From 826124b378306a4097f38f22d775a13d9c3e875b Mon Sep 17 00:00:00 2001 From: b1v1r Date: Tue, 25 Aug 2009 22:19:33 +0000 Subject: [PATCH] Merge 2.5.x changes to trunk. --- CHANGES | 9 +- apache2/apache2.h | 1 + apache2/apache2_config.c | 69 +- apache2/build/find_apr.m4 | 10 +- apache2/build/find_apu.m4 | 8 +- apache2/build/find_curl.m4 | 8 +- apache2/build/find_pcre.m4 | 8 +- apache2/build/find_xml.m4 | 8 +- apache2/configure | 943 ++++++++------------------ apache2/configure.in | 5 +- apache2/mod_security2_config.h.in | 3 - apache2/modsecurity.h | 6 +- apache2/msc_logging.c | 7 +- apache2/msc_multipart.c | 17 +- apache2/msc_util.c | 34 +- apache2/msc_util.h | 7 + doc/modsecurity2-apache-reference.xml | 88 ++- 17 files changed, 524 insertions(+), 707 deletions(-) diff --git a/CHANGES b/CHANGES index 99800cfb..9a6942d8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,13 @@ -12 Aug 2009 - trunk +24 Aug 2009 - trunk ------------------- + * Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning + auditlog permissions (especially with mpm-itk). + + * Cleaned up SecUploadFileMode implementation. + + * Cleanup build scripts. + * Fixed crash on configuration if SecMarker is used before any rules. * Fixed SecRuleUpdateActionById so that it will work on chain starters. diff --git a/apache2/apache2.h b/apache2/apache2.h index d8d61568..264fcf44 100644 --- a/apache2/apache2.h +++ b/apache2/apache2.h @@ -103,5 +103,6 @@ char DSOLOCAL *format_error_log_message(apr_pool_t *mp, error_message *em); const DSOLOCAL char *get_response_protocol(request_rec *r); + #endif diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c index 67e6e995..bbb51366 100644 --- a/apache2/apache2_config.c +++ b/apache2/apache2_config.c @@ -20,6 +20,7 @@ #include "modsecurity.h" #include "msc_logging.h" +#include "msc_util.h" #include "pdf_protect.h" #include "http_log.h" 
@@ -69,6 +70,8 @@ void *create_directory_config(apr_pool_t *mp, char *path) {
 /* audit log variables */
 dcfg->auditlog_flag = NOT_SET;
 dcfg->auditlog_type = NOT_SET;
+ dcfg->auditlog_dirperms = NOT_SET;
+ dcfg->auditlog_fileperms = NOT_SET;
 dcfg->auditlog_name = NOT_SET_P;
 dcfg->auditlog2_name = NOT_SET_P;
 dcfg->auditlog_fd = NOT_SET_P;
@@ -388,6 +391,10 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child) {
 ? parent->auditlog_flag : child->auditlog_flag);
 merged->auditlog_type = (child->auditlog_type == NOT_SET
 ? parent->auditlog_type : child->auditlog_type);
+ merged->auditlog_dirperms = (child->auditlog_dirperms == NOT_SET
+ ? parent->auditlog_dirperms : child->auditlog_dirperms);
+ merged->auditlog_fileperms = (child->auditlog_fileperms == NOT_SET
+ ? parent->auditlog_fileperms : child->auditlog_fileperms);
 if (child->auditlog_fd != NOT_SET_P) {
 merged->auditlog_fd = child->auditlog_fd;
 merged->auditlog_name = child->auditlog_name;
@@ -512,6 +519,8 @@ void init_directory_config(directory_config *dcfg) {
 /* audit log variables */
 if (dcfg->auditlog_flag == NOT_SET) dcfg->auditlog_flag = 0;
 if (dcfg->auditlog_type == NOT_SET) dcfg->auditlog_type = AUDITLOG_SERIAL;
+ if (dcfg->auditlog_dirperms == NOT_SET) dcfg->auditlog_dirperms = CREATEMODE_DIR;
+ if (dcfg->auditlog_fileperms == NOT_SET) dcfg->auditlog_fileperms = CREATEMODE;
 if (dcfg->auditlog_fd == NOT_SET_P) dcfg->auditlog_fd = NULL;
 if (dcfg->auditlog2_fd == NOT_SET_P) dcfg->auditlog2_fd = NULL;
 if (dcfg->auditlog_name == NOT_SET_P) dcfg->auditlog_name = NULL;
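Review bot: In the merge_directory_configs hunk, NOT_SET in the child means "inherit from parent" for auditlog_dirperms and auditlog_fileperms, yet the new directive handlers in this patch store NOT_SET when the value is `default`. A nested context that says `SecAuditLogDirMode default` therefore keeps whatever mode the parent configured instead of returning to CREATEMODE_DIR, which can leave audit logs more permissive than the operator intended. If inheritance is the intended meaning, say so at the merge, for example `/* NOT_SET in the child inherits; "default" cannot override a parent's mode */`, and in the directive reference. The function body starts and ends outside the hunk.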
@@ -525,7 +534,7 @@ void init_directory_config(directory_config *dcfg) { if (dcfg->upload_dir == NOT_SET_P) dcfg->upload_dir = NULL; if (dcfg->upload_keep_files == NOT_SET) dcfg->upload_keep_files = KEEP_FILES_OFF; if (dcfg->upload_validates_files == NOT_SET) dcfg->upload_validates_files = 0; - if (dcfg->upload_filemode == NOT_SET) dcfg->upload_filemode = 0600; + if (dcfg->upload_filemode == NOT_SET) dcfg->upload_filemode = mode2fileperms(0600); /* Misc */ if (dcfg->data_dir == NOT_SET_P) dcfg->data_dir = NULL; @@ -1026,6 +1035,46 @@ static const char *cmd_audit_log_type(cmd_parms *cmd, void *_dcfg, const char *p return NULL; } +static const char *cmd_audit_log_dirmode(cmd_parms *cmd, void *_dcfg, const char *p1) { + directory_config *dcfg = (directory_config *)_dcfg; + + if (dcfg == NULL) return NULL; + + if (strcasecmp(p1, "default") == 0) { + dcfg->auditlog_dirperms = NOT_SET; + } + else { + long int mode = strtol(p1, NULL, 8); /* expects octal mode */ + if ((mode == LONG_MAX)||(mode == LONG_MIN)||(mode <= 0)||(mode > 07777)) { + return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecAuditLogDirMode: %s", p1); + } + + dcfg->auditlog_dirperms = mode2fileperms((mode_t)mode); + } + + return NULL; +} + +static const char *cmd_audit_log_filemode(cmd_parms *cmd, void *_dcfg, const char *p1) { + directory_config *dcfg = (directory_config *)_dcfg; + + if (dcfg == NULL) return NULL; + + if (strcasecmp(p1, "default") == 0) { + dcfg->auditlog_fileperms = NOT_SET; + } + else { + long int mode = strtol(p1, NULL, 8); /* expects octal mode */ + if ((mode == LONG_MAX)||(mode == LONG_MIN)||(mode <= 0)||(mode > 07777)) { + return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecAuditLogFileMode: %s", p1); + } + + dcfg->auditlog_fileperms = mode2fileperms((mode_t)mode); + } + + return NULL; +} + static const char *cmd_audit_log_storage_dir(cmd_parms *cmd, void *_dcfg, const char *p1) { directory_config *dcfg = _dcfg; 
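Review bot: The default for upload_filemode is now stored through `mode2fileperms(0600)`, but the line in cmd_upload_filemode that stores a configured value lies outside the hunks shown, so it cannot be confirmed here that it is converted the same way. If that handler still stores the raw octal mode, the default and a configured value would presumably be in different representations, and one of them would be applied wrongly when the upload file's permissions are set. It is worth confirming that the handler reads `dcfg->upload_filemode = mode2fileperms((mode_t)mode);`, as the two new audit-log handlers do. init_directory_config starts and ends outside the hunk.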
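Review bot: `strtol(p1, NULL, 8)` in cmd_audit_log_dirmode and cmd_audit_log_filemode passes no end pointer, so a value with trailing non-octal characters (constructed example: `0640x`) is accepted as its numeric prefix and a typo silently yields a different mode on the audit logs. The LONG_MAX/LONG_MIN comparisons add nothing beside `mode <= 0` and `mode > 07777`. The cmd_upload_filemode hunk has the same parsing pattern. Since the two new handlers differ only in the field and the directive name, a shared static parser would keep the check in one place.

```c
/* Parse an octal permission mode; returns -1 unless the whole string is a mode in 1..07777. */
static long parse_octal_mode(const char *s) {
    char *end = NULL;
    long mode = strtol(s, &end, 8);

    if ((end == s) || (*end != '\0') || (mode <= 0) || (mode > 07777)) {
        return -1;
    }
    return mode;
}

static const char *cmd_audit_log_dirmode(cmd_parms *cmd, void *_dcfg, const char *p1) {
    /* … unchanged: dcfg NULL check and "default" branch … */
    else {
        long mode = parse_octal_mode(p1);
        if (mode < 0) {
            return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecAuditLogDirMode: %s", p1);
        }

        dcfg->auditlog_dirperms = mode2fileperms((mode_t)mode);
    }
    /* … unchanged: return NULL; cmd_audit_log_filemode follows the same shape … */
```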
@@ -1541,7 +1590,7 @@ static const char *cmd_upload_filemode(cmd_parms *cmd, void *_dcfg, const char * } else { long int mode = strtol(p1, NULL, 8); /* expects octal mode */ - if ((mode == LONG_MAX)||(mode == LONG_MIN)||(mode <= 0)||(mode > 0777)) { + if ((mode == LONG_MAX)||(mode == LONG_MIN)||(mode <= 0)||(mode > 07777)) { return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecUploadFileMode: %s", p1); } @@ -1854,6 +1903,22 @@ const command_rec module_directives[] = { "path to the audit log storage area; absolute, or relative to the root of the server" ), + AP_INIT_TAKE1 ( + "SecAuditLogDirMode", + cmd_audit_log_dirmode, + NULL, + CMD_SCOPE_ANY, + "octal permissions mode for concurrent audit log directories" + ), + + AP_INIT_TAKE1 ( + "SecAuditLogFileMode", + cmd_audit_log_filemode, + NULL, + CMD_SCOPE_ANY, + "octal permissions mode for concurrent audit log files" + ), + AP_INIT_TAKE12 ( "SecCacheTransformations", cmd_cache_transformations, diff --git a/apache2/build/find_apr.m4 b/apache2/build/find_apr.m4 index c60f3147..6c2435af 100644 --- a/apache2/build/find_apr.m4 +++ b/apache2/build/find_apr.m4 @@ -26,13 +26,13 @@ AC_MSG_CHECKING([for libapr config script]) for x in ${test_paths}; do dnl # Determine if the script was specified and use it directly if test ! -d "$x" -a -e "$x"; then - APR_CONFIG="`basename $x`" - apr_path=`echo $x | sed "s/\/\?${APR_CONFIG}\$//"` + APR_CONFIG=$x + apr_path=no break fi dnl # Try known config script names/locations - for APR_CONFIG in apr-1-mt-config apr-1-config apr-mt-config apr-config; do + for APR_CONFIG in apr-1-mt-config apr-1-config apr-config-1 apr-mt-config-1 apr-mt-config apr-config; do if test -e "${x}/bin/${APR_CONFIG}"; then apr_path="${x}/bin" break 
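Review bot: Raising the ceiling to `07777` in cmd_upload_filemode lets SecUploadFileMode request setuid, setgid and sticky bits on files whose content comes from request bodies, and nothing in the hunk says why uploads need them. Whether mode2fileperms carries those bits through is not visible here. If only the audit-log directory case needs special bits, keep `(mode > 0777)` in this handler, or mask with `mode & 0777` before storing. The handler's body starts and ends outside the hunk.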
@@ -49,7 +49,9 @@ for x in ${test_paths}; do done if test -n "${apr_path}"; then - APR_CONFIG="${apr_path}/${APR_CONFIG}" + if test "${apr_path}" != "no"; then + APR_CONFIG="${apr_path}/${APR_CONFIG}" + fi AC_MSG_RESULT([${APR_CONFIG}]) APR_CFLAGS="`${APR_CONFIG} --includes --cppflags --cflags`" if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apr CFLAGS: $APR_CFLAGS); fi diff --git a/apache2/build/find_apu.m4 b/apache2/build/find_apu.m4 index 95a41b25..281d5146 100644 --- a/apache2/build/find_apu.m4 +++ b/apache2/build/find_apu.m4 @@ -27,12 +27,12 @@ for x in ${test_paths}; do dnl # Determine if the script was specified and use it directly if test ! -d "$x" -a -e "$x"; then APU_CONFIG="`basename $x`" - apu_path=`echo $x | sed "s/\/\?${APU_CONFIG}\$//"` + apu_path="no" break fi dnl # Try known config script names/locations - for APU_CONFIG in apu-1-mt-config apu-1-config apu-mt-config apu-config; do + for APU_CONFIG in apu-1-mt-config apu-1-config apu-config-1 apu-mt-config-1 apu-mt-config apu-config; do if test -e "${x}/bin/${APU_CONFIG}"; then apu_path="${x}/bin" break @@ -49,7 +49,9 @@ for x in ${test_paths}; do done if test -n "${apu_path}"; then - APU_CONFIG="${apu_path}/${APU_CONFIG}" + if test "${apu_path}" != "no"; then + APU_CONFIG="${apu_path}/${APU_CONFIG}" + fi AC_MSG_RESULT([${APU_CONFIG}]) APU_CFLAGS="`${APU_CONFIG} --includes`" if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu CFLAGS: $APU_CFLAGS); fi diff --git a/apache2/build/find_curl.m4 b/apache2/build/find_curl.m4 index f61c4b23..119b196c 100644 --- a/apache2/build/find_curl.m4 +++ b/apache2/build/find_curl.m4 @@ -23,8 +23,8 @@ AC_MSG_CHECKING([for libcurl config script]) for x in ${test_paths}; do dnl # Determine if the script was specified and use it directly if test ! -d "$x" -a -e "$x"; then - CURL_CONFIG="`basename $x`" - curl_path=`echo $x | sed "s/\/\?${CURL_CONFIG}\$//"` + CURL_CONFIG=$x + curl_path="no" break fi 
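Review bot: In the first find_apu.m4 hunk the direct-script branch keeps the context line that assigns only the basename of `$x` to `APU_CONFIG`, while `apu_path` is now set to `"no"`. The guard added in the second hunk, `if test "${apu_path}" != "no"`, then skips the prefix, so `${APU_CONFIG} --includes` runs a bare name resolved through PATH rather than the script the user passed. A build can therefore pick up a different apu config script than the one specified, or find none. The apr, curl, pcre and xml macros in this patch assign the full path, and this one should match them: `APU_CONFIG=$x`.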
@@ -46,7 +46,9 @@ for x in ${test_paths}; do done if test -n "${curl_path}"; then - CURL_CONFIG="${curl_path}/${CURL_CONFIG}" + if test "${curl_path}" != "no"; then + CURL_CONFIG="${curl_path}/${CURL_CONFIG}" + fi AC_MSG_RESULT([${CURL_CONFIG}]) CURL_CFLAGS="`${CURL_CONFIG} --cflags`" if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(curl CFLAGS: $CURL_CFLAGS); fi diff --git a/apache2/build/find_pcre.m4 b/apache2/build/find_pcre.m4 index 5b9ea8b6..9241dbaf 100644 --- a/apache2/build/find_pcre.m4 +++ b/apache2/build/find_pcre.m4 @@ -29,8 +29,8 @@ fi for x in ${test_paths}; do dnl # Determine if the script was specified and use it directly if test ! -d "$x" -a -e "$x"; then - PCRE_CONFIG="`basename $x`" - pcre_path=`echo $x | sed "s/\/\?${PCRE_CONFIG}\$//"` + PCRE_CONFIG=$x + pcre_path="no" break fi @@ -54,7 +54,9 @@ done LDFLAGS=$save_LDFLAGS if test -n "${pcre_path}"; then - PCRE_CONFIG="${pcre_path}/${PCRE_CONFIG}" + if test "${pcre_path}" != "no"; then + PCRE_CONFIG="${pcre_path}/${PCRE_CONFIG}" + fi AC_MSG_RESULT([${PCRE_CONFIG}]) PCRE_CFLAGS="`${PCRE_CONFIG} --cflags`" if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(pcre CFLAGS: $PCRE_CFLAGS); fi diff --git a/apache2/build/find_xml.m4 b/apache2/build/find_xml.m4 index 2163d189..cd82694f 100644 --- a/apache2/build/find_xml.m4 +++ b/apache2/build/find_xml.m4 @@ -22,8 +22,8 @@ AC_MSG_CHECKING([for libxml2 config script]) for x in ${test_paths}; do dnl # Determine if the script was specified and use it directly if test ! -d "$x" -a -e "$x"; then - LIBXML2_CONFIG="`basename $x`" - libxml2_path=`echo $x | sed "s/\/\?${LIBXML2_CONFIG}\$//"` + LIBXML2_CONFIG=$x + libxml2_path="no" break fi 
@@ -47,7 +47,9 @@ done LDFLAGS=$save_LDFLAGS if test -n "${libxml2_path}"; then - LIBXML2_CONFIG="${libxml2_path}/${LIBXML2_CONFIG}" + if test "${libxml2_path}" != "no"; then + LIBXML2_CONFIG="${libxml2_path}/${LIBXML2_CONFIG}" + fi AC_MSG_RESULT([${LIBXML2_CONFIG}]) LIBXML2_CFLAGS="`${LIBXML2_CONFIG} --cflags`" if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(xml CFLAGS: $LIBXML2_CFLAGS); fi diff --git a/apache2/configure b/apache2/configure index d7e87a10..b70d0a71 100755 --- a/apache2/configure +++ b/apache2/configure @@ -691,16 +691,13 @@ INSTALL_DATA INSTALL_SCRIPT INSTALL_PROGRAM CPP -ac_ct_CC -CFLAGS -CC OBJEXT EXEEXT -ac_ct_CXX +ac_ct_CC CPPFLAGS LDFLAGS -CXXFLAGS -CXX +CFLAGS +CC AWK target_alias host_alias @@ -761,14 +758,11 @@ with_curl ac_precious_vars='build_alias host_alias target_alias -CXX -CXXFLAGS +CC +CFLAGS LDFLAGS LIBS CPPFLAGS -CCC -CC -CFLAGS CPP' @@ -1412,15 +1406,13 @@ Optional Packages: --with-curl=PATH Path to curl prefix or config script Some influential environment variables: - CXX C++ compiler command - CXXFLAGS C++ compiler flags + CC C compiler command + CFLAGS C compiler flags LDFLAGS linker flags, e.g. -L if you have libraries in a nonstandard directory LIBS libraries to pass to the linker, e.g. -l CPPFLAGS C/C++/Objective C preprocessor flags, e.g. -I if you have headers in a nonstandard directory - CC C compiler command - CFLAGS C compiler flags CPP C preprocessor Use these variables to override the choices made by `configure' or to help 
@@ -1940,628 +1932,6 @@ fi test -n "$AWK" && break done -ac_ext=cpp -ac_cpp='$CXXCPP $CPPFLAGS' -ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_cxx_compiler_gnu -if test -z "$CXX"; then - if test -n "$CCC"; then - CXX=$CCC - else - if test -n "$ac_tool_prefix"; then - for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC - do - # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. -set dummy $ac_tool_prefix$ac_prog; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CXX+set}" = set; then - $as_echo_n "(cached) " >&6 -else - if test -n "$CXX"; then - ac_cv_prog_CXX="$CXX" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_CXX="$ac_tool_prefix$ac_prog" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done -IFS=$as_save_IFS - -fi -fi -CXX=$ac_cv_prog_CXX -if test -n "$CXX"; then - { $as_echo "$as_me:$LINENO: result: $CXX" >&5 -$as_echo "$CXX" >&6; } -else - { $as_echo "$as_me:$LINENO: result: no" >&5 -$as_echo "no" >&6; } -fi - - - test -n "$CXX" && break - done -fi -if test -z "$CXX"; then - ac_ct_CXX=$CXX - for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... 
" >&6; } -if test "${ac_cv_prog_ac_ct_CXX+set}" = set; then - $as_echo_n "(cached) " >&6 -else - if test -n "$ac_ct_CXX"; then - ac_cv_prog_ac_ct_CXX="$ac_ct_CXX" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_ac_ct_CXX="$ac_prog" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done -IFS=$as_save_IFS - -fi -fi -ac_ct_CXX=$ac_cv_prog_ac_ct_CXX -if test -n "$ac_ct_CXX"; then - { $as_echo "$as_me:$LINENO: result: $ac_ct_CXX" >&5 -$as_echo "$ac_ct_CXX" >&6; } -else - { $as_echo "$as_me:$LINENO: result: no" >&5 -$as_echo "no" >&6; } -fi - - - test -n "$ac_ct_CXX" && break -done - - if test "x$ac_ct_CXX" = x; then - CXX="g++" - else - case $cross_compiling:$ac_tool_warned in -yes:) -{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 -$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} -ac_tool_warned=yes ;; -esac - CXX=$ac_ct_CXX - fi -fi - - fi -fi -# Provide some information about the compiler. -$as_echo "$as_me:$LINENO: checking for C++ compiler version" >&5 -set X $ac_compile -ac_compiler=$2 -{ (ac_try="$ac_compiler --version >&5" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compiler --version >&5") 2>&5 - ac_status=$? - $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); } -{ (ac_try="$ac_compiler -v >&5" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compiler -v >&5") 2>&5 - ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } -{ (ac_try="$ac_compiler -V >&5" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compiler -V >&5") 2>&5 - ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } - -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -ac_clean_files_save=$ac_clean_files -ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" -# Try to create an executable without -o first, disregard a.out. -# It will help us diagnose broken compilers, and finding out an intuition -# of exeext. -{ $as_echo "$as_me:$LINENO: checking for C++ compiler default output file name" >&5 -$as_echo_n "checking for C++ compiler default output file name... 
" >&6; } -ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` - -# The possible output files: -ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" - -ac_rmfiles= -for ac_file in $ac_files -do - case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; - * ) ac_rmfiles="$ac_rmfiles $ac_file";; - esac -done -rm -f $ac_rmfiles - -if { (ac_try="$ac_link_default" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link_default") 2>&5 - ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then - # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. -# So ignore a value of `no', otherwise this would lead to `EXEEXT = no' -# in a Makefile. We should not override ac_cv_exeext if it was cached, -# so that the user can short-circuit this test for compilers unknown to -# Autoconf. -for ac_file in $ac_files '' -do - test -f "$ac_file" || continue - case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) - ;; - [ab].out ) - # We found the default executable, but exeext='' is most - # certainly right. - break;; - *.* ) - if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; - then :; else - ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` - fi - # We set ac_cv_exeext here because the later test for it is not - # safe: cross compilers may not add the suffix if given an `-o' - # argument, so we may need to know it at that point already. - # Even if this section looks crufty: it has the advantage of - # actually working. 
- break;; - * ) - break;; - esac -done -test "$ac_cv_exeext" = no && ac_cv_exeext= - -else - ac_file='' -fi - -{ $as_echo "$as_me:$LINENO: result: $ac_file" >&5 -$as_echo "$ac_file" >&6; } -if test -z "$ac_file"; then - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -{ { $as_echo "$as_me:$LINENO: error: C++ compiler cannot create executables -See \`config.log' for more details." >&5 -$as_echo "$as_me: error: C++ compiler cannot create executables -See \`config.log' for more details." >&2;} - { (exit 77); exit 77; }; }; } -fi - -ac_exeext=$ac_cv_exeext - -# Check that the compiler produces executables we can run. If not, either -# the compiler is broken, or we cross compile. -{ $as_echo "$as_me:$LINENO: checking whether the C++ compiler works" >&5 -$as_echo_n "checking whether the C++ compiler works... " >&6; } -# FIXME: These cross compiler hacks should be removed for Autoconf 3.0 -# If not cross compiling, check that we can run a simple program. -if test "$cross_compiling" != yes; then - if { ac_try='./$ac_file' - { (case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - cross_compiling=no - else - if test "$cross_compiling" = maybe; then - cross_compiling=yes - else - { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -{ { $as_echo "$as_me:$LINENO: error: cannot run C++ compiled programs. -If you meant to cross compile, use \`--host'. -See \`config.log' for more details." >&5 -$as_echo "$as_me: error: cannot run C++ compiled programs. -If you meant to cross compile, use \`--host'. -See \`config.log' for more details." 
>&2;} - { (exit 1); exit 1; }; }; } - fi - fi -fi -{ $as_echo "$as_me:$LINENO: result: yes" >&5 -$as_echo "yes" >&6; } - -rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out -ac_clean_files=$ac_clean_files_save -# Check that the compiler produces executables we can run. If not, either -# the compiler is broken, or we cross compile. -{ $as_echo "$as_me:$LINENO: checking whether we are cross compiling" >&5 -$as_echo_n "checking whether we are cross compiling... " >&6; } -{ $as_echo "$as_me:$LINENO: result: $cross_compiling" >&5 -$as_echo "$cross_compiling" >&6; } - -{ $as_echo "$as_me:$LINENO: checking for suffix of executables" >&5 -$as_echo_n "checking for suffix of executables... " >&6; } -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then - # If both `conftest.exe' and `conftest' are `present' (well, observable) -# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will -# work properly (i.e., refer to `conftest.exe'), while it won't with -# `rm'. -for ac_file in conftest.exe conftest conftest.*; do - test -f "$ac_file" || continue - case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; - *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` - break;; - * ) break;; - esac -done -else - { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link -See \`config.log' for more details." >&5 -$as_echo "$as_me: error: cannot compute suffix of executables: cannot compile and link -See \`config.log' for more details." 
>&2;} - { (exit 1); exit 1; }; }; } -fi - -rm -f conftest$ac_cv_exeext -{ $as_echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5 -$as_echo "$ac_cv_exeext" >&6; } - -rm -f conftest.$ac_ext -EXEEXT=$ac_cv_exeext -ac_exeext=$EXEEXT -{ $as_echo "$as_me:$LINENO: checking for suffix of object files" >&5 -$as_echo_n "checking for suffix of object files... " >&6; } -if test "${ac_cv_objext+set}" = set; then - $as_echo_n "(cached) " >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.o conftest.obj -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compile") 2>&5 - ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then - for ac_file in conftest.o conftest.obj conