Hello community,
here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2015-05-28 09:48:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2 (Old)
and /work/SRC/openSUSE:Factory/.apache2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2"
Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2015-05-16 20:07:24.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes 2015-05-28 09:48:36.000000000 +0200
@@ -1,0 +2,10 @@
+Mon May 25 10:27:13 UTC 2015 - pgajdos@suse.com
+
+- access_compat now built as shared and disabled by default
+- amend config to use also old syntax when access_compat is
+ loaded
+- added apache2-README-access_compat.txt
+- added apache-find-directive script
+- see [bnc#896083] and its duplicates
+
+-------------------------------------------------------------------
New:
----
apache-find-directives
apache2-README-access_compat.txt
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2.spec ++++++
--- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200
+++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200
@@ -45,7 +45,7 @@
%define httpdgroup www
%if 0%{?suse_version} >= 1220
%define runtimedir /run
-%define mods_static access_compat unixd systemd
+%define mods_static unixd systemd
%else
%define runtimedir %{_localstatedir}/run
%define mods_static access_compat unixd
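Review bot: The `%else` branch still lists `access_compat` in `mods_static`, while the three `%files` hunks further down add `mod_access_compat.so` for prefork, worker and event without any visible condition. Unless those entries sit inside an `%if` outside the hunks, a build for suse_version < 1220 would compile the module in statically, produce no shared object, and fail in `%files`. It would also leave the 2.2 access scheme permanently active on those builds, contrary to the "disabled by default" changelog entry. Consider `%define mods_static unixd` in the `%else` branch as well, or guard the three `%files` lines with `%if 0%{?suse_version} >= 1220`.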
@@ -70,6 +70,7 @@
Source23: apache2-README.QUICKSTART
Source24: apache2-README.default-vhost
Source25: gensslcert
+Source26: apache2-README-access_compat.txt
Source27: %{name}.logrotate
Source28: permissions.%{name}
Source29: apache-ssl-stuff.tar.bz2
@@ -110,6 +111,7 @@
Source142: start_apache2
Source143: apache2-systemd-ask-pass
Source144: apache2.service
+Source145: apache-find-directives
Patch2: httpd-2.1.3alpha-layout.dif
Patch23: httpd-2.4.10-apachectl.patch
#Patch65: httpd-2.0.49-log_server_status.dif
@@ -319,6 +321,8 @@
cp %{SOURCE23} ./${b##%{name}-}
c=$(basename %{SOURCE24})
cp %{SOURCE24} ./${c##%{name}-}
+d=$(basename %{SOURCE26})
+cp %{SOURCE26} ./${d##%{name}-}
#
# replace PLATFORM string that's seen in the "Server:" header
@@ -516,6 +520,7 @@
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 $RPM_SOURCE_DIR/%{name}.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
install -m 755 $RPM_SOURCE_DIR/apache2-check_forensic %{buildroot}/%{_bindir}/check_forensic%{vers}
+install -m 755 $RPM_SOURCE_DIR/apache-find-directives %{buildroot}/%{_bindir}
#
# xml stuff
install -d %{buildroot}%{_datadir}/omc/svcinfo.d/
@@ -811,6 +816,7 @@
%{_sbindir}/%{httpd}-prefork
%dir %{_libdir}/%{name}-prefork
# hardcoded list so we do not lose mods by accident
+%{_libdir}/%{name}-prefork/mod_access_compat.so
%{_libdir}/%{name}-prefork/mod_actions.so
%{_libdir}/%{name}-prefork/mod_alias.so
%{_libdir}/%{name}-prefork/mod_allowmethods.so
@@ -929,6 +935,7 @@
%{_sbindir}/%{httpd}-worker
%dir %{_libdir}/%{name}-worker
# hardcoded list so we do not lose mods by accident
+%{_libdir}/%{name}-worker/mod_access_compat.so
%{_libdir}/%{name}-worker/mod_actions.so
%{_libdir}/%{name}-worker/mod_alias.so
%{_libdir}/%{name}-worker/mod_allowmethods.so
@@ -1047,6 +1054,7 @@
%{_sbindir}/%{httpd}-event
%dir %{_libdir}/%{name}-event
# hardcoded list so we do not lose mods by accident
+%{_libdir}/%{name}-event/mod_access_compat.so
%{_libdir}/%{name}-event/mod_actions.so
%{_libdir}/%{name}-event/mod_alias.so
%{_libdir}/%{name}-event/mod_allowmethods.so
@@ -1195,6 +1203,7 @@
%{_mandir}/man8/fcgistarter2.8.*
%{_bindir}/check_forensic%{vers}
%{_bindir}/dbmmanage%{vers}
+%{_bindir}/apache-find-directives
%{_bindir}/gensslcert
%{_bindir}/htdbm%{vers}
%{_bindir}/htdigest%{vers}
++++++ apache-find-directives ++++++
#!/bin/bash
# Overall result of the run, used as the exit status at the end of the script:
# it stays 1 (nothing found) unless find_directives_in_file records a match
# and sets it to 0.
exit_code=1
#######################################
# Print the help text for this script.
# Globals:   system_conf_root, check_directives, htaccess_names (read; shown
#            as the defaults in the option list)
# Arguments: none
# Outputs:   the usage text on stdout, one string per line
#######################################
usage() {
  printf '%s\n' \
    "Check for directives in apache configuration (including" \
    "potentially reachable .htaccess files)" \
    "" \
    "Usage: $0 [options]" \
    "" \
    " options: " \
    " -s string system configuration root" \
    " [default: $system_conf_root]" \
    " -d string directives to search" \
    " [default: $check_directives]" \
    " -n string htaccess file name(s)" \
    " [default: $htaccess_names]" \
    " -q do not print where directive(s) was found" \
    " -v as -v plus trace and matched lines" \
    " -h this help" \
    "" \
    "Return Value: 0 at least one occurence found in apache config" \
    " 1 no occurence found" \
    " 2 wrong arguments" \
    "" \
    "Example: " \
    " $ $0 -s '/etc/apache2/default-server.conf' -n '.htaccess .htconfig' -d 'Require' -v" \
    " Checking /etc/apache2/default-server.conf .. FOUND" \
    " Checking /srv/www/htdocs/foo/.htaccess .. FOUND" \
    " Checking /etc/apache2/conf.d/gitweb.conf .. FOUND" \
    " $"
}
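#######################################
# Search one configuration file for any of the directives named in
# check_directives. Everything from a '#' to the end of a line is dropped
# before matching; the match is case-insensitive and on whole words.
# Globals:   check_directives (read)    whitespace-separated directive names
#            verbosity        (read)    hits are printed at >= 1, matched
#                                       lines and misses at >= 2
#            exit_code        (written) set to 0 when the file matches
#            file, pattern, output (written; kept global as before)
# Arguments: $1 - path of the file to scan
# Outputs:   progress lines on stdout, depending on verbosity
#######################################
function find_directives_in_file
{
  file=$1
  # "Order Allow" -> "\bOrder\b\|\bAllow\b". $check_directives is left
  # unquoted on purpose: word splitting trims and collapses the whitespace, so
  # the second sed never produces an empty alternative, which would match
  # every line.
  pattern=$(echo $check_directives |
    sed 's:\([^ \t]\+\):\\b\1\\b:g' |
    sed 's:\s\+:\\|:g')
  # The path is quoted and passed after "--". Unquoted, a path containing
  # whitespace or glob characters was split into other names, the real file
  # was never read, and this audit reported "not found" for a file that may
  # well contain the directive.
  if output=$(sed 's:#.*::' -- "$file" | grep -i -- "$pattern"); then
    if [ "$verbosity" -ge 1 ]; then
      echo " Checking $file .. FOUND"
    fi
    if [ "$verbosity" -ge 2 ]; then
      echo " Output: [$output]"
    fi
    exit_code=0
  else
    if [ "$verbosity" -ge 2 ]; then
      echo " Checking $file .. NOT FOUND"
    fi
  fi
}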
# Check one configuration file: run find_directives_in_file on it and then,
# per the comment further down, look for .htaccess files in the directories
# whose AllowOverride is not None.
# Globals read: verbosity, htaccess_names.
# Globals written: conf_file, directories, find_names, dir, allow_override.
# NOTE(review): this listing is damaged from the directories assignment
# onwards. Text has been dropped, so the rest of this function and the start
# of the option-parsing loop are not visible here. Only the visible
# statements are described.
function check_conf_file
{
conf_file=$1
[ $verbosity -ge 2 ] && echo "CONFIG FILE: $conf_file"
# NOTE(review): conf_file is expanded unquoted, so a path containing
# whitespace or glob characters is split before it reaches the helper.
find_directives_in_file $conf_file
# check all directories with AllowOverride not None
# for .htaccess files
directories=$(grep -i ':\1:I' |
tr -d '"')
# Turn the whitespace-separated names in htaccess_names into the form
# -name A -o -name B. Presumably these become find(1) arguments in the part
# of the loop that is not visible here -- TODO confirm against the original.
find_names=$(echo $htaccess_names |
sed 's:^\s\+::' |
sed 's:\s\+$::' |
sed 's:\s\+: -o -name :g' |
sed 's:^:-name :')
# The directory list is split on whitespace here, one loop pass per word.
for dir in $directories; do
[ $verbosity -ge 2 ] && echo " Directory: $dir"
allow_override=$(grep -i -Pzo "(?s)&2
usage
exit 2
;;
:)
echo "ERROR: Option -$OPTARG requires an argument." >&2
usage
exit 2
;;
esac
done
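# Scan starting at the configuration root, then report the result through the
# exit status (0 = at least one occurrence, 1 = none, per the usage text).
# Both expansions are quoted so that a root path containing whitespace or glob
# characters reaches check_conf_file as a single argument.
check_conf_file "$system_conf_root"
exit "$exit_code"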
++++++ apache2-README-access_compat.txt ++++++
Dear System Administrator,
with apache 2.4, some changes have been introduced that affect apache's
access control scheme.
With apache 2.2, the directives "Allow", "Deny" and "Order" determined
whether access to a resource was granted.
Example (from /etc/apache2/httpd.conf, the main apache configuration file):
<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>
With 2.4, these directives have been replaced by the "Require" directive,
which is contained in the mod_authz_core module, and enhanced by the
mod_authz_host module.
"Require" understands several regulative groups, such as
env access granted if an apache environment variable is set
method access granted only for given HTTP methods (GET, POST, ...)
expr access granted if the expression following expr evaluates to true
user access granted if the named users can access the resource
group analogous to user for groups
valid-user access granted if a valid user requests it
ip access granted if the client's IP address matches
all granted unconditionally accepted/granted
all denied unconditionally denied access
Consequently, the set of 2.2 directives
Order deny,allow
Deny from all
can be translated to the apache 2.4 Require directive
Require all denied
The SUSE Linux Enterprise 12 package set for apache comes with a compatibility
module called mod_access_compat, which, if loaded, causes apache to understand
the 2.2 "Allow/Deny" directives. Unfortunately, mixing the 2.2 "Allow/Deny"
directives with the 2.4 "Require" directive leads to unexpected or
inconclusive results. Consequently, one should decide whether the 2.2 or the
2.4 access control scheme shall be used.
Fortunately, it is easy to switch from the new back to the old scheme:
a2enmod access_compat
will enable the 2.2 scheme,
a2enmod -d access_compat
will disable the old scheme again, thereby enabling the new scheme.
Of course, an apache restart is needed:
systemctl restart apache2
The SUSE apache configuration framework can work with both the new and the
old scheme, depending on whether the access_compat apache module is loaded.
Additional pointers about the access controls new in apache 2.4 and about
the access_compat module can be found here:
http://httpd.apache.org/docs/current/mod/mod_authz_core.html
http://httpd.apache.org/docs/current/mod/mod_authz_host.html
http://httpd.apache.org/docs/current/mod/mod_access_compat.html
++++++ apache2-default-server.conf ++++++
--- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200
+++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200
@@ -25,7 +25,13 @@
# Options FileInfo AuthConfig Limit
AllowOverride None
# Controls who can get stuff from this server.
- Require all granted
+
+ Require all granted
+ </IfModule>
+ <IfModule mod_access_compat.c>
+ Order allow,deny
+ Allow from all
+ </IfModule>
</Directory>
# Aliases: aliases can be added as needed (with no limit). The format is
@@ -45,7 +51,13 @@
Options Indexes MultiViews
AllowOverride None
- Require all granted
+
+ Require all granted
+ </IfModule>
+ <IfModule mod_access_compat.c>
+ Order allow,deny
+ Allow from all
+ </IfModule>
</Directory>
# ScriptAlias: This controls which directories contain server scripts.
@@ -63,7 +75,13 @@
AllowOverride None
Options +ExecCGI -Includes
- Require all granted
+
+ Require all granted
+ </IfModule>
+ <IfModule mod_access_compat.c>
+ Order allow,deny
+ Allow from all
+ </IfModule>
</Directory>
# UserDir: The name of the directory that is appended onto a user's home
++++++ apache2-default-vhost-ssl.conf ++++++
--- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200
+++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200
@@ -198,9 +198,18 @@
#
#<limit GET POST>
# <RequireAny>
- # Require valid-user
- # Require local
- # Require host .example.com
+ #
+ # Require valid-user
+ # Require local
+ # Require host .example.com
+ # </IfModule>
+ # <IfModule mod_access_compat.c>
+ # Order Deny,Allow
+ # Deny from All
+ # Allow from 127.0.0.1
+ # Allow from .example.com
+ # Satisfy any
+ # </IfModule>
# </RequireAny>
#</limit>
</Directory>
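Review bot: In this commented example both `IfModule` branches are placed between `# <RequireAny>` and `# </RequireAny>`, so the compat branch puts `Order`/`Deny`/`Allow`/`Satisfy` inside a 2.4 authorization container. If an administrator uncomments the block with mod_access_compat loaded, the container would hold no `Require` directive at all, which I would expect httpd to reject or at least not to evaluate as intended. The compat branch also drops `Require valid-user`, so `Satisfy any` has no authentication requirement to combine with and the example no longer expresses "valid user or local host". Moving the `<RequireAny>` pair inside the first branch and adding `# Require valid-user` to the compat branch would keep the two variants equivalent.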
++++++ apache2-default-vhost.conf ++++++
--- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200
+++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200
@@ -52,7 +52,13 @@
AllowOverride None
Options +ExecCGI -Includes
- Require all granted
+
+ Require all granted
+ </IfModule>
+ <IfModule mod_access_compat.c>
+ Order allow,deny
+ Allow from all
+ </IfModule>
</Directory>
@@ -108,8 +114,14 @@
#
# Controls who can get stuff from this server.
#
- Require all granted
-
+
+ Require all granted
+ </IfModule>
+ <IfModule mod_access_compat.c>
+ Order allow,deny
+ Allow from all
+ </IfModule>
+
</Directory>
#
++++++ apache2-errors.conf ++++++
--- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200
+++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200
@@ -40,7 +40,13 @@
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
- Require all granted
+
+ Require all granted
+ </IfModule>
+ <IfModule mod_access_compat.c>
+ Order allow,deny
+ Allow from all
+ </IfModule>
LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
ForceLanguagePriority Prefer Fallback
</Directory>
++++++ apache2-httpd.conf ++++++
--- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200
+++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200
@@ -150,14 +150,26 @@
<Directory />
Options None
AllowOverride None
- Require all denied
+
+ Require all denied
+ </IfModule>
+ <IfModule mod_access_compat.c>
+ Order deny,allow
+ Deny from all
+ </IfModule>
</Directory>
# use .htaccess files for overriding,
AccessFileName .htaccess
# and never show them
- Require all denied
+
+ Require all denied
+ </IfModule>
+ <IfModule mod_access_compat.c>
+ Order allow,deny
+ Deny from all
+ </IfModule>
</Files>
# List of resources to look for when the client requests a directory
++++++ apache2-manual.conf ++++++
--- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200
+++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200
@@ -9,7 +9,13 @@
Options Indexes
AllowOverride None
- Require all granted
+
+ Require all granted
+ </IfModule>
+ <IfModule mod_access_compat.c>
+ Order allow,deny
+ Allow from all
+ </IfModule>
SetHandler type-map
++++++ apache2-mod_info.conf ++++++
--- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200
+++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200
@@ -7,7 +7,14 @@
<IfModule mod_info.c>
SetHandler server-info
- Require local
+
+ Require local
+ </IfModule>
+ <IfModule mod_access_compat.c>
+ Order deny,allow
+ Deny from all
+ Allow from localhost
+ </IfModule>
</Location>
</IfModule>
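Review bot: `Allow from localhost` in the compat branch is not equivalent to `Require local`. It is a host-name rule, so access to server-info then depends on how the client address resolves (mod_access_compat does a double DNS lookup for name-based rules) rather than on the loopback addresses themselves. The commented example in apache2-default-vhost-ssl.conf in this same commit uses an address literal, and that would be more predictable here too: `Allow from 127.0.0.1 ::1`. The identical line in the apache2-mod_status.conf hunk has the same issue.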
++++++ apache2-mod_status.conf ++++++
--- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200
+++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200
@@ -7,7 +7,14 @@
<IfModule mod_status.c>
SetHandler server-status
- Require local
+
+ Require local
+ </IfModule>
+ <IfModule mod_access_compat.c>
+ Order deny,allow
+ Deny from all
+ Allow from localhost
+ </IfModule>
</Location>
</IfModule>
++++++ apache2-mod_userdir.conf ++++++
--- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200
+++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200
@@ -31,11 +31,23 @@
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS PROPFIND>
- Require all granted
+
+ Require all granted
+ </IfModule>
+ <IfModule mod_access_compat.c>
+ Order allow,deny
+ Allow from all
+ </IfModule>
</Limit>
<LimitExcept GET POST OPTIONS PROPFIND>
- Require all denied
+
+ Require all denied
+ </IfModule>
+ <IfModule mod_access_compat.c>
+ Order deny,allow
+ Deny from all
+ </IfModule>
</LimitExcept>
</Directory>
++++++ apache2-vhost.template ++++++
--- /var/tmp/diff_new_pack.4LDgPy/_old 2015-05-28 09:48:39.000000000 +0200
+++ /var/tmp/diff_new_pack.4LDgPy/_new 2015-05-28 09:48:39.000000000 +0200
@@ -60,7 +60,13 @@
AllowOverride None
Options +ExecCGI -Includes
- Require all granted
+
+ Require all granted
+ </IfModule>
+ <IfModule mod_access_compat.c>
+ Order allow,deny
+ Allow from all
+ </IfModule>
</Directory>
@@ -115,7 +121,13 @@
#
# Controls who can get stuff from this server.
#
- Require all granted
+
+ Require all granted
+ </IfModule>
+ <IfModule mod_access_compat.c>
+ Order allow,deny
+ Allow from all
+ </IfModule>
</Directory>