Subject: pkg/17469: various improvements and minor fixes for www/apache
To: None <gnats-bugs@gnats.netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 07/03/2002 15:32:07
>Number: 17469
>Category: pkg
>Synopsis: various improvements and minor fixes for www/apache
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Wed Jul 03 12:33:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Greg A. Woods
>Release: pkgsrc-2002/07/02
>Organization:
Planix, Inc.; Toronto, Ontario; Canada
>Environment:
System: NetBSD
>Description:
Here are various improvements and minor fixes for the www/apache
package:
1. always set a special user and group for the server.
- "nobody", as currently defined in NetBSD doesn't match the
NFS "nobody" user-id, and even if it did there's good reason to
avoid clash between the use of a non-privileged user for root on
remote NFS clients and a non-privileged user for web server
use since in the case of Apache with SUEXEC there are
potential security issues.
- "#-1" as a group-id is probably unique and unprivileged on
almost all NetBSD systems, but it conflicts with the standard
error return value of many library functions and should
never be used as a system ID#.
- setting '--server-*id' when configuring Apache causes the
default sample configuration file (httpd.conf) to have the
desired values substituted into it.
- the server has to run as a unique non-privileged user
(i.e. owns no files and can only write to world-writable
files) anyway when using the SUEXEC feature.
2. always configure with '--without-confadjust' as otherwise the
configure script does potentially messy alterations of settings
outside the scope and control of pkgsrc.
3. use variables to replace the multiple occurrences of apache
and modssl version numbers spread throughout the Makefile.
4. correctly identify this package as the "Apache" HTTP server
in the COMMENT setting (there are lots of HTTP servers :-)
5. fix the CONFLICTS entry to anticipate the www/apache-ssl
package I'm about to submit
6. always configure with '--enable-module=define'. I'm not sure
this is correct or necessary, but it works and seems to have
been used in other scenarios where modssl is used.
7. don't configure with '--with-perl' unless defined(USE_PERL)
(it's really not necessary anyway as the only perl script which
is installed is sbin/apxs and though it's still installed, it's
not critical to the normal operation of the basic Apache server
-- indeed it's apparently only a build tool and is only used
when other independent dynamic load modules for Apache are
built) (this isn't ideal -- optional use of Perl should be off
by default in all packages, and optional perl scripts should not
be installed if perl's not a runtime requirement, and perhaps
there should also be a separate APACHE_USE_PERL flag too)
8. configure with --without-execstrip if STRIPFLAG is not set.
9. use localstatedir=/var/httpd even though it's apparently not
currently used in 1.3.26 (/var/run isn't appropriate -- all the
files that should explicitly be there, such as the PID file,
scoreboard, lock file, mm file, etc. are all explicitly put
there anyway)
10. enable SUEXEC by default -- why not?
>How-To-Repeat:
>Fix:
apply this patch in /usr/pkgsrc (warning: line numbers in last
hunk may be out of whack):
Index: www/apache/Makefile
===================================================================
RCS file: /cvs/master/m-NetBSD/main/pkgsrc/www/apache/Makefile,v
retrieving revision 1.101
diff -c -c -r1.101 Makefile
*** www/apache/Makefile 24 Jun 2002 16:26:18 -0000 1.101
--- www/apache/Makefile 3 Jul 2002 19:25:55 -0000
***************
*** 3,10 ****
# This pkg does not compile in mod_ssl, only the `mod_ssl EAPI' (a set of
# code hooks that allow mod_ssl to be compiled separately later, if desired).
! DISTNAME= apache_1.3.26
! PKGNAME= apache-1.3.26
PKGREVISION= 2
CATEGORIES= www
MASTER_SITES= http://httpd.apache.org/dist/httpd/ \
--- 3,10 ----
# This pkg does not compile in mod_ssl, only the `mod_ssl EAPI' (a set of
# code hooks that allow mod_ssl to be compiled separately later, if desired).
! DISTNAME= apache_${VERSION_APACHE}
! PKGNAME= apache-${VERSION_APACHE}
PKGREVISION= 2
CATEGORIES= www
MASTER_SITES= http://httpd.apache.org/dist/httpd/ \
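Review bot: DISTNAME and PKGNAME at the top of the file now expand ${VERSION_APACHE}, but that variable is only assigned some thirty lines further down, after CONFLICTS. make expands the reference lazily so this builds, but the version is no longer visible where the package name is defined. Move the VERSION_APACHE and VERSION_MODSSL assignments above DISTNAME so the first lines of the Makefile still state which release is being packaged.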
***************
*** 19,25 ****
SITES_${NETBSD_LOGO}= http://www.netbsd.org/images/logos/
DISTFILES+= ${NETBSD_LOGO}
! MODSSL_DISTNAME= mod_ssl-2.8.10-1.3.26
MODSSL_DIST= ${MODSSL_DISTNAME}${EXTRACT_SUFX}
MODSSL_SRC= ${WRKDIR}/${MODSSL_DISTNAME}
SITES_${MODSSL_DIST}= http://www.modssl.org/source/ \
--- 19,25 ----
SITES_${NETBSD_LOGO}= http://www.netbsd.org/images/logos/
DISTFILES+= ${NETBSD_LOGO}
! MODSSL_DISTNAME= mod_ssl-${VERSION_MODSSL}-${VERSION_APACHE}
MODSSL_DIST= ${MODSSL_DISTNAME}${EXTRACT_SUFX}
MODSSL_SRC= ${WRKDIR}/${MODSSL_DISTNAME}
SITES_${MODSSL_DIST}= http://www.modssl.org/source/ \
***************
*** 29,37 ****
MAINTAINER= jlam@netbsd.org
HOMEPAGE= http://httpd.apache.org/
! COMMENT= HTTP (Web) server
! CONFLICTS= apache-*modssl-[0-9]* apache6-[0-9]*
EXTRACT_ONLY= ${DISTFILES:N*.gif}
USE_BUILDLINK_ONLY= YES
--- 29,41 ----
MAINTAINER= jlam@netbsd.org
HOMEPAGE= http://httpd.apache.org/
! COMMENT= The Apache HTTP (Web) server
! CONFLICTS= apache-*ssl-[0-9]* apache6-[0-9]*
!
! VERSION_APACHE= 1.3.26
! VERSION_MODSSL= 2.8.10
! #PKGREVISION= 0
EXTRACT_ONLY= ${DISTFILES:N*.gif}
USE_BUILDLINK_ONLY= YES
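Review bot: the added "#PKGREVISION= 0" line is a commented-out duplicate of the live "PKGREVISION= 2" near the top of the file and should be dropped before this is committed; two places to bump the revision invites them drifting apart. The wider CONFLICTS pattern "apache-*ssl-[0-9]*" still covers the old apache-*modssl names, so that part is fine, but a short comment saying it is there for the planned www/apache-ssl package would explain why it was loosened.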
***************
*** 42,48 ****
--- 46,57 ----
--disable-module=auth_dbm
CONFIGURE_ARGS+= --enable-rule=EAPI \
--disable-module=ssl
+ CONFIGURE_ARGS+= --enable-module=define # from mod_ssl pkg.addon
+ CONFIGURE_ARGS+= --without-confadjust
+ .if defined(USE_PERL)
+ USE_PERL5= # defined
CONFIGURE_ARGS+= --with-perl=${PERL5}
+ .endif
CONFIGURE_ARGS+= --with-port=80
CONFIGURE_ENV+= OPTIM="${APACHE_CUSTOM_CFLAGS}"
CONFIGURE_ENV+= EAPI_MM="${BUILDLINK_DIR}"
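Review bot: the ".if defined(USE_PERL)" test is evaluated before the Makefile reaches .include "../../mk/bsd.prefs.mk" (the next hunk places that include a couple of lines below this block), and pkgsrc Makefiles are expected to include bsd.prefs.mk before testing a user-settable variable in a conditional. As written, a USE_PERL set in mk.conf may not be seen here and --with-perl would be dropped silently. Move this block below the include, and add USE_PERL to BUILD_DEFS so the choice is recorded with the built package.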
***************
*** 50,69 ****
.include "../../mk/bsd.prefs.mk"
PKG_SYSCONFSUBDIR?= httpd
.if defined(APACHE_SUEXEC) && ${APACHE_SUEXEC} == YES
- APACHE_SUEXEC_USER?= www
APACHE_SUEXEC_DOCROOT?= ${PREFIX}/share/httpd/htdocs
APACHE_SUEXEC_PATH= /bin:/usr/bin:${PREFIX}/bin:/usr/local/bin
APACHE_SUEXEC_CONFIGURE_ARGS+= \
! --suexec-caller=${APACHE_SUEXEC_USER} \
--suexec-safepath='${APACHE_SUEXEC_PATH}' \
--suexec-docroot=${APACHE_SUEXEC_DOCROOT}
CONFIGURE_ARGS+= --enable-suexec \
${APACHE_SUEXEC_CONFIGURE_ARGS:M--suexec-*}
PLIST_SRC= ${PKGDIR}/PLIST.suexec
- PKG_USERS= ${APACHE_SUEXEC_USER}:nogroup::Apache\\ suEXEC\\ user
BUILD_DEFS+= APACHE_SUEXEC_CONFIGURE_ARGS
.endif
--- 59,88 ----
.include "../../mk/bsd.prefs.mk"
+ .if empty(STRIPFLAG)
+ CONFIGURE_ARGS+= --without-execstrip
+ .endif
+
PKG_SYSCONFSUBDIR?= httpd
+ APACHE_USER?= wwwsrvr
+ APACHE_GROUP?= wwwsrvr
+ BUILD_DEFS+= APACHE_USER
+ BUILD_DEFS+= APACHE_GROUP
+
+ CONFIGURE_ARGS+= --server-uid=${APACHE_USER}
+ CONFIGURE_ARGS+= --server-gid=${APACHE_GROUP}
+
.if defined(APACHE_SUEXEC) && ${APACHE_SUEXEC} == YES
APACHE_SUEXEC_DOCROOT?= ${PREFIX}/share/httpd/htdocs
APACHE_SUEXEC_PATH= /bin:/usr/bin:${PREFIX}/bin:/usr/local/bin
APACHE_SUEXEC_CONFIGURE_ARGS+= \
! --suexec-caller=${APACHE_USER} \
--suexec-safepath='${APACHE_SUEXEC_PATH}' \
--suexec-docroot=${APACHE_SUEXEC_DOCROOT}
CONFIGURE_ARGS+= --enable-suexec \
${APACHE_SUEXEC_CONFIGURE_ARGS:M--suexec-*}
PLIST_SRC= ${PKGDIR}/PLIST.suexec
BUILD_DEFS+= APACHE_SUEXEC_CONFIGURE_ARGS
.endif
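Review bot: APACHE_SUEXEC_USER is removed outright and --suexec-caller now takes ${APACHE_USER}, so a site that already sets APACHE_SUEXEC_USER in mk.conf will have it ignored without any message and the suexec caller will change from its chosen user to wwwsrvr. Since suexec only runs for the caller it was compiled for, that is a behaviour change worth guarding: either default with "APACHE_USER?= ${APACHE_SUEXEC_USER}" when the old variable is defined, or fail the build with a message naming the new variable. Tying --server-uid and --suexec-caller to the same variable is the right direction.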
***************
*** 122,128 ****
MAKE_DIRS+= ${PREFIX}/share/httpd/htdocs
OWN_DIRS= /var/log/httpd
OWN_DIRS+= /var/spool/httpd
! OWN_DIRS_PERMS+= /var/spool/httpd/proxy nobody nobody 0755
post-extract:
${CP} ${FILESDIR}/ap_include_extern.h ${WRKSRC}/src/include
--- 141,150 ----
MAKE_DIRS+= ${PREFIX}/share/httpd/htdocs
OWN_DIRS= /var/log/httpd
OWN_DIRS+= /var/spool/httpd
! OWN_DIRS_PERMS+= /var/spool/httpd/proxy ${APACHE_USER} ${APACHE_GROUP} 0755
!
! PKG_GROUPS+= ${APACHE_GROUP}
! PKG_USERS= ${APACHE_USER}:${APACHE_GROUP}::Apache\\ user
post-extract:
${CP} ${FILESDIR}/ap_include_extern.h ${WRKSRC}/src/include
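Review bot: "PKG_USERS=" is a plain assignment while the line above it uses "PKG_GROUPS+=", so anything added to PKG_USERS earlier in the Makefile or by an included file is discarded here. Use "PKG_USERS+=" for consistency. It would also read better to keep the PKG_GROUPS and PKG_USERS lines next to the APACHE_USER and APACHE_GROUP defaults introduced in the previous hunk rather than sixty lines later beside the directory list.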
Index: www/apache/files/config.layout
===================================================================
RCS file: /cvs/master/m-NetBSD/main/pkgsrc/www/apache/files/config.layout,v
retrieving revision 1.4
diff -c -r1.4 config.layout
*** www/apache/files/config.layout 26 Nov 2001 07:34:06 -0000 1.4
--- www/apache/files/config.layout 1 Dec 2001 03:02:11 -0000
***************
*** 14,20 ****
manualdir: ${prefix}/share/httpd/htdocs/manual
cgidir: ${exec_prefix}/libexec/cgi-bin
includedir: ${prefix}/include/httpd
! localstatedir: /var/run
runtimedir: /var/run
logfiledir: /var/log/httpd
proxycachedir: /var/spool/httpd/proxy
--- 14,20 ----
manualdir: ${prefix}/share/httpd/htdocs/manual
cgidir: ${exec_prefix}/libexec/cgi-bin
includedir: ${prefix}/include/httpd
! localstatedir: /var/httpd
runtimedir: /var/run
logfiledir: /var/log/httpd
proxycachedir: /var/spool/httpd/proxy
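Review bot: localstatedir now points at /var/httpd, but nothing in the Makefile hunks of this patch creates that directory; OWN_DIRS there lists only /var/log/httpd and /var/spool/httpd. The submitter notes the value is unused in 1.3.26, so this is harmless today, but if a later release starts writing under localstatedir the path will not exist. Either add /var/httpd to OWN_DIRS with the intended owner and mode, or leave this line alone until something uses it.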
Index: mk/bsd.pkg.defaults.mk
===================================================================
RCS file: /cvs/master/m-NetBSD/main/pkgsrc/mk/bsd.pkg.defaults.mk,v
retrieving revision 1.68
diff -c -c -r1.68 bsd.pkg.defaults.mk
*** mk/bsd.pkg.defaults.mk 23 Jun 2002 08:46:22 -0000 1.68
--- mk/bsd.pkg.defaults.mk 28 Jun 2002 15:52:11 -0000
***************
*** 405,426 ****
# Possible: not defined, YES
# Default: not defined
! #APACHE_SUEXEC= YES
# Enable support Switch User For Exec. See
# http://www.apache.org/docs/suexec.html for more informations.
# Possible: not defined, YES
! # Default: not defined
APACHE_SUEXEC_DOCROOT?= ${LOCALBASE}/share/httpd/htdocs
# Specifies the document space in which suexec will be allowed to work.
# Possible: Any valid directory
# Default: ${LOCALBASE}/share/httpd/htdocs
! APACHE_SUEXEC_USER?= www
# Used in the apache package to specify the user allowed to execute
! # the `suexec' wrapper.
# Possible: any user name
! # Default: www
#APACHE_SUEXEC_CONFIGURE_ARGS= --suexec-uidmin=1000
# Used in the apache package to specify additional suexec options to be
--- 422,451 ----
# Possible: not defined, YES
# Default: not defined
! APACHE_SUEXEC?= YES
# Enable support Switch User For Exec. See
# http://www.apache.org/docs/suexec.html for more informations.
# Possible: not defined, YES
! # Default: YES
APACHE_SUEXEC_DOCROOT?= ${LOCALBASE}/share/httpd/htdocs
# Specifies the document space in which suexec will be allowed to work.
# Possible: Any valid directory
# Default: ${LOCALBASE}/share/httpd/htdocs
! APACHE_USER?= wwwsrvr
# Used in the apache package to specify the user allowed to execute
! # the `suexec' wrapper. Expected to be the user the httpd server
! # normally runs as. Also used by packages with CGIs.
# Possible: any user name
! # Default: wwwsrvr
!
! APACHE_GROUP?= wwwsrvr
! # Used in the apache package to specify the default group of the user
! # allowed to execute the `suexec' wrapper. Expected to be the group
! # the httpd server normally runs as. Also used by packages with CGIs.
! # Possible: any group name
! # Default: wwwsrvr
#APACHE_SUEXEC_CONFIGURE_ARGS= --suexec-uidmin=1000
# Used in the apache package to specify additional suexec options to be
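Review bot: changing the default to "APACHE_SUEXEC?= YES" leaves the comment reading "Possible: not defined, YES", which no longer tells anyone how to turn the feature off, since the variable is always defined once this file has been read. The Makefile tests for "== YES", so document NO as the way to disable it and list it under "Possible". Enabling suexec for every install is also a default that deserves a line of justification in the comment, given that the wrapper runs with elevated privileges. The APACHE_USER and APACHE_GROUP comments still describe them mainly as suexec settings, while the Makefile now uses them unconditionally for --server-uid, --server-gid and the proxy cache directory; reword them to lead with that.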
>Release-Note:
>Audit-Trail:
>Unformatted: