httpd-users mailing list archives

From "t-systems-fitz" <t-systems-f...@web.de>
Subject RE: [users@httpd] apache with my own libraries
Date Fri, 16 May 2003 13:55:24 GMT
Hello,

I already tried it out, but with the same errors:

WEBADMIN-USER:

webadmin@xxxx /opt/apache/bin <335># ./httpsd
    ld.so.1: ./httpsd: fatal: libssl.so.0.9.7: open failed: No such file or directory
    Killed
webadmin@xxxx: /opt/apache/bin <339># ls -la /opt/apache/lib/
    total 14534
    drwxr-xr-x   3 portal40 syent1       512 May 16 09:17 .
    drwxr-xr-x  15 portal40 syent1       512 May 16 09:17 ..
    -rw-r--r--   1 portal40 syent1   2057220 May 16 09:17 libcrypto.a
    -r-xr-xr-x   1 portal40 syent1   1411580 May 16 09:17 libcrypto.so
    -r-xr-xr-x   1 portal40 syent1   1411580 May 16 09:17 libcrypto.so.0
    -r-xr-xr-x   1 portal40 syent1   1411580 May 16 09:17 libcrypto.so.0.9.7
    -rw-r--r--   1 portal40 syent1    315064 May 16 09:17 libssl.a
    -r-xr-xr-x   1 portal40 syent1    245684 May 16 09:17 libssl.so
    -r-xr-xr-x   1 portal40 syent1    245684 May 16 09:17 libssl.so.0
    -r-xr-xr-x   1 portal40 syent1    245684 May 16 09:17 libssl.so.0.9.7
    drwxr-xr-x   2 portal40 syent1       512 May 16 08:38 pkgconfig
webadmin@xxxx: /opt/apache/bin <339># export LD_LIBRARY_PATH=/opt/apache/lib:$LD_LIBRARY_PATH
webadmin@xxxx: /opt/apache/bin <341># echo $LD_LIBRARY_PATH

/opt/apache/lib:/export/oracle/V8.1.7.4/lib64:/export/oracle/V8.1.7.4/lib:/export/oracle/V8.1.7.4/jlib:/export/oracle/V8.1.7.4/javavm/lib64:/export/oracle/V8.1.7.4/javavm/lib:/export/oracle/V8.1.7.4/jdbc/lib:/usr/openwin/lib:/usr/dt/lib:/export/oracle/V8.1.7.4/JRE/lib:/lib:/usr/lib:/usr/local/lib:/usr/local/ssl/lib:/export/oracle/V8.1.7.4/lib
webadmin@xxxx /opt/apache/bin <335># ./httpsd
    ld.so.1: ./httpsd: fatal: libssl.so.0.9.7: open failed: No such file or directory
    Killed
webadmin@xxxx: /opt/apache/bin <343># ls -la httpsd
total 568
-rwsr-xr-x   1 root     syent1     36672 May 16 12:16 httpsd


Under user root it works with setting LD_LIBRARY_PATH, but not under user
webadmin.

best regards fitz
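
Added example, not part of the original message: a small shell model of the rule documented in ld.so.1(1), under which a secure (setuid) process honours only those LD_LIBRARY_PATH components that are trusted directories, together with a check of who controls a directory that a setuid-root binary loads libraries from. The function names are hypothetical; the inputs are the path, the trusted directory and the `ls -la` line shown in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): model of the ld.so.1(1) rule for
# secure (setuid) processes, plus an ownership check for a library directory.

# Print the LD_LIBRARY_PATH components a secure process still honours:
# only those that are also trusted directories (both lists colon-separated).
secure_search_path() {
    ldpath=$1 trusted=$2 kept=
    old_ifs=$IFS; IFS=:; set -f
    for dir in $ldpath; do
        for t in $trusted; do
            if [ -n "$dir" ] && [ "$dir" = "$t" ]; then
                kept=${kept:+$kept:}$dir
            fi
        done
    done
    IFS=$old_ifs; set +f
    printf '%s\n' "$kept"
}

# Classify one `ls -ld` line. Prints a finding and returns 0 when the owner
# is not root or when group/other may write; prints nothing otherwise.
ls_line_risk() {
    set -f; set -- $1; set +f          # now $1 = mode string, $3 = owner
    mode=$1 owner=$3 finding=
    [ "$owner" != root ] && [ "$owner" != 0 ] && finding="owner=$owner"
    case $mode in ?????w*) finding="${finding:+$finding }group-writable" ;; esac
    case $mode in ????????w*) finding="${finding:+$finding }world-writable" ;; esac
    [ -n "$finding" ] && printf '%s\n' "$finding"
}

# Values from the thread; LD_LIBRARY_PATH shortened to three components.
LDP=/opt/apache/lib:/usr/lib:/usr/local/lib
TRUSTED=/usr/lib/secure                # default shown in the crle output
echo "honoured for setuid httpsd: '$(secure_search_path "$LDP" "$TRUSTED")'"
echo "/opt/apache/lib: $(ls_line_risk 'drwxr-xr-x 3 portal40 syent1 512 May 16 09:17 .')"
```

With the thread's values the first line prints an empty list, and the second reports owner=portal40: the libraries loaded by the setuid-root httpsd sit in a directory that a non-root account can modify.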




-----Original Message-----
From: Broekman, Maarten [mailto:Maarten.Broekman@FMR.COM]
Sent: Friday, May 16, 2003 3:43 PM
To: 'users@httpd.apache.org'
Subject: RE: [users@httpd] apache with my own libraries

That's not the way setuid works. setuid uses the currently set environment
and executes the setuid object with that environment but with the owner's
rights. Thus all of your environment settings as a user are transferred to
httpsd when it is run and as such setting the LD_LIBRARY_PATH appropriately
(before executing the setuid httpsd) will cause the httpsd to use those new
settings.
Example:
> ls -l /opt/applocal/Foo/foo.pl
-rwsr-xr-x 1 root develop 99 May 16 09:27 /opt/applocal/Foo/foo.pl
foo.pl:
#!/opt/applocal/gett/vendor/perl/bin/perl
foreach (keys(%ENV)) {
print "$_ -=> $ENV{$_}\n";
}
::end foo.pl::
> whoami
a321638
> setenv CHECKENV AMISET
> /opt/applocal/Foo/foo.pl
...
CHECKENV -=> AMISET
...
As you can see, I am not root, and my new environment variable is still seen
by the setuid Foo.pl. (I just built and installed this script as a package
and tested it.)
Please, just try setting the LD_LIBRARY_PATH prior to trying to start httpsd
and see if it works, rather than dismissing it out of hand.
regards,
maarten
-----Original Message-----
From: t-systems-fitz [mailto:t-systems-fitz@web.de]
Sent: Friday, May 16, 2003 9:24 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] apache with my own libraries

Hello,
crle can only be used by root, but I have no root rights.
best regards fitz
----- Original Message ----- 
From: "t-systems-fitz" <t-systems-fitz@web.de>
To: <users@httpd.apache.org>
Sent: Friday, May 16, 2003 3:14 PM
Subject: RE: [users@httpd] apache with my own libraries

> Hello,
>
> setting LD_LIBRARY_PATH doesn't work for my environment, because httpsd
> would be started by users with setting the suid-bit (chown root:usergroup
> httpsd, chmod u+s httpsd). So if the user sets LD_LIBRARY_PATH to the right
> location, httpsd didn't start, because it starts as root.
> But I will give a try to crle.
>
> best regards fitz
>
>
> -----Original Message-----
> From: Broekman, Maarten [mailto:Maarten.Broekman@FMR.COM]
> Sent: Friday, May 16, 2003 3:08 PM
> To: 'users@httpd.apache.org'
> Subject: RE: [users@httpd] apache with my own libraries
>
> Have you tried setting the LD_LIBRARY_PATH in apachectl? That would be the
> place I'd put it if I didn't want to require other people to have it set
> individually. Mind you, this won't prevent library hijacking. Anyone can
> use the LD_LIBRARY_PATH environment variable to change the search path for
> libraries.
> An alternate choice would be to use crle to update the library search path.
> Example from the man page for crle:
> Example 1: Update (and display) of a new default search path
> for ELF objects
> example% crle -u -l /local/lib
> example% crle
> Configuration file [2]: /var/ld/ld.config
> Default Library Path (ELF): /usr/lib:/local/lib
> Trusted Directories (ELF): /usr/lib/secure (system default)
> Command line:
> crle -l /usr/lib:/local/lib
> example% crle -u -l /usr/local/lib
> example% crle
> Configuration file [2]: /var/ld/ld.config
> Default Library Path (ELF): /usr/lib:/local/lib:/usr/local/lib
> Trusted Directories (ELF): /usr/lib/secure (system default)
> Command line:
> crle -l /usr/lib:/local/lib:/usr/local/lib
> In this example, the default configuration file initially
> did not exist, and thus the new search path /local/lib is
> appended to the system default. The next update appends the
> search path /usr/local/lib to those already established in
> the configuration file.
>
> regards,
> maarten
> -----Original Message-----
> From: t-systems-fitz [mailto:t-systems-fitz@web.de]
> Sent: Friday, May 16, 2003 8:54 AM
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] apache with my own libraries
>
> Hello,
> this is exactly, what I did with LDFLAGS=-R/opt/apache/lib ./configure
> ....But I also tried LD_RUN_PATH=/opt/apache/lib.
> After compiling the same result, ldd shows the libraries, but by starting
> httpsd same error in loading shared library.
> btw: gcc version 2.95.3 20010315 (release)
> best regards fitz
>
> -----Original Message-----
> From: Boyle Owen [mailto:Owen.Boyle@swx.com]
> Sent: Friday, May 16, 2003 2:36 PM
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] apache with my own libraries
> >-----Original Message-----
> >From: t-systems-fitz [mailto:t-systems-fitz@web.de]
> >
> >I can't use the LD_LIBRARY_PATH because the httpsd starts with
> >suid.
> An alternative to LD_LIBRARY_PATH is to use LD_RUN_PATH. If this is set
> at compile time, this path will be built into the binary. The advantage
> is that you don't need LD_LIBRARY_PATH any more, the disadvantage is that
> the binary is less portable - it won't run on a machine with the libs in
> a different place (this was the point of LD_LIBRARY_PATH in the first
> place).
> Some people have a strong aversion to LD_LIBRARY_PATH -
> http://www.visi.com/~barr/ldpath.html
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
> >In my
> >environment the webadmins should be able to start the httpsd.
> >So we use the
> >suid-Bit (apache listens to a privileged port). But if the
> >webadmins set
> >LD_LIBRARY_PATH to the right path and start httpsd, it
> >doesn't work. It
> >seems that the path-infos are not used by httpsd, because it
> >starts with
> >rootrights. I think this is normal, otherwise any user could change the
> >LD_LIBRARY_PATH to his own libraries and this would have
> >security problems.
> >Do you have a solution for my problem???
> >
> >best regards fitz
> >
> >
> >-----Original Message-----
> >From: Broekman, Maarten [mailto:Maarten.Broekman@FMR.COM]
> >Sent: Friday, May 16, 2003 1:36 PM
> >To: 'users@httpd.apache.org'
> >Subject: RE: [users@httpd] apache with my own libraries
> >
> >Why don't you want to set your LD_LIBRARY_PATH? That's the
> >standard way of
> >including new library paths. Since /opt/apache/lib is not defined as a
> >standard path, you need to make sure to set it for all
> >applications that
> >need to access the libraries there. There's no way to get any
> >application
> >to use a non-standard library path without including it in the
> >LD_LIBRARY_PATH.
> >Apache is currently compiled with the libraries in /opt/apache/lib. The
> >problem is that when you start Apache, it doesn't know how to
> >find those
> >libraries. It just knows it wants libssl.so.0.9.7 but it can't
> >find it in
> >its library path. ldd will show you which library was used to
> >compile the
> >binary. You need to make sure all the paths to the libraries used are a
> >part of your library path in order for the binary to work
> >after compilation.
> >regards,
> >maarten
> >-----Original Message-----
> >From: t-systems-fitz [mailto:t-systems-fitz@web.de]
> >Sent: Friday, May 16, 2003 7:27 AM
> >To: users@httpd.apache.org
> >Subject: [users@httpd] apache with my own libraries
> >
> >Hello,
> >I have problems with running apache with ssl on a solaris 2.8
> >box. I use
> >apache 1.3.27, apache-ssl 1.48 and openssl 0.9.7. I absolutely
> >don't want to
> >use the ssl-libraries of the system (openssl 0.9.6), so I
> >compiled openssl
> >0.9.7 with option shared and installed the libraries under
> >/opt/apache/lib.
> >Now I configure apache-ssl like that:
> >LDFLAGS=-R/opt/apache/lib ./configure --prefix=/opt/apache --enable-module=proxy --enable-module=so --enable-rule=SHARED_CORE
> >Unfortunately, the httpsd compiled this way doesn't start:
> >ld.so.1: /opt/apache/bin/httpsd: fatal: libssl.so.0.9.7: open failed: No such file or directory
> >But if I use ldd I can see:
> >ldd /opt/apache/bin/httpsd
> >libsocket.so.1 => /usr/lib/libsocket.so.1
> >libnsl.so.1 => /usr/lib/libnsl.so.1
> >libpthread.so.1 => /usr/lib/libpthread.so.1
> >libdl.so.1 => /usr/lib/libdl.so.1
> >libssl.so.0.9.7 => /opt/apache/lib/libssl.so.0.9.7
> >libcrypto.so.0.9.7 => /opt/apache/lib/libcrypto.so.0.9.7
> >libc.so.1 => /usr/lib/libc.so.1
> >libmp.so.2 => /usr/lib/libmp.so.2
> >libthread.so.1 => /usr/lib/libthread.so.1
> >/usr/platform/SUNW,Sun-Fire-480R/lib/libc_psr.so.1
> >so ldd knows the correct path of my ssl-libraries.
> >I don't want to set the LD_LIBRARY_PATH (this would work) and
> >I don't want
> >to use and update the system-libraries (no root rights).
> >How can I compile apache that it uses my own libraries in
> >/opt/apache/lib
> >????
> >best regards fitz
> >
> >
> >---------------------------------------------------------------------
> >The official User-To-User support forum of the Apache HTTP
> >Server Project.
> >See <URL:http://httpd.apache.org/userslist.html> for more info.
> >To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >" from the digest: users-digest-unsubscribe@httpd.apache.org
> >For additional commands, e-mail: users-help@httpd.apache.org
> >
>
