From: "t-systems-fitz"
Date: Fri, 16 May 2003 15:55:24 +0200
Subject: RE: [users@httpd] apache with my own libraries

Hello,

I already tried it out, but with the same errors:

WEBADMIN-USER:
webadmin@xxxx /opt/apache/bin <335># ./httpsd
ld.so.1: ./httpsd: fatal: libssl.so.0.9.7: open failed: No such file or directory
Killed
webadmin@xxxx: /opt/apache/bin <339># ls -la /opt/apache/lib/
total 14534
drwxr-xr-x 3 portal40 syent1 512 May 16 09:17 .
drwxr-xr-x 15 portal40 syent1 512 May 16 09:17 ..
-rw-r--r-- 1 portal40 syent1 2057220 May 16 09:17 libcrypto.a
-r-xr-xr-x 1 portal40 syent1 1411580 May 16 09:17 libcrypto.so
-r-xr-xr-x 1 portal40 syent1 1411580 May 16 09:17 libcrypto.so.0
-r-xr-xr-x 1 portal40 syent1 1411580 May 16 09:17 libcrypto.so.0.9.7
-rw-r--r-- 1 portal40 syent1 315064 May 16 09:17 libssl.a
-r-xr-xr-x 1 portal40 syent1 245684 May 16 09:17 libssl.so
-r-xr-xr-x 1 portal40 syent1 245684 May 16 09:17 libssl.so.0
-r-xr-xr-x 1 portal40 syent1 245684 May 16 09:17 libssl.so.0.9.7
drwxr-xr-x 2 portal40 syent1 512 May 16 08:38 pkgconfig
webadmin@xxxx: /opt/apache/bin <339># export LD_LIBRARY_PATH=/opt/apache/lib:$LD_LIBRARY_PATH
webadmin@xxxx: /opt/apache/bin <341># echo $LD_LIBRARY_PATH
/opt/apache/lib:/export/oracle/V8.1.7.4/lib64:/export/oracle/V8.1.7.4/lib:/export/oracle/V8.1.7.4/jlib:/export/oracle/V8.1.7.4/javavm/lib64:/export/oracle/V8.1.7.4/javavm/lib:/export/oracle/V8.1.7.4/jdbc/lib:/usr/openwin/lib:/usr/dt/lib:/export/oracle/V8.1.7.4/JRE/lib:/lib:/usr/lib:/usr/local/lib:/usr/local/ssl/lib:/export/oracle/V8.1.7.4/lib
webadmin@xxxx /opt/apache/bin <335># ./httpsd
ld.so.1: ./httpsd: fatal: libssl.so.0.9.7: open failed: No such file or directory
Killed
webadmin@xxxx: /opt/apache/bin <343># ls -la httpsd
total 568
-rwsr-xr-x 1 root syent1 36672 May 16 12:16 httpsd

Under user root it works with setting LD_LIBRARY_PATH, but not under user webadmin.

best regards fitz

-----Original Message-----
From: Broekman, Maarten [mailto:Maarten.Broekman@FMR.COM]
Sent: Friday, May 16, 2003 3:43 PM
To: 'users@httpd.apache.org'
Subject: RE: [users@httpd] apache with my own libraries

That's not the way setuid works. setuid uses the currently set environment and executes the setuid object with that environment but with the owner's rights.
Thus all of your environment settings as a user are transferred to httpsd when it is run and as such setting the LD_LIBRARY_PATH appropriately (before executing the setuid httpsd) will cause the httpsd to use those new settings.

Example:
> ls -l /opt/applocal/Foo/foo.pl
-rwsr-xr-x 1 root develop 99 May 16 09:27 /opt/applocal/Foo/foo.pl

foo.pl:
#!/opt/applocal/gett/vendor/perl/bin/perl
foreach (keys(%ENV)) {
    print "$_ -=> $ENV{$_}\n";
}
::end foo.pl::

> whoami
a321638
> setenv CHECKENV AMISET
> /opt/applocal/Foo/foo.pl
...
CHECKENV -=> AMISET
...

As you can see, I am not root, and my new environment variable is still seen by the setuid Foo.pl. (I just built and installed this script as a package and tested it.)

Please, just try setting the LD_LIBRARY_PATH prior to trying to start httpsd and see if it works, rather than dismissing it out of hand.

regards,
maarten

-----Original Message-----
From: t-systems-fitz [mailto:t-systems-fitz@web.de]
Sent: Friday, May 16, 2003 9:24 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] apache with my own libraries

Hello,

crle can only be used by root, but I have no root rights.

best regards fitz

----- Original Message -----
From: "t-systems-fitz"
To:
Sent: Friday, May 16, 2003 3:14 PM
Subject: RE: [users@httpd] apache with my own libraries

> Hello,
>
> setting LD_LIBRARY_PATH doesn't work for my environment, because httpsd
> would be started by users with setting the suid-bit (chown root:usergroup
> httpsd, chmod u+s httpsd). So if the users sets LD_LIBRARY_PATH to the right
> location, httpsd didn't start, because it starts as root.
> But I will give a try to crle.
>
> best regards fitz
>
>
> -----Original Message-----
> From: Broekman, Maarten [mailto:Maarten.Broekman@FMR.COM]
> Sent: Friday, May 16, 2003 3:08 PM
> To: 'users@httpd.apache.org'
> Subject: RE: [users@httpd] apache with my own libraries
>
> Have you tried setting the LD_LIBRARY_PATH in apachectl?
> That would be the
> place I'd put it if I didn't want to require other people to have it set
> individually. Mind you, this won't prevent library hijacking. Anyone can
> use the LD_LIBRARY_PATH environment variable to change the search path for
> libraries.
>
> An alternate choice would be to use crle to update the library search path.
> Example from the man page for crle:
>
> Example 1: Update (and display) of a new default search path
> for ELF objects
>
> example% crle -u -l /local/lib
> example% crle
>
> Configuration file [2]: /var/ld/ld.config
> Default Library Path (ELF): /usr/lib:/local/lib
> Trusted Directories (ELF): /usr/lib/secure (system default)
>
> Command line:
> crle -l /usr/lib:/local/lib
>
> example% crle -u -l /usr/local/lib
> example% crle
>
> Configuration file [2]: /var/ld/ld.config
> Default Library Path (ELF): /usr/lib:/local/lib:/usr/local/lib
> Trusted Directories (ELF): /usr/lib/secure (system default)
>
> Command line:
> crle -l /usr/lib:/local/lib:/usr/local/lib
>
> In this example, the default configuration file initially
> did not exist, and thus the new search path /local/lib is
> appended to the system default. The next update appends the
> search path /usr/local/lib to those already established in
> the configuration file.
>
> regards,
> maarten
>
> -----Original Message-----
> From: t-systems-fitz [mailto:t-systems-fitz@web.de]
> Sent: Friday, May 16, 2003 8:54 AM
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] apache with my own libraries
>
> Hello,
>
> this is exactly, what I did with LDFLAGS=-R/opt/apache/lib ./configure
> ....But I also tried LD_RUN_PATH=/opt/apache/lib.
> After compiling the same result, ldd shows the libraries, but by starting
> httpsd same error in loading shared library.
> btw: gcc version 2.95.3 20010315 (release)
>
> best regards fitz
>
> -----Original Message-----
> From: Boyle Owen [mailto:Owen.Boyle@swx.com]
> Sent: Friday, May 16, 2003 2:36 PM
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] apache with my own libraries
>
> >-----Original Message-----
> >From: t-systems-fitz [mailto:t-systems-fitz@web.de]
> >
> >I can't use the LD_LIBRARY_PATH because the httpsd starts with
> >suid.
>
> An alternative to LD_LIBRARY_PATH, is to use LD_RUN_PATH. If this is set
> at compile time, this path will be built into the binary. The advantage
> is that you don't need LD_LIBRARY_PATH any more, the disadvantage is that
> the binary is less portable - it won't run on a machine with the libs in
> a different place (this was the point of LD_LIBRARY_PATH in the first
> place).
>
> Some people have a strong aversion to LD_LIBRARY_PATH -
> http://www.visi.com/~barr/ldpath.html
>
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
>
> >In my environment the webadmins should be able to start the httpsd.
> >So we use the suid-Bit (apache listens to a privileged port). But if the
> >webadmins sets LD_LIBRARY_PATH to the right path and starts httpsd, it
> >doesn't work. It seems that the path-infos are not used by httpsd,
> >because it starts with root rights. I think this is normal, otherwise
> >any user could change the LD_LIBRARY_PATH to his own libraries and this
> >would have security problems.
> >Do you have a solution for my problem???
> >
> >best regards fitz
> >
> >
> >-----Original Message-----
> >From: Broekman, Maarten [mailto:Maarten.Broekman@FMR.COM]
> >Sent: Friday, May 16, 2003 1:36 PM
> >To: 'users@httpd.apache.org'
> >Subject: RE: [users@httpd] apache with my own libraries
> >
> >Why don't you want to set your LD_LIBRARY_PATH? That's the standard way
> >of including new library paths.
> >Since /opt/apache/lib is not defined as a standard path, you need to
> >make sure to set it for all applications that need to access the
> >libraries there. There's no way to get any application to use a
> >non-standard library path without including it in the LD_LIBRARY_PATH.
> >
> >Apache is currently compiled with the libraries in /opt/apache/lib. The
> >problem is that when you start Apache, it doesn't know how to find those
> >libraries. It just knows it wants libssl.so.0.9.7 but it can't find it
> >in its library path. ldd will show you which library was used to compile
> >the binary. You need to make sure all the paths to the libraries used
> >are a part of your library path in order for the binary to work after
> >compilation.
> >
> >regards,
> >maarten
> >
> >-----Original Message-----
> >From: t-systems-fitz [mailto:t-systems-fitz@web.de]
> >Sent: Friday, May 16, 2003 7:27 AM
> >To: users@httpd.apache.org
> >Subject: [users@httpd] apache with my own libraries
> >
> >Hello,
> >
> >I have problems with running apache with ssl on a solaris 2.8 box. I use
> >apache 1.3.27, apache-ssl 1.48 and openssl 0.9.7. I absolutely don't
> >want to use the ssl-libraries of the system (openssl 0.9.6), so I
> >compiled openssl 0.9.7 with option shared and installed the libraries
> >under /opt/apache/lib.
> >Now I configure apache-ssl like that:
> >
> >LDFLAGS=-R/opt/apache/lib
> >./configure --prefix=/opt/apache --enable-module=proxy --enable-module=so --enable-rule=SHARED_CORE
> >
> >Unfortunately the httpsd compiled this way doesn't start:
> >
> >ld.so.1: /opt/apache/bin/httpsd: fatal: libssl.so.0.9.7: open failed: No such file or directory
> >
> >But if I use ldd I can see:
> >
> >ldd /opt/apache/bin/httpsd
> >libsocket.so.1 => /usr/lib/libsocket.so.1
> >libnsl.so.1 => /usr/lib/libnsl.so.1
> >libpthread.so.1 => /usr/lib/libpthread.so.1
> >libdl.so.1 => /usr/lib/libdl.so.1
> >libssl.so.0.9.7 => /opt/apache/lib/libssl.so.0.9.7
> >libcrypto.so.0.9.7 => /opt/apache/lib/libcrypto.so.0.9.7
> >libc.so.1 => /usr/lib/libc.so.1
> >libmp.so.2 => /usr/lib/libmp.so.2
> >libthread.so.1 => /usr/lib/libthread.so.1
> >/usr/platform/SUNW,Sun-Fire-480R/lib/libc_psr.so.1
> >
> >so ldd knows the correct path of my ssl-libraries.
> >
> >I don't want to set the LD_LIBRARY_PATH (this would work) and I don't
> >want to use and update the system-libraries (no root rights).
> >
> >How can I compile apache that it uses my own libraries in
> >/opt/apache/lib ????
> >
> >best regards fitz
> >
> >---------------------------------------------------------------------
> >The official User-To-User support forum of the Apache HTTP
> >Server Project.
> >See for more info.
> >To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >" from the digest: users-digest-unsubscribe@httpd.apache.org
> >For additional commands, e-mail: users-help@httpd.apache.org
>
> This e-mail is of a private and personal nature. It is not related to
> the exchange or business activities of the SWX Swiss Exchange.
>
> This message is for the named person's use only. It may contain
> confidential, proprietary or legally privileged information. No
> confidentiality or privilege is waived or lost by any mistransmission.
> If you receive this message in error, please notify the sender urgently
> and then immediately delete the message and any copies of it from your
> system. Please also immediately destroy any hardcopies of the message.
> You must not, directly or indirectly, use, disclose, distribute, print,
> or copy any part of this message if you are not the intended recipient.
> The sender's company reserves the right to monitor all e-mail
> communications through their networks. Any views expressed in this
> message are those of the individual sender, except where the message
> states otherwise and the sender is authorised to state them to be the
> views of the sender's company.
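
The observation reported in this thread (LD_LIBRARY_PATH is honoured when root starts the setuid-root httpsd, but not when webadmin does) matches how the Solaris runtime linker treats "secure" processes. The following is an added example, not code from the thread or from ld.so.1: a simplified model of the search-path rules, in which the uid 1001, the shortened LD_LIBRARY_PATH and the file set are constructed for illustration.

```python
# Simplified model (added example) of how the Solaris runtime linker ld.so.1
# builds its library search path. Not the linker's own code.
TRUSTED_DIRS = {"/usr/lib/secure"}  # "Trusted Directories" in the crle output above
DEFAULT_DIRS = ["/usr/lib"]         # "Default Library Path" before any crle update

def is_secure(ruid, euid, rgid=0, egid=0):
    """A process is 'secure' when a set-uid/set-gid bit changed its effective IDs."""
    return ruid != euid or rgid != egid

def search_path(ld_library_path, runpath, secure):
    """Directories searched, in order: LD_LIBRARY_PATH, runpath (-R), defaults."""
    env_dirs = [d for d in ld_library_path.split(":") if d]
    run_dirs = [d for d in runpath.split(":") if d]
    if secure:
        # Secure process: environment entries survive only if they are trusted
        # directories; runpath entries survive only if they are absolute paths.
        env_dirs = [d for d in env_dirs if d in TRUSTED_DIRS]
        run_dirs = [d for d in run_dirs if d.startswith("/")]
    return env_dirs + run_dirs + DEFAULT_DIRS

def resolve(soname, dirs, files):
    """Return the first path that exists, or None (the 'open failed' case)."""
    for d in dirs:
        candidate = f"{d}/{soname}"
        if candidate in files:
            return candidate
    return None

# Constructed file system: the 0.9.7 library exists only under /opt/apache/lib.
FILES = {"/opt/apache/lib/libssl.so.0.9.7", "/usr/lib/libc.so.1"}
ENV = "/opt/apache/lib:/usr/lib:/usr/local/lib"  # shortened LD_LIBRARY_PATH

def scenario(ruid, euid, runpath=""):
    """Resolve libssl for a caller with real uid `ruid` running with `euid`."""
    dirs = search_path(ENV, runpath, is_secure(ruid, euid))
    return resolve("libssl.so.0.9.7", dirs, FILES)

if __name__ == "__main__":
    print("root, setuid-root binary:    ", scenario(0, 0))
    print("webadmin, setuid-root binary:", scenario(1001, 0))  # 1001: hypothetical uid
    print("webadmin, binary with -R:    ", scenario(1001, 0, "/opt/apache/lib"))
```

The third case assumes the runpath is really recorded in the binary; on Solaris that can be read from the dynamic section, for example with `dump -Lv`.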