From: Oden Eriksson (oden.erikssonkvikkjokk.net)
Date: Mon Sep 24 2001 - 23:43:01 CDT


    On Monday 24 September 2001 18.44 you wrote:
    > On Mon Sep 24, 2001 at 10:51:18PM +0200, Oden Eriksson wrote:
    >
    > [...]
    >
    > > > What I do know is that the mod_ssl version has to match the apache
    > > > version, these two packages have to be compiled against the
    > > > 0.9.5a-3.1mdk devel package when apache has been patched with the right
    > > > EAPI patch. It is also somewhat a good idea that the latest mm is
    > > > installed too. (guess this is no news to you but...)
    > > >
    > > > I usually make this manually as suggested in the mod_ssl docs.
    > >
    > > Hey guys, I just checked the apache src rpm and it lacks the EAPI patch.
    > > And, the security patch in there just fixes rarely used (?) userspace
    > > programs (temp race fix).
    >
    > May be rarely used, but is still a problem. The EAPI patch is (I
    > believe) a part of the SGI patches which is no longer a part of Apache
    > (SGI stopped doing their optimization patches quite a few versions
    > ago).

    No, SGI has nothing to do with EAPI, it's a hook that the mod_ssl author
    (Ralf Engelschall) has cooked up. It is needed I'm afraid, it wasn't required
    in very early versions of mod_ssl.

    > > My suggestion is that you rebuild mm (v1.13), OpenSSL, OpenSSH, Apache,
    > > and mod_ssl from the 7.2 updates SRPMS repository. Quite simple.
    >
    > Not so simple. A rebuild of openssl requires other updates. I don't
    > know what else may/may not depend on mm.

    Quick test: rpm -q --whatrequires openssl mm

    My guess is that 7.1 was before US of A relaxed their crypto export laws, and
    openssl and friends are add-ons that did not come with the CD?

    > If you want to try this (rebuild everything from 7.2) and test it, let
    > me know how it works (if it works). The other thing is that 7.1 uses
    > /home/httpd whereas 7.2+ use /var/www. This makes a direct rebuild
    > from 7.2 not entirely compatible with what users may expect for 7.1
    > (and indeed how 7.1 used to work).

    Sorry, can't do that, I'm running latest cooker here and have no other place
    to do it except on my live internet servers (7.2 and LFS)...

    > If this is the only option, we will rework the 7.2 specs to match 7.1
    > and do what needs to be done (hopefully without requiring an openssl
    > rebuild to save us from updating openssh).

    I would suggest that you do. But it's much easier to build from the sources.
    It could come down to just three steps, something like this:

    -------------- mm -------------
    export SSL_BASE="SYSTEM"
    export CFLAGS="$MYFLAGS -DEAPI_MM_CORE_PATH=\"/var/run/mm\""
    ./configure \
    --prefix=/usr \
    --sysconfdir=/etc \
    --with-apache=../apache_1.3.20/ \
    --mandir=/usr/share/man \
    --enable-static \
    --disable-shared &&
    make &&
    make test &&
    make install
    --------------- apache -------------
    export SSL_BASE="SYSTEM"
    export EAPI_MM="SYSTEM"
    ./configure
    --------------- mod_ssl -------------
    export SSL_BASE="SYSTEM"
    export EAPI_MM="SYSTEM"
    ./configure \
    --prefix=/usr \
    --sysconfdir=/etc \
    --mandir=/usr/share/man \
    --with-apache=../apache_1.3.20/
    --------------- apache -------------
    export SSL_BASE="SYSTEM"
    export EAPI_MM="SYSTEM"
    export OPTIM="$MYFLAGS"
    export CFLAGS="-DDYNAMIC_MODULE_LIMIT=32 \
    -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 \
    -DBUFFERED_LOGS"
    ./configure \
    --prefix=/etc/httpd \
    --exec-prefix=/usr \
    --bindir=/usr/bin \
    --sbindir=/usr/sbin \
    --libexecdir=/usr/lib/apache \
    --mandir=/usr/share/man \
    --sysconfdir=/etc/httpd/conf \
    --datadir=/var/www \
    --iconsdir=/var/www/html/images \
    --htdocsdir=/var/www/html \
    --cgidir=/var/www/cgi-bin \
    --includedir=/usr/include/apache \
    --localstatedir=/var/run \
    --runtimedir=/var/run \
    --logfiledir=/var/log/httpd \
    --proxycachedir=/var/cache/httpd \
    --enable-rule=EAPI \
    --disable-rule=WANTHSREGEX \
    --disable-rule=EXPAT \
    --with-perl=/usr/bin/perl \
    --enable-module=most \
    --enable-module=auth_digest \
    --enable-module=userdir \
    --enable-module=define \
    --enable-module=rewrite \
    --enable-module=throttle \
    --enable-module=auth_mysql \
    --enable-module=bandwidth \
    --enable-module=layout \
    --enable-module=roaming \
    --enable-module=ssl \
    --activate-module=src/modules/php4/libphp4.a \
    --enable-module=php4 \
    --enable-module=negotiation \
    --enable-module=imap \
    --enable-module=autoindex \
    --enable-module=include \
    --enable-module=headers \
    --enable-module=auth_db \
    --disable-module=auth_dbm \
    --disable-module=auth_anon \
    --disable-module=example \
    --enable-module=status \
    --disable-module=asis \
    --disable-module=env \
    --disable-module=actions \
    --disable-module=proxy \
    --disable-module=auth_digest \
    --disable-module=cern_meta \
    --enable-module=info \
    --disable-module=log_agent \
    --disable-module=log_referer \
    --disable-module=mmap_static \
    --disable-module=speling \
    --enable-shared=max \
    --without-execstrip \
    --server-uid=apache \
    --server-gid=apache &&
    make &&
    make install

    Good luck.

    -- 
    Regards // Oden Eriksson
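
The thread's two consistency requirements (the mod_ssl version must match the Apache version, and Apache must be built with EAPI) can be checked before and after a build. The script below is an added example and is not part of the original message; the function names and sample inputs are constructed, and it assumes that mod_ssl source trees are named `mod_ssl-<mod_ssl version>-<apache version>` and that an EAPI build lists `-D EAPI` in `httpd -V` output.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for an
# Apache 1.3 + mod_ssl source build.

# Succeeds when the Apache version embedded in the mod_ssl tree name equals
# the version of the Apache tree it is about to patch.
# Assumption: trees are named mod_ssl-<mod_ssl ver>-<apache ver> and apache_<ver>.
modssl_matches_apache() {
    m=${1%/}; m=${m##*/}          # strip trailing slash and leading path
    a=${2%/}; a=${a##*/}
    case $m in
        mod_ssl-*-*) got=${m##*-} ;;
        *) return 2 ;;            # not a recognisable mod_ssl tree name
    esac
    case $a in
        apache_*) want=${a#apache_} ;;
        *) return 2 ;;            # not a recognisable Apache tree name
    esac
    [ "$got" = "$want" ]
}

# Reads `httpd -V` output on stdin and succeeds when the binary was compiled
# with EAPI. The match is anchored so that "-D EAPI_MM" alone does not count.
has_eapi() {
    grep -Eq '^[[:space:]]*-D[[:space:]]+EAPI[[:space:]]*$'
}

# Constructed sample `httpd -V` output, for illustration only.
SAMPLE_WITH_EAPI='Server version: Apache/1.3.20 (Unix)
Server compiled with....
 -D EAPI
 -D EAPI_MM
 -D HAVE_MMAP'

SAMPLE_WITHOUT_EAPI='Server version: Apache/1.3.20 (Unix)
Server compiled with....
 -D HAVE_MMAP'

# Demo run on the constructed inputs; on a real host use: httpd -V | has_eapi
if modssl_matches_apache mod_ssl-2.8.4-1.3.20 ../apache_1.3.20/; then
    echo "mod_ssl tree matches Apache tree"
fi
if printf '%s\n' "$SAMPLE_WITHOUT_EAPI" | has_eapi; then :; else
    echo "binary without -D EAPI: mod_ssl will not work with it"
fi
```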