diff options
Diffstat (limited to 'support')
-rw-r--r-- | support/SHA1/htpasswd-sha1.pl | 2 | ||||
-rw-r--r-- | support/ab.c | 159 | ||||
-rw-r--r-- | support/apxs.in | 22 | ||||
-rw-r--r-- | support/dbmmanage.in | 88 | ||||
-rw-r--r-- | support/htcacheclean.c | 75 | ||||
-rw-r--r-- | support/htdbm.c | 10 | ||||
-rw-r--r-- | support/htpasswd.c | 30 | ||||
-rw-r--r-- | support/passwd_common.c | 57 | ||||
-rw-r--r-- | support/passwd_common.h | 8 | ||||
-rw-r--r-- | support/rotatelogs.c | 43 | ||||
-rw-r--r-- | support/suexec.c | 16 |
11 files changed, 336 insertions, 174 deletions
diff --git a/support/SHA1/htpasswd-sha1.pl b/support/SHA1/htpasswd-sha1.pl index ad624d1..a9dad11 100644 --- a/support/SHA1/htpasswd-sha1.pl +++ b/support/SHA1/htpasswd-sha1.pl @@ -5,7 +5,7 @@ use strict; # on the command line and generates a username # sha1-encrytped password on the stdout. # -# Typical useage: +# Typical usage: # ./htpasswd-sha1.pl dirkx MySecret >> sha1-passwd # # This is public domain code. Do whatever you want with it. diff --git a/support/ab.c b/support/ab.c index 779ef4c..1e9dc71 100644 --- a/support/ab.c +++ b/support/ab.c @@ -18,7 +18,7 @@ ** This program is based on ZeusBench V1.0 written by Adam Twiss ** which is Copyright (c) 1996 by Zeus Technology Ltd. http://www.zeustech.net/ ** - ** This software is provided "as is" and any express or implied waranties, + ** This software is provided "as is" and any express or implied warranties, ** including but not limited to, the implied warranties of merchantability and ** fitness for a particular purpose are disclaimed. In no event shall ** Zeus Technology Ltd. be liable for any direct, indirect, incidental, special, @@ -55,7 +55,7 @@ ** trapping of connection errors which influenced measurements. ** Contributed by Sander Temme, Early 2001 ** Version 1.3e - ** - Changed timeout behavour during write to work whilst the sockets + ** - Changed timeout behavior during write to work whilst the sockets ** are filling up and apr_write() does writes a few - but not all. ** This will potentially change results. <dirkx@webweaving.org>, April 2001 ** Version 2.0.36-dev @@ -156,16 +156,30 @@ #include "ap_config_auto.h" #endif +#include <math.h> +#if APR_HAVE_CTYPE_H +#include <ctype.h> +#endif +#if APR_HAVE_LIMITS_H +#include <limits.h> +#endif + #if defined(HAVE_OPENSSL) -#include <openssl/rsa.h> +#include <openssl/evp.h> #include <openssl/crypto.h> #include <openssl/x509.h> #include <openssl/pem.h> #include <openssl/err.h> #include <openssl/ssl.h> #include <openssl/rand.h> +#include <openssl/opensslv.h> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include <openssl/core_names.h> +#endif + #define USE_SSL + #define SK_NUM(x) sk_X509_num(x) #define SK_VALUE(x,y) sk_X509_value(x,y) typedef STACK_OF(X509) X509_STACK_TYPE; @@ -178,9 +192,6 @@ typedef STACK_OF(X509) X509_STACK_TYPE; #include <openssl/applink.c> #endif -#endif - -#if defined(USE_SSL) #if (OPENSSL_VERSION_NUMBER >= 0x00909000) #define AB_SSL_METHOD_CONST const #else @@ -197,6 +208,7 @@ typedef STACK_OF(X509) X509_STACK_TYPE; #if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) #define HAVE_TLSEXT #endif + #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2060000f #define SSL_CTRL_SET_MIN_PROTO_VERSION 123 #define SSL_CTRL_SET_MAX_PROTO_VERSION 124 @@ -205,15 +217,21 @@ typedef STACK_OF(X509) X509_STACK_TYPE; #define SSL_CTX_set_max_proto_version(ctx, version) \ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) #endif -#endif -#include <math.h> -#if APR_HAVE_CTYPE_H -#include <ctype.h> +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#ifdef TLS1_3_VERSION +#define MAX_SSL_PROTO TLS1_3_VERSION +#else +#define MAX_SSL_PROTO TLS1_2_VERSION #endif -#if APR_HAVE_LIMITS_H -#include <limits.h> +#ifndef OPENSSL_NO_SSL3 +#define MIN_SSL_PROTO SSL3_VERSION +#else +#define MIN_SSL_PROTO TLS1_VERSION #endif +#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ + +#endif /* HAVE_OPENSSL */ /* ------------------- DEFINITIONS -------------------------- */ @@ -542,22 +560,33 @@ static void set_conn_state(struct connection *c, connect_state_e new_state) * */ #ifdef USE_SSL -static long ssl_print_cb(BIO *bio,int cmd,const char *argp,int argi,long argl,long ret) +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +static long ssl_print_cb(BIO *bio, int cmd, const char *argp, + size_t len, int argi, long argl, int ret, + size_t *processed) +#else +static long ssl_print_cb(BIO *bio, int cmd, const char *argp, + int argi, long argl, long ret) +#endif { BIO *out; +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + (void)len; + (void)processed; +#endif out=(BIO *)BIO_get_callback_arg(bio); if (out == NULL) return(ret); if (cmd == (BIO_CB_READ|BIO_CB_RETURN)) { BIO_printf(out,"read from %p [%p] (%d bytes => %ld (0x%lX))\n", - bio, argp, argi, ret, ret); + bio, argp, argi, (long)ret, (long)ret); BIO_dump(out,(char *)argp,(int)ret); return(ret); } else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN)) { BIO_printf(out,"write to %p [%p] (%d bytes => %ld (0x%lX))\n", - bio, argp, argi, ret, ret); + bio, argp, argi, (long)ret, (long)ret); BIO_dump(out,(char *)argp,(int)ret); } return ret; @@ -752,17 +781,29 @@ static void ssl_proceed_handshake(struct