit does not grant
full root rights, I would probably be in favor of including it with httpd.
I took a look using seccomp for this, and it would seem it is actually
rather hard;
On Sun, Jul 22, 2012 at 09:57:18PM +0200, Stefan Fritsch wrote:
One reason may be that (at least in theory), mod_privileges is more
secure: Under Solaris you cannot get uid 0 unless you already have all
privileges, so an exploited httpd with mod_privileges does not give
you root. Under Linux
On Thu, Jul 19, 2012 at 05:26:23PM +0100, Nick Kew wrote:
Does it run per-dir config as root?
Yes, although it has very limited root rights; it can setuid and it can
read arbitrary files and directories, but it cannot e.g. load kernel modules
or write to arbitrary files.
How does it protect
On Thu, Jul 19, 2012 at 06:54:56PM +0100, Tim Bannister wrote:
I think there's a case for leaving itk separate, a bit like mod_fcgid. It
is a bit unusual and troubleshooting won't be straightforward.
Why would you keep mpm-itk separate but mod_privileges not?
/* Steinar */
--
Homepage:
On Fri, Jul 20, 2012 at 01:48:33PM -0400, Jeff Trawick wrote:
Why would you keep mpm-itk separate but mod_privileges not?
IMO it is not a very relevant question given the big picture:
* Most modules written for httpd are not bundled with the server or
otherwise hosted/developed at the ASF.
On Thu, Jul 19, 2012 at 05:26:23PM +0100, Nick Kew wrote:
How does it protect against such potential attacks as running an
external program as root through a RewriteMap running earlier
than the directory walk?
By the way, I actually tried this under prefork. I compiled httpd-2.4.2
with prefork
Hi,
I've asked previously on this list about inclusion of mpm-itk
(http://mpm-itk.sesse.net/) into upstream Apache; previously, the requests
have died down, mostly over discussions on security (mpm-itk does
configuration and request parsing as uid 0, although with very limited
capabilities) and
On Thu, Jul 19, 2012 at 11:27:04AM -0400, Jeff Trawick wrote:
What changes are needed to httpd trunk so that you can build mpm-itk
with apxs and enable it via LoadModule, such that mpm-itk is fully
functional? As I'm sure you're aware, prefork, worker, and event are
all untied from core
On Mon, Jun 25, 2007 at 02:36:41PM +1000, Graham Dumpleton wrote:
What specific applications are you running that require things to be
run as a distinct user? Are these applications implemented directly in
C as custom Apache modules, or are you writing stuff in other
languages, ie., such as
On Mon, Jun 25, 2007 at 08:08:03PM +1000, Graham Dumpleton wrote:
Or you can use PHP under fastcgi. With fastcgi the code would run in a
separate process and you could have any number of processes
corresponding to whatever virtual hosts you have. Because it is a
separate process it can run
On Mon, Jun 25, 2007 at 09:20:45AM +0100, Nick Kew wrote:
- mpm-itk is in production use at several sites -- for instance,
Isn't that also true of metux?
I don't know. Can you point me to any sites? Does Metux even support SSL yet?
That looks like a serious problem to me.
First there's
On Mon, Jun 25, 2007 at 08:47:03PM +1000, Graham Dumpleton wrote:
Yes, it is obviously an alternative, but FastCGI has its own sets of
quirks, and PHP under CGI too (as far as I know; I'm no PHP user).
Quirks such as? Am not asking to dispute that there aren't any, just
asking out of ignorance
On Mon, Jun 25, 2007 at 11:06:11AM -0500, William A. Rowe, Jr. wrote:
That said, have you considered a design where there are separate pools
of processes per-user, and these would be dispatched after the headers
are processed to the appropriate child?
Yes, I have considered it briefly, and
On Mon, Jun 25, 2007 at 12:13:31PM -0700, Sander Temme wrote:
How would that work for multiple requests on keptalive connections?
Wouldn't that allow me to send a sequence like
GET /yourpage HTTP/1.1
Host: yourhost.com
Connection: Keep-Alive
...
which would be dispatched to run as
[Please Cc me on any replies, I'm not subscribed to the list]
Hi,
I'd like to request the inclusion of the ITK MPM (mpm-itk) as an official MPM
in the Apache tree, for Apache 2.4/3.0. mpm-itk is basically a modified
prefork allowing each vhost to run as a different uid/gid, ie. sort of like
what