From: Spil Oss
To: freebsd-apache@freebsd.org
Date: Fri, 29 Mar 2013 22:38:08 +0100
Subject: Re: Apache 2.4 in a jail with Digest auth

On Fri, Mar 29, 2013 at 9:36 PM, Spil Oss wrote:
> Hi,
>
> I'm trying to upgrade my apache configuration to 2.4 and ran into
> trouble that I haven't solved yet.
>
> [Fri Mar 29 20:53:26.867199 2013] [auth_digest:notice] [pid 88563:tid
> 679494400] AH01757: generating secret for digest authentication ...
> [Fri Mar 29 20:53:26.867531 2013] [auth_digest:error] [pid 88563:tid
> 679494400] (78)Function not implemented: AH01762: Failed to create
> shared memory segment on file /var/run/authdigest_shm.88563
> [Fri Mar 29 20:53:26.867556 2013] [auth_digest:error] [pid 88563:tid
> 679494400] (78)Function not implemented: AH01760: failed to initialize
> shm - all nonce-count checking, one-time nonces, and MD5-sess
> algorithm disabled
> [Fri Mar 29 20:53:26.867571 2013] [:emerg] [pid 88563:tid 679494400]
> AH00020: Configuration Failed, exiting
>
> Since setting sysvipc.allow = 1 makes the usage of a jail superfluous
> "If it were set to 1, it would defeat the whole purpose of having a
> jail;" [http://www.freebsd.org/doc/en/books/arch-handbook/jail-restrictions.html]
>
> I was searching for a way to get it to use any of the other available
> methods but haven't found any.
> 1. Documentation to change the socache provider I haven't found after
> ploughing through the docs from httpd.apache.org
> 2. Disable shm in apr -> no switch for shm found in configure
>
> Anyone have any bright ideas how to get Apache 2.4 to get to use a
> different store for the nonce?
>
> (This is basically a duplicate of
> http://lists.freebsd.org/pipermail/freebsd-ports/2013-February/081052.html
> item 6 but now for the official port.)
>
> Kind regards,
>
> Spil.

Finally found something that I could hack... APR_HAS_SHARED_MEMORY from apr.h

For now I've created an ugly kludge in
work/httpd-2.4.4/modules/aaa/mod_auth_digest.c but at least I can use
digest auth again!

Tempted to just hack apr.h in the jail... But that would adversely
affect other programs potentially.

I'm sure someone can find a way to make this work in a jail in a
proper way. An OPTIONS knob in the port would be very much appreciated.

Only downside I found in the source is

    return "AuthDigestNcCheck: ERROR: nonce-count checking "
           "is not supported on platforms without shared-memory "
           "support";

So it seems I've sacrificed some security here but at least I'm not
back at auth-Basic

Kind regards,
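
Added example, not part of the original message and not code from mod_auth_digest.c: a simplified C model of the nonce-count (nc) check that the log above reports as disabled when the shared-memory segment cannot be created. The table, the function name nc_check and the sample nonce are assumptions made for illustration; the in-process array stands in for state that would have to be visible to every server child.

```c
/* Added illustration: simplified model of Digest nonce-count (nc) checking.
 * Not code from mod_auth_digest.c; all names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NONCES 8
struct nonce_entry {
    char nonce[64];
    unsigned long last_nc;   /* highest nc accepted for this nonce */
};
/* Stands in for the shared-memory table every server child would consult. */
static struct nonce_entry table[MAX_NONCES];
static int table_len = 0;

/* Returns 1 if the request is fresh, 0 if it is a replay or malformed.
 * nc_hex is the "nc" field of the Authorization header (8 hex digits).
 * With track == 0 (no shared state available) any well-formed nc passes. */
int nc_check(const char *nonce, const char *nc_hex, int track)
{
    if (strspn(nc_hex, "0123456789abcdefABCDEF") != 8 || nc_hex[8] != '\0')
        return 0;                 /* not exactly 8 hex digits */
    unsigned long nc = strtoul(nc_hex, NULL, 16);
    if (nc == 0)
        return 0;                 /* counts start at 1 */
    if (!track)
        return 1;                 /* nothing remembered: replay undetectable */
    for (int i = 0; i < table_len; i++) {
        if (strcmp(table[i].nonce, nonce) != 0)
            continue;
        if (nc <= table[i].last_nc)
            return 0;             /* nc already used: replayed request */
        table[i].last_nc = nc;
        return 1;
    }
    if (table_len == MAX_NONCES || strlen(nonce) >= sizeof table[0].nonce)
        return 0;                 /* cannot record it: fail closed */
    strcpy(table[table_len].nonce, nonce);
    table[table_len++].last_nc = nc;
    return 1;
}

int main(void)
{
    const char *n = "constructed-nonce-1";   /* constructed sample value */
    printf("first  nc=00000001 -> %d\n", nc_check(n, "00000001", 1));
    printf("replay nc=00000001 -> %d\n", nc_check(n, "00000001", 1));
    printf("replay, untracked  -> %d\n", nc_check(n, "00000001", 0));
    return 0;
}
```

The last call shows the trade-off mentioned in the message: with no shared table to consult, a repeated nc value for the same nonce is indistinguishable from a fresh request.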