connection *c) break; #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: { +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + size_t len; + char cname[80]; + if (!EVP_PKEY_get_utf8_string_param(key, OSSL_PKEY_PARAM_GROUP_NAME, + cname, sizeof(cname), &len)) { + cname[0] = '?'; + len = 1; + } + cname[len] = '\0'; +#else const char *cname = NULL; EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key); int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); EC_KEY_free(ec); cname = EC_curve_nid2nist(nid); - if (!cname) + if (!cname) { cname = OBJ_nid2sn(nid); - + if (!cname) + cname = "?"; + } +#endif apr_snprintf(ssl_tmp_key, 128, "ECDH %s %d bits", - cname, - EVP_PKEY_bits(key)); + cname, EVP_PKEY_bits(key)); break; } #endif @@ -1316,7 +1357,7 @@ static void output_html_results(void) total = ap_round_ms(total); if (done > 0) { /* avoid division by zero (if 0 done) */ - printf("<tr %s><th %s colspan=4>Connnection Times (ms)</th></tr>\n", + printf("<tr %s><th %s colspan=4>Connection Times (ms)</th></tr>\n", trstring, tdstring); printf("<tr %s><th %s> </th> <th %s>min</th> <th %s>avg</th> <th %s>max</th></tr>\n", trstring, tdstring, tdstring, tdstring, tdstring); @@ -1415,7 +1456,11 @@ static void start_connect(struct connection * c) SSL_set_bio(c->ssl, bio, bio); SSL_set_connect_state(c->ssl); if (verbosity >= 4) { +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + BIO_set_callback_ex(bio, ssl_print_cb); +#else BIO_set_callback(bio, ssl_print_cb); +#endif BIO_set_callback_arg(bio, (void *)bio_err); } #ifdef HAVE_TLSEXT @@ -1812,11 +1857,11 @@ static void test(void) if (!use_html) { printf("Benchmarking %s ", hostname); - if (isproxy) - printf("[through %s:%d] ", proxyhost, proxyport); - printf("(be patient)%s", - (heartbeatres ? "\n" : "...")); - fflush(stdout); + if (isproxy) + printf("[through %s:%d] ", proxyhost, proxyport); + printf("(be patient)%s", + (heartbeatres ? "\n" : "...")); + fflush(stdout); } con = xcalloc(concurrency, sizeof(struct connection)); @@ -2082,14 +2127,14 @@ static void test(void) static void copyright(void) { if (!use_html) { - printf("This is ApacheBench, Version %s\n", AP_AB_BASEREVISION " <$Revision: 1843412 $>"); + printf("This is ApacheBench, Version %s\n", AP_AB_BASEREVISION " <$Revision: 1913912 $>"); printf("Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\n"); printf("Licensed to The Apache Software Foundation, http://www.apache.org/\n"); printf("\n"); } else { printf("<p>\n"); - printf(" This is ApacheBench, Version %s <i><%s></i><br>\n", AP_AB_BASEREVISION, "$Revision: 1843412 $"); + printf(" This is ApacheBench, Version %s <i><%s></i><br>\n", AP_AB_BASEREVISION, "$Revision: 1913912 $"); printf(" Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/<br>\n"); printf(" Licensed to The Apache Software Foundation, http://www.apache.org/<br>\n"); printf("</p>\n<p>\n"); @@ -2160,7 +2205,13 @@ static void usage(const char *progname) #endif #ifdef HAVE_TLSV1_X + +#ifdef TLS1_3_VERSION +#define TLS1_X_HELP_MSG ", TLS1.1, TLS1.2, TLS1.3" +#else #define TLS1_X_HELP_MSG ", TLS1.1, TLS1.2" +#endif + #else #define TLS1_X_HELP_MSG "" #endif @@ -2287,23 +2338,18 @@ static apr_status_t open_postfile(const char *pfile) /* sort out command-line args and call test */ int main(int argc, const char * const argv[]) { - int l; char tmp[1024]; apr_status_t status; apr_getopt_t *opt; const char *opt_arg; char c; +#ifdef USE_SSL #if OPENSSL_VERSION_NUMBER >= 0x10100000L - int max_prot = TLS1_2_VERSION; -#ifndef OPENSSL_NO_SSL3 - int min_prot = SSL3_VERSION; -#else - int min_prot = TLS1_VERSION; -#endif + int max_prot = MAX_SSL_PROTO; + int min_prot = MIN_SSL_PROTO; #endif /* #if OPENSSL_VERSION_NUMBER >= 0x10100000L */ -#ifdef USE_SSL AB_SSL_METHOD_CONST SSL_METHOD *meth = SSLv23_client_method(); -#endif +#endif /* USE_SSL */ /* table defaults */ tablestring = ""; @@ -2432,8 +2478,7 @@ int main(int argc, const char * const argv[]) if (apr_base64_encode_len(strlen(opt_arg)) > sizeof(tmp)) { err("Authentication credentials too long\n"); } - l = apr_base64_encode(tmp, opt_arg, strlen(opt_arg)); - tmp[l] = '\0'; + apr_base64_encode(tmp, opt_arg, strlen(opt_arg)); auth = apr_pstrcat(cntxt, auth, "Authorization: Basic ", tmp, "\r\n", NULL); @@ -2447,8 +2492,7 @@ int main(int argc, const char * const argv[]) if (apr_base64_encode_len(strlen(opt_arg)) > sizeof(tmp)) { err("Proxy credentials too long\n"); } - l = apr_base64_encode(tmp, opt_arg, strlen(opt_arg)); - tmp[l] = '\0'; + apr_base64_encode(tmp, opt_arg, strlen(opt_arg)); auth = apr_pstrcat(cntxt, auth, "Proxy-Authorization: Basic ", tmp, "\r\n", NULL); @@ -2559,12 +2603,8 @@ int main(int argc, const char * const argv[]) #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ meth = TLS_client_method(); if (strncasecmp(opt_arg, "ALL", 3) == 0) { - max_prot = TLS1_2_VERSION; -#ifndef OPENSSL_NO_SSL3 - min_prot = SSL3_VERSION; -#else - min_prot = TLS1_VERSION; -#endif + max_prot = MAX_SSL_PROTO; + min_prot = MIN_SSL_PROTO; #ifndef OPENSSL_NO_SSL3 } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) { max_prot = SSL3_VERSION; @@ -2576,6 +2616,11 @@ int main(int argc, const char * const argv[]) } else if (strncasecmp(opt_arg, "TLS1.2", 6) == 0) { max_prot = TLS1_2_VERSION; min_prot = TLS1_2_VERSION; +#ifdef TLS1_3_VERSION + } else if (strncasecmp(opt_arg, "TLS1.3", 6) == 0) { + max_prot = TLS1_3_VERSION; + min_prot = TLS1_3_VERSION; +#endif } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) { max_prot = TLS1_VERSION; min_prot = TLS1_VERSION; @@ -2587,7 +2632,7 @@ int main(int argc, const char * const argv[]) tls_use_sni = 0; break; #endif -#endif +#endif /* USE_SSL */ } } @@ -2653,13 +2698,23 @@ int main(int argc, const char * const argv[]) /* Keep memory usage as low as possible */ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS); #endif + if (ssl_cipher != NULL) { - if (!SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher)) { - fprintf(stderr, "error setting cipher list [%s]\n", ssl_cipher); - ERR_print_errors_fp(stderr); - exit(1); - } + int ok; +#if OPENSSL_VERSION_NUMBER >= 0x10101000L && defined(TLS1_3_VERSION) + if (min_prot >= TLS1_3_VERSION) + ok = SSL_CTX_set_ciphersuites(ssl_ctx, ssl_cipher); + else +#endif + ok = SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher); + if (!ok) { + BIO_printf(bio_err, "error setting ciphersuite list [%s]\n", + ssl_cipher); + ERR_print_errors(bio_err); + exit(1); + } } + if (verbosity >= 3) { SSL_CTX_set_info_callback(ssl_ctx, ssl_state_cb); } diff --git a/support/apxs.in b/support/apxs.in index ad1287f..b2705fa 100644 --- a/support/apxs.in +++ b/support/apxs.in @@ -23,10 +23,20 @@ package apxs; ## Configuration ## +# are we building in a cross compile environment? If so, destdir contains +# the base directory of the cross compiled environment, otherwise destdir +# is the empty string. + +my $destdir = ""; +my $ddi = rindex($0, "@exp_bindir@"); +if ($ddi >= 0) { + $destdir = substr($0, 0, $ddi); +} + my %config_vars = (); my $installbuilddir = "@exp_installbuilddir@"; -get_config_vars("$installbuilddir/config_vars.mk",\%config_vars); +get_config_vars($destdir . "$installbuilddir/config_vars.mk",\%config_vars); # read the configuration variables once @@ -41,10 +51,10 @@ my $CFG_CFLAGS = join ' ', map { get_vars($_) } qw(SHLTCFLAGS CFLAGS NOTEST_CPPFLAGS EXTRA_CPPFLAGS EXTRA_CFLAGS); my $CFG_LDFLAGS = join ' ', map { get_vars($_) } qw(LDFLAGS NOTEST_LDFLAGS SH_LDFLAGS); -my $includedir = get_vars("includedir"); +my $includedir = $destdir . get_vars("includedir"); my $CFG_INCLUDEDIR = eval qq("$includedir"); my $CFG_CC = get_vars("CC"); -my $libexecdir = get_vars("libexecdir"); +my $libexecdir = $destdir . get_vars("libexecdir"); my $CFG_LIBEXECDIR = eval qq("$libexecdir"); my $sbindir = get_vars("sbindir"); my $CFG_SBINDIR = eval qq("$sbindir"); @@ -335,7 +345,7 @@ if ($opt_q) { } } -my $apr_config = get_vars("APR_CONFIG"); +my $apr_config = $destdir . get_vars("APR_CONFIG"); if (! -x "$apr_config") { error("$apr_config not found!"); @@ -346,7 +356,7 @@ my $apr_major_version = (split /\./, `$apr_config --version`)[0]; my $apu_config = ""; if ($apr_major_version < 2) { - $apu_config = get_vars("APU_CONFIG"); + $apu_config = $destdir . get_vars("APU_CONFIG"); if (! -x "$apu_config") { error("$apu_config not found!"); @@ -501,7 +511,7 @@ if ($opt_i or $opt_e) { # use .so unambigiously for installed shared library modules $t =~ s|\.[^./\\]+$|\.so|; if ($opt_i) { - push(@cmds, "$installbuilddir/instdso.sh SH_LIBTOOL='" . + push(@cmds, $destdir . "$installbuilddir/instdso.sh SH_LIBTOOL='" . "$libtool' $f $CFG_LIBEXECDIR"); push(@cmds, "chmod 755 $CFG_LIBEXECDIR/$t"); } diff --git a/support/dbmmanage.in b/support/dbmmanage.in index 2dd8c86..881d230 100644 --- a/support/dbmmanage.in +++ b/support/dbmmanage.in @@ -32,9 +32,9 @@ sub usage { die <<SYNTAX; Usage: dbmmanage [enc] dbname command [username [pw [group[,group] [comment]]]] - where enc is -d for crypt encryption (default except on Win32, Netware) - -m for MD5 encryption (default on Win32, Netware) - -s for SHA1 encryption + where enc is -d for crypt hashing (default except on Win32, Netware) + -m for MD5 hashing (default on Win32, Netware) + -s for SHA1 hashing -p for plaintext command is one of: $cmds @@ -48,7 +48,7 @@ Usage: dbmmanage [enc] dbname command [username [pw [group[,group] [comment]]]] SYNTAX } -sub need_sha1_crypt { +sub need_sha1_hash { if (!eval ('require "Digest/SHA1.pm";')) { print STDERR <<SHAERR; dbmmanage SHA1 passwords require the interface or the module Digest::SHA1 @@ -56,21 +56,21 @@ available from CPAN: http://www.cpan.org/modules/by-module/Digest/Digest-MD5-2.12.tar.gz -Please install Digest::SHA1 and try again, or use a different crypt option: +Please install Digest::SHA1 and try again, or use a different hashing option: SHAERR usage(); } } -sub need_md5_crypt { +sub need_md5_hash { if (!eval ('require "Crypt/PasswdMD5.pm";')) { print STDERR <<MD5ERR; dbmmanage MD5 passwords require the module Crypt::PasswdMD5 available from CPAN http://www.cpan.org/modules/by-module/Crypt/Crypt-PasswdMD5-1.1.tar.gz -Please install Crypt::PasswdMD5 and try again, or use a different crypt option: +Please install Crypt::PasswdMD5 and try again, or use a different hashing option: MD5ERR usage(); @@ -93,10 +93,10 @@ my $newstyle_salt = $^O =~ /(?:$newstyle_salt_platforms)/; my $crypt_not_supported_platforms = join '|', qw{MSWin32 NetWare}; #others? my $crypt_not_supported = $^O =~ /(?:$crypt_not_supported_platforms)/; -my $crypt_method = "crypt"; +my $hash_method = "crypt"; if ($crypt_not_supported) { - $crypt_method = "md5"; + $hash_method = "md5"; } # Some platforms won't jump through our favorite hoops @@ -105,7 +105,7 @@ my $not_unix_platforms = join '|', qw{MSWin32 NetWare}; #others? my $not_unix = $^O =~ /(?:$not_unix_platforms)/; if ($crypt_not_supported) { - $crypt_method = "md5"; + $hash_method = "md5"; } if (@ARGV[0] eq "-d") { @@ -114,12 +114,12 @@ if (@ARGV[0] eq "-d") { print STDERR "Warning: Apache/$^O does not support crypt()ed passwords!\n\n"; } - $crypt_method = "crypt"; + $hash_method = "crypt"; } if (@ARGV[0] eq "-m") { shift @ARGV; - $crypt_method = "md5"; + $hash_method = "md5"; } if (@ARGV[0] eq "-p") { @@ -128,20 +128,20 @@ if (@ARGV[0] eq "-p") { print STDERR "Warning: Apache/$^O does not support plaintext passwords!\n\n"; } - $crypt_method = "plain"; + $hash_method = "plain"; } if (@ARGV[0] eq "-s") { shift @ARGV; - need_sha1_crypt(); - $crypt_method = "sha1"; + need_sha1_hash(); + $hash_method = "sha1"; } -if ($crypt_method eq "md5") { - need_md5_crypt(); +if ($hash_method eq "md5") { + need_md5_hash(); } -my($file,$command,$key,$crypted_pwd,$groups,$comment) = @ARGV; +my($file,$command,$key,$hashed_pwd,$groups,$comment) = @ARGV; usage() unless $file and $command and defined &{$dbmc::{$command}}; @@ -188,7 +188,7 @@ sub saltpw_crypt { randchar(2); } -sub cryptpw_crypt { +sub hashpw_crypt { my ($pw, $salt) = @_; $salt = saltpw_crypt unless $salt; crypt $pw, $salt; @@ -199,24 +199,24 @@ sub saltpw_md5 { randchar(8); } -sub cryptpw_md5 { +sub hashpw_md5 { my($pw, $salt) = @_; $salt = saltpw_md5 unless $salt; Crypt::PasswdMD5::apache_md5_crypt($pw, $salt); } -sub cryptpw_sha1 { +sub hashpw_sha1 { my($pw, $salt) = @_; '{SHA}' . Digest::SHA1::sha1_base64($pw) . "="; } -sub cryptpw { - if ($crypt_method eq "md5") { - return cryptpw_md5(@_); - } elsif ($crypt_method eq "sha1") { - return cryptpw_sha1(@_); - } elsif ($crypt_method eq "crypt") { - return cryptpw_crypt(@_); +sub hashpw { + if ($hash_method eq "md5") { + return hashpw_md5(@_); + } elsif ($hash_method eq "sha1") { + return hashpw_sha1(@_); + } elsif ($hash_method eq "crypt") { + return hashpw_crypt(@_); } @_[0]; # otherwise return plaintext } @@ -243,10 +243,10 @@ sub getpass { sub dbmc::update { die "Sorry, user `$key' doesn't exist!\n" unless $DB{$key}; - $crypted_pwd = (split /:/, $DB{$key}, 3)[0] if $crypted_pwd eq '.'; + $hashed_pwd = (split /:/, $DB{$key}, 3)[0] if $hashed_pwd eq '.'; $groups = (split /:/, $DB{$key}, 3)[1] if !$groups || $groups eq '.'; $comment = (split /:/, $DB{$key}, 3)[2] if !$comment || $comment eq '.'; - if (!$crypted_pwd || $crypted_pwd eq '-') { + if (!$hashed_pwd || $hashed_pwd eq '-') { dbmc->adduser; } else { @@ -255,23 +255,23 @@ sub dbmc::update { } sub dbmc::add { - die "Can't use empty password!\n" unless $crypted_pwd; + die "Can't use empty password!\n" unless $hashed_pwd; unless($is_update) { die "Sorry, user `$key' already exists!\n" if $DB{$key}; } $groups = '' if $groups eq '-'; $comment = '' if $comment eq '-'; $groups .= ":" . $comment if $comment; - $crypted_pwd .= ":" . $groups if $groups; - $DB{$key} = $crypted_pwd; + $hashed_pwd .= ":" . $groups if $groups; + $DB{$key} = $hashed_pwd; my $action = $is_update ? "updated" : "added"; - print "User $key $action with password encrypted to $DB{$key} using $crypt_method\n"; + print "User $key $action with password hashed to $DB{$key} using $hash_method\n"; } sub dbmc::adduser { my $value = getpass "New password:"; die "They don't match, sorry.\n" unless getpass("Re-type new password:") eq $value; - $crypted_pwd = cryptpw $value; + $hashed_pwd = hashpw $value; dbmc->add; } @@ -289,23 +289,23 @@ sub dbmc::check { my $chkpass = (split /:/, $DB{$key}, 3)[0]; my $testpass = getpass(); if (substr($chkpass, 0, 6) eq '$apr1$') { - need_md5_crypt; - $crypt_method = "md5"; + need_md5_hash; + $hash_method = "md5"; } elsif (substr($chkpass, 0, 5) eq '{SHA}') { - need_sha1_crypt; - $crypt_method = "sha1"; + need_sha1_hash; + $hash_method = "sha1"; } elsif (length($chkpass) == 13 && $chkpass ne $testpass) { - $crypt_method = "crypt"; + $hash_method = "crypt"; } else { - $crypt_method = "plain"; + $hash_method = "plain"; } - print $crypt_method . (cryptpw($testpass, $chkpass) eq $chkpass - ? " password ok\n" : " password mismatch\n"); + print $hash_method . (hashpw($testpass, $chkpass) eq $chkpass + ? " password ok\n" : " password mismatch\n"); } sub dbmc::import { while(defined($_ = <STDIN>) and chomp) { - ($key,$crypted_pwd,$groups,$comment) = split /:/, $_, 4; + ($key,$hashed_pwd,$groups,$comment) = split /:/, $_, 4; dbmc->add; } } diff --git a/support/htcacheclean.c b/support/htcacheclean.c index 8692377..57c5c5b 100644 --- a/support/htcacheclean.c +++ b/support/htcacheclean.c @@ -110,7 +110,7 @@ static apr_file_t *errfile; /* stderr file handle */ static apr_file_t *outfile; /* stdout file handle */ static apr_off_t unsolicited; /* file size summary for deleted unsolicited files */ -static APR_RING_ENTRY(_entry) root; /* ENTRY ring anchor */ +static ENTRY root; /* ENTRY ring anchor */ /* short program name as called */ static const char *shortname = "htcacheclean"; @@ -253,7 +253,8 @@ static void printstats(char *path, struct stats *s) /** * Round the value up to the given threshold. */ -static apr_size_t round_up(apr_size_t val, apr_off_t round) { +static apr_size_t round_up(apr_size_t val, apr_off_t round) +{ if (round > 1) { return (apr_size_t)(((val + round - 1) / round) * round); } @@ -557,8 +558,6 @@ static int list_urls(char *path, apr_pool_t *pool, apr_off_t round) } } } - - break; } } } @@ -604,13 +603,12 @@ static int process_dir(char *path, apr_pool_t *pool, apr_off_t *nodes) apr_size_t len; apr_time_t current, deviation; char *nextpath, *base, *ext; - APR_RING_ENTRY(_direntry) anchor; - DIRENTRY *d, *t, *n; + DIRENTRY *d, *t, *n, anchor; ENTRY *e; int skip, retries; disk_cache_info_t disk_info; - APR_RING_INIT(&anchor, _direntry, link); + APR_RING_INIT(&anchor.link, _direntry, link); apr_pool_create(&p, pool); h = apr_hash_make(p); fd = NULL; @@ -626,7 +624,7 @@ static int process_dir(char *path, apr_pool_t *pool, apr_off_t *nodes) } d = apr_pcalloc(p, sizeof(DIRENTRY)); d->basename = apr_pstrcat(p, path, "/", info.name, NULL); - APR_RING_INSERT_TAIL(&anchor, d, _direntry, link); + APR_RING_INSERT_TAIL(&anchor.link, d, _direntry, link); (*nodes)++; } @@ -638,8 +636,8 @@ static int process_dir(char *path, apr_pool_t *pool, apr_off_t *nodes) skip = baselen + 1; - for (d = APR_RING_FIRST(&anchor); - !interrupted && d != APR_RING_SENTINEL(&anchor, _direntry, link); + for (d = APR_RING_FIRST(&anchor.link); + !interrupted && d != APR_RING_SENTINEL(&anchor.link, _direntry, link); d=n) { n = APR_RING_NEXT(d, link); base = strrchr(d->basename, '/'); @@ -684,9 +682,19 @@ static int process_dir(char *path, apr_pool_t *pool, apr_off_t *nodes) } if (info.filetype == APR_DIR) { + char *dirpath = apr_pstrdup(p, d->basename); + if (process_dir(d->basename, pool, nodes)) { return 1; } + /* When given the -t option htcacheclean does not + * delete directories that are already empty, so we'll do that here + * since process_dir checks all the directories. + * If it fails, it likely means there was something else there. + */ + if (deldirs && !dryrun) { + apr_dir_remove(dirpath, p); + } continue; } @@ -774,7 +782,7 @@ static int process_dir(char *path, apr_pool_t *pool, apr_off_t *nodes) &len) == APR_SUCCESS) { apr_file_close(fd); e = apr_palloc(pool, sizeof(ENTRY)); - APR_RING_INSERT_TAIL(&root, e, _entry, link); + APR_RING_INSERT_TAIL(&root.link, e, _entry, link); e->expire = disk_info.expire; e->response_time = disk_info.response_time; e->htime = d->htime; @@ -890,7 +898,7 @@ static int process_dir(char *path, apr_pool_t *pool, apr_off_t *nodes) &len) == APR_SUCCESS) { apr_file_close(fd); e = apr_palloc(pool, sizeof(ENTRY)); - APR_RING_INSERT_TAIL(&root, e, _entry, link); + APR_RING_INSERT_TAIL(&root.link, e, _entry, link); e->expire = disk_info.expire; e->response_time = disk_info.response_time; e->htime = d->htime; @@ -977,8 +985,8 @@ static void purge(char *path, apr_pool_t *pool, apr_off_t max, s.inodes = inodes; s.ntotal = nodes; - for (e = APR_RING_FIRST(&root); - e != APR_RING_SENTINEL(&root, _entry, link); + for (e = APR_RING_FIRST(&root.link); + e != APR_RING_SENTINEL(&root.link, _entry, link); e = APR_RING_NEXT(e, link)) { s.sum += round_up((apr_size_t)e->hsize, round); s.sum += round_up((apr_size_t)e->dsize, round); @@ -997,8 +1005,8 @@ static void purge(char *path, apr_pool_t *pool, apr_off_t max, * happen if a wrong system time is corrected */ - for (e = APR_RING_FIRST(&root); - e != APR_RING_SENTINEL(&root, _entry, link) && !interrupted;) { + for (e = APR_RING_FIRST(&root.link); + e != APR_RING_SENTINEL(&root.link, _entry, link) && !interrupted;) { n = APR_RING_NEXT(e, link); if (e->response_time > now || e->htime > now || e->dtime > now) { delete_entry(path, e->basename, &s.nodes, pool); @@ -1021,9 +1029,9 @@ static void purge(char *path, apr_pool_t *pool, apr_off_t max, return; } - /* process all entries with are expired */ - for (e = APR_RING_FIRST(&root); - e != APR_RING_SENTINEL(&root, _entry, link) && !interrupted;) { + /* process all entries which are expired */ + for (e = APR_RING_FIRST(&root.link); + e != APR_RING_SENTINEL(&root.link, _entry, link) && !interrupted;) { n = APR_RING_NEXT(e, link); if (e->expire != APR_DATE_BAD && e->expire < now) { delete_entry(path, e->basename, &s.nodes, pool); @@ -1052,11 +1060,11 @@ static void purge(char *path, apr_pool_t *pool, apr_off_t max, * than sorry */ while (!((!s.max || s.sum <= s.max) && (!s.inodes || s.nodes <= s.inodes)) - && !interrupted && !APR_RING_EMPTY(&root, _entry, link)) { - oldest = APR_RING_FIRST(&root); + && !interrupted && !APR_RING_EMPTY(&root.link, _entry, link)) { + oldest = APR_RING_FIRST(&root.link); for (e = APR_RING_NEXT(oldest, link); - e != APR_RING_SENTINEL(&root, _entry, link); + e != APR_RING_SENTINEL(&root.link, _entry, link); e = APR_RING_NEXT(e, link)) { if (e->dtime < oldest->dtime) { oldest = e; @@ -1274,8 +1282,8 @@ static void usage(const char *error) } apr_file_printf(errfile, "%s -- program for cleaning the disk cache." NL - "Usage: %s [-Dvtrn] -pPATH [-lLIMIT|-LLIMIT] [-PPIDFILE]" NL - " %s [-nti] -dINTERVAL -pPATH [-lLIMIT|-LLIMIT] [-PPIDFILE]" NL + "Usage: %s [-Dvtrn] -pPATH [-lLIMIT] [-LLIMIT] [-PPIDFILE]" NL + " %s [-nti] -dINTERVAL -pPATH [-lLIMIT] [-LLIMIT] [-PPIDFILE]" NL " %s [-Dvt] -pPATH URL ..." NL NL "Options:" NL @@ -1309,10 +1317,12 @@ static void usage(const char *error) NL " -R Specify amount to round sizes up to." NL NL - " -l Specify LIMIT as the total disk cache size limit. Attach 'K'" NL - " or 'M' to the number for specifying KBytes or MBytes." NL + " -l Specify LIMIT as the total disk cache size limit. Attach 'K'," NL + " 'M' or 'G' to the number for specifying KBytes, MBytes or" NL + " GBytes." NL NL - " -L Specify LIMIT as the total disk cache inode limit." NL + " -L Specify LIMIT as the total disk cache inode limit. 'K', 'M' or" NL + " 'G' suffix can also be used." NL NL " -i Be intelligent and run only when there was a modification of" NL " the disk cache. This option is only possible together with the" NL @@ -1342,7 +1352,8 @@ static void usage(const char *error) } #undef NL -static void usage_repeated_arg(apr_pool_t *pool, char option) { +static void usage_repeated_arg(apr_pool_t *pool, char option) +{ usage(apr_psprintf(pool, "The option '%c' cannot be specified more than once", option)); @@ -1516,7 +1527,7 @@ int main(int argc, const char * const argv[]) usage(apr_psprintf(pool, "Invalid limit: %s" APR_EOL_STR APR_EOL_STR, arg)); } - } while(0); + } while (0); break; case 'L': @@ -1546,7 +1557,7 @@ int main(int argc, const char * const argv[]) usage(apr_psprintf(pool, "Invalid limit: %s" APR_EOL_STR APR_EOL_STR, arg)); } - } while(0); + } while (0); break; case 'a': @@ -1625,7 +1636,7 @@ int main(int argc, const char * const argv[]) usage("Option -i cannot be used with URL arguments, aborting"); } if (limit_found) { - usage("Option -l cannot be used with URL arguments, aborting"); + usage("Option -l and -L cannot be used with URL arguments, aborting"); } while (o->ind < argc) { status = delete_url(pool, proxypath, argv[o->ind]); @@ -1704,7 +1715,7 @@ int main(int argc, const char * const argv[]) apr_pool_create(&instance, pool); now = apr_time_now(); - APR_RING_INIT(&root, _entry, link); + APR_RING_INIT(&root.link, _entry, link); delcount = 0; unsolicited = 0; dowork = 0; diff --git a/support/htdbm.c b/support/htdbm.c index 40a3d23..c2f8f3f 100644 --- a/support/htdbm.c +++ b/support/htdbm.c @@ -290,13 +290,13 @@ static void htdbm_usage(void) " -n Don't update database; display results on stdout.\n" " -b Use the password from the command line rather than prompting for it.\n" " -i Read password from stdin without verification (for script usage).\n" - " -m Force MD5 encryption of the password (default).\n" - " -B Force BCRYPT encryption of the password (very secure).\n" + " -m Force MD5 hashing of the password (default).\n" + " -B Force BCRYPT hashing of the password (very secure).\n" " -C Set the computing time used for the bcrypt algorithm\n" " (higher is more secure but slower, default: %d, valid: 4 to 31).\n" - " -d Force CRYPT encryption of the password (8 chars max, insecure).\n" - " -s Force SHA encryption of the password (insecure).\n" - " -p Do not encrypt the password (plaintext, insecure).\n" + " -d Force CRYPT hashing of the password (8 chars max, insecure).\n" + " -s Force SHA hashing of the password (insecure).\n" + " -p Do not hash the password (plaintext, insecure).\n" " -T DBM Type (SDBM|GDBM|DB|default).\n" " -l Display usernames from database on stdout.\n" " -v Verify the username/password.\n" diff --git a/support/htpasswd.c b/support/htpasswd.c index 660a27c..c576532 100644 --- a/support/htpasswd.c +++ b/support/htpasswd.c @@ -98,28 +98,32 @@ static int mkrecord(struct passwd_ctx *ctx, char *user) static void usage(void) { apr_file_printf(errfile, "Usage:" NL - "\thtpasswd [-cimBdpsDv] [-C cost] passwordfile username" NL - "\thtpasswd -b[cmBdpsDv] [-C cost] passwordfile username password" NL + "\thtpasswd [-cimB25dpsDv] [-C cost] [-r rounds] passwordfile username" NL + "\thtpasswd -b[cmB25dpsDv] [-C cost] [-r rounds] passwordfile username password" NL NL - "\thtpasswd -n[imBdps] [-C cost] username" NL - "\thtpasswd -nb[mBdps] [-C cost] username password" NL + "\thtpasswd -n[imB25dps] [-C cost] [-r rounds] username" NL + "\thtpasswd -nb[mB25dps] [-C cost] [-r rounds] username password" NL " -c Create a new file." NL " -n Don't update file; display results on stdout." NL " -b Use the password from the command line rather than prompting " "for it." NL " -i Read password from stdin without verification (for script usage)." NL - " -m Force MD5 encryption of the password (default)." NL - " -B Force bcrypt encryption of the password (very secure)." NL + " -m Force MD5 hashing of the password (default)." NL + " -2 Force SHA-256 hashing of the password (secure)." NL + " -5 Force SHA-512 hashing of the password (secure)." NL + " -B Force bcrypt hashing of the password (very secure)." NL " -C Set the computing time used for the bcrypt algorithm" NL - " (higher is more secure but slower, default: %d, valid: 4 to 31)." NL - " -d Force CRYPT encryption of the password (8 chars max, insecure)." NL - " -s Force SHA encryption of the password (insecure)." NL - " -p Do not encrypt the password (plaintext, insecure)." NL + " (higher is more secure but slower, default: %d, valid: 4 to 17)." NL + " -r Set the number of rounds used for the SHA-256, SHA-512 algorithms" NL + " (higher is more secure but slower, default: 5000)." NL + " -d Force CRYPT hashing of the password (8 chars max, insecure)." NL + " -s Force SHA-1 hashing of the password (insecure)." NL + " -p Do not hash the password (plaintext, insecure)." NL " -D Delete the specified user." NL " -v Verify password for the specified user." NL "On other systems than Windows and NetWare the '-p' flag will " "probably not work." NL - "The SHA algorithm does not use a salt and is less secure than the " + "The SHA-1 algorithm does not use a salt and is less secure than the " "MD5 algorithm." NL, BCRYPT_DEFAULT_COST ); @@ -178,7 +182,7 @@ static void check_args(int argc, const char *const argv[], if (rv != APR_SUCCESS) exit(ERR_SYNTAX); - while ((rv = apr_getopt(state, "cnmspdBbDiC:v", &opt, &opt_arg)) == APR_SUCCESS) { + while ((rv = apr_getopt(state, "cnmspdBbDi25C:r:v", &opt, &opt_arg)) == APR_SUCCESS) { switch (opt) { case 'c': *mask |= APHTP_NEWFILE; @@ -351,7 +355,7 @@ int main(int argc, const char * const argv[]) } else { /* - * Error out if -c was omitted for this non-existant file. + * Error out if -c was omitted for this non-existent file. */ if (!(mask & APHTP_NEWFILE)) { apr_file_printf(errfile, diff --git a/support/passwd_common.c b/support/passwd_common.c index 664e509..62e4843 100644 --- a/support/passwd_common.c +++ b/support/passwd_common.c @@ -179,16 +179,21 @@ err_too_long: int mkhash(struct passwd_ctx *ctx) { char *pw; - char salt[16]; + char salt[17]; apr_status_t rv; int ret = 0; #if CRYPT_ALGO_SUPPORTED char *cbuf; #endif +#ifdef HAVE_CRYPT_SHA2 + const char *setting; + char method; +#endif - if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT) { + if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT + && ctx->alg != ALG_CRYPT_SHA256 && ctx->alg != ALG_CRYPT_SHA512 ) { apr_file_printf(errfile, - "Warning: Ignoring -C argument for this algorithm." NL); + "Warning: Ignoring -C/-r argument for this algorithm." NL); } if (ctx->passwd == NULL) { @@ -246,6 +251,34 @@ int mkhash(struct passwd_ctx *ctx) break; #endif /* CRYPT_ALGO_SUPPORTED */ +#ifdef HAVE_CRYPT_SHA2 + case ALG_CRYPT_SHA256: + case ALG_CRYPT_SHA512: + ret = generate_salt(salt, 16, &ctx->errstr, ctx->pool); + if (ret != 0) + break; + + method = ctx->alg == ALG_CRYPT_SHA256 ? '5': '6'; + + if (ctx->cost) + setting = apr_psprintf(ctx->pool, "$%c$rounds=%d$%s", + method, ctx->cost, salt); + else + setting = apr_psprintf(ctx->pool, "$%c$%s", + method, salt); + + cbuf = crypt(pw, setting); + if (cbuf == NULL) { + rv = APR_FROM_OS_ERROR(errno); + ctx->errstr = apr_psprintf(ctx->pool, "crypt() failed: %pm", &rv); + ret = ERR_PWMISMATCH; + break; + } + + apr_cpystrn(ctx->out, cbuf, ctx->out_len - 1); + break; +#endif /* HAVE_CRYPT_SHA2 */ + #if BCRYPT_ALGO_SUPPORTED case ALG_BCRYPT: rv = apr_generate_random_bytes((unsigned char*)salt, 16); @@ -294,6 +327,19 @@ int parse_common_options(struct passwd_ctx *ctx, char opt, case 's': ctx->alg = ALG_APSHA; break; +#ifdef HAVE_CRYPT_SHA2 + case '2': + ctx->alg = ALG_CRYPT_SHA256; + break; + case '5': + ctx->alg = ALG_CRYPT_SHA512; + break; +#else + case '2': + case '5': + ctx->errstr = "SHA-2 crypt() algorithms are not supported on this platform."; + return ERR_ALG_NOT_SUPP; +#endif case 'p': ctx->alg = ALG_PLAIN; #if !PLAIN_ALGO_SUPPORTED @@ -324,11 +370,12 @@ int parse_common_options(struct passwd_ctx *ctx, char opt, return ERR_ALG_NOT_SUPP; #endif break; - case 'C': { + case 'C': + case 'r': { char *endptr; long num = strtol(opt_arg, &endptr, 10); if (*endptr != '\0' || num <= 0) { - ctx->errstr = "argument to -C must be a positive integer"; + ctx->errstr = "argument to -C/-r must be a positive integer"; return ERR_SYNTAX; } ctx->cost = num; diff --git a/support/passwd_common.h b/support/passwd_common.h index 660081e..874c5e7 100644 --- a/support/passwd_common.h +++ b/support/passwd_common.h @@ -28,6 +28,10 @@ #include "apu_version.h" #endif +#if !defined(WIN32) && !defined(NETWARE) +#include "ap_config_auto.h" +#endif + #define MAX_STRING_LEN 256 #define ALG_PLAIN 0 @@ -35,6 +39,8 @@ #define ALG_APMD5 2 #define ALG_APSHA 3 #define ALG_BCRYPT 4 +#define ALG_CRYPT_SHA256 5 +#define ALG_CRYPT_SHA512 6 #define BCRYPT_DEFAULT_COST 5 @@ -84,7 +90,7 @@ struct passwd_ctx { apr_size_t out_len; char *passwd; int alg; - int cost; + int cost; /* cost for bcrypt, rounds for SHA-2 */ enum { PW_PROMPT = 0, PW_ARG, diff --git a/support/rotatelogs.c b/support/rotatelogs.c index 2526f56..e0819da 100644 --- a/support/rotatelogs.c +++ b/support/rotatelogs.c @@ -65,6 +65,7 @@ struct rotate_config { int echo; char *szLogRoot; int truncate; + int truncate_rotated_only; const char *linkfile; const char *postrotate_prog; #if APR_FILES_AS_SOCKETS @@ -109,9 +110,9 @@ static void usage(const char *argv0, const char *reason) } fprintf(stderr, #if APR_FILES_AS_SOCKETS - "Usage: %s [-v] [-l] [-L linkname] [-p prog] [-f] [-D] [-t] [-e] [-c] [-n number] <logfile> " + "Usage: %s [-vlfDtTec] [-L linkname] [-p prog] [-n number] <logfile> " #else - "Usage: %s [-v] [-l] [-L linkname] [-p prog] [-f] [-D] [-t] [-e] [-n number] <logfile> " + "Usage: %s [-vlfDtTe] [-L linkname] [-p prog] [-n number] <logfile> " #endif "{<rotation time in seconds>|<rotation size>(B|K|M|G)} " "[offset minutes from UTC]\n\n", @@ -145,6 +146,7 @@ static void usage(const char *argv0, const char *reason) " -f Force opening of log on program start.\n" " -D Create parent directories of log file.\n" " -t Truncate logfile instead of rotating, tail friendly.\n" + " -T Truncate logfiles opened for rotation, but not the initial logfile.\n" " -e Echo log to stdout for further processing.\n" #if APR_FILES_AS_SOCKETS " -c Create log even if it is empty.\n" @@ -380,6 +382,8 @@ static void doRotate(rotate_config_t *config, rotate_status_t *status) apr_status_t rv; struct logfile newlog; int thisLogNum = -1; + int oldreason = status->rotateReason; + int truncate = config->truncate; /* Retrieve local-time-adjusted-Unix-time. */ now = get_now(config, &offset); @@ -459,8 +463,17 @@ static void doRotate(rotate_config_t *config, rotate_status_t *status) if (config->verbose) { fprintf(stderr, "Opening file %s\n", newlog.name); } - rv = apr_file_open(&newlog.fd, newlog.name, APR_WRITE | APR_CREATE | APR_APPEND - | (config->truncate || (config->num_files > 0 && status->current.fd) ? APR_TRUNCATE : 0), + + if (!truncate) { + /* -n and -T truncate subsequent files only. */ + if (status->current.fd && + (config->num_files > 0 || config->truncate_rotated_only)) { + truncate = 1; + } + } + rv = apr_file_open(&newlog.fd, newlog.name, + APR_WRITE | APR_CREATE | APR_APPEND + | (truncate ? APR_TRUNCATE : 0), APR_OS_DEFAULT, newlog.pool); if (rv == APR_SUCCESS) { /* Handle post-rotate processing. */ @@ -474,6 +487,19 @@ static void doRotate(rotate_config_t *config, rotate_status_t *status) /* New log file is now 'current'. */ status->current = newlog; + + /* The first write to the initial file hasn't checked for size. + * In the normalized timestamp case and the custom strftime case with + * any reasonable accuracy, it's futile as the rotation will pick the + * same filename again. + * For -n, when not truncating, check and rotate. + */ + if (config->num_files > 0 && oldreason == ROTATE_NEW && !config->truncate) { + checkRotate(config, status); + if (status->rotateReason != ROTATE_NONE) { + doRotate(config, status); + } + } } else { char *error = apr_psprintf(newlog.pool, "%pm", &rv); @@ -506,7 +532,7 @@ static void doRotate(rotate_config_t *config, rotate_status_t *status) /* * Get a size or time param from a string. * Parameter 'last' indicates, whether the - * argument is the last commadnline argument. + * argument is the last commandline argument. * UTC offset is only allowed as a last argument * in order to make is distinguishable from the * rotation interval time. @@ -585,9 +611,9 @@ int main (int argc, const char * const argv[]) apr_pool_create(&status.pool, NULL); apr_getopt_init(&opt, status.pool, argc, argv); #if APR_FILES_AS_SOCKETS - while ((rv = apr_getopt(opt, "lL:p:fDtvecn:", &c, &opt_arg)) == APR_SUCCESS) { + while ((rv = apr_getopt(opt, "lL:p:fDtTvecn:", &c, &opt_arg)) == APR_SUCCESS) { #else - while ((rv = apr_getopt(opt, "lL:p:fDtven:", &c, &opt_arg)) == APR_SUCCESS) { + while ((rv = apr_getopt(opt, "lL:p:fDtTven:", &c, &opt_arg)) == APR_SUCCESS) { #endif switch (c) { case 'l': @@ -612,6 +638,9 @@ int main (int argc, const char * const argv[]) case 't': config.truncate = 1; break; + case 'T': + config.truncate_rotated_only = 1; + break; case 'v': config.verbose = 1; break; diff --git a/support/suexec.c b/support/suexec.c index 0b52495..c2eb0b6 100644 --- a/support/suexec.c +++ b/support/suexec.c @@ -127,15 +127,15 @@ static const char *const safe_env_lst[] = "REDIRECT_STATUS=", "REDIRECT_URL=", "REQUEST_METHOD=", - "REQUEST_URI=", "REQUEST_SCHEME=", + "REQUEST_URI=", "SCRIPT_FILENAME=", "SCRIPT_NAME=", "SCRIPT_URI=", "SCRIPT_URL=", + "SERVER_ADDR=", "SERVER_ADMIN=", "SERVER_NAME=", - "SERVER_ADDR=", "SERVER_PORT=", "SERVER_PROTOCOL=", "SERVER_SIGNATURE=", @@ -223,7 +223,6 @@ static void log_no_err(const char *fmt,...) static void clean_env(void) { - char pathbuf[512]; char **cleanenv; char **ep; int cidx = 0; @@ -245,8 +244,7 @@ static void clean_env(void) exit(123); } - sprintf(pathbuf, "PATH=%s", AP_SAFE_PATH); - cleanenv[cidx] = strdup(pathbuf); + cleanenv[cidx] = strdup("PATH=" AP_SAFE_PATH); if (cleanenv[cidx] == NULL) { log_err("failed to malloc memory for environment\n"); exit(124); @@ -504,7 +502,8 @@ int main(int argc, char *argv[]) * and setgid() to the target group. If unsuccessful, error out. */ if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) { - log_err("failed to setgid (%lu: %s)\n", (unsigned long)gid, cmd); + log_err("failed to setgid/initgroups (%lu: %s): %s\n", + (unsigned long)gid, cmd, strerror(errno)); exit(109); } @@ -512,13 +511,14 @@ int main(int argc, char *argv[]) * setuid() to the target user. Error out on fail. */ if ((setuid(uid)) != 0) { - log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd); + log_err("failed to setuid (%lu: %s): %s\n", + (unsigned long)uid, cmd, strerror(errno)); exit(110); } /* * Get the current working directory, as well as the proper - * document root (dependant upon whether or not it is a + * document root (dependent upon whether or not it is a * ~userdir request). Error out if we cannot get either one, * or if the current working directory is not in the docroot. * Use chdir()s and getcwd()s to avoid problems with symlinked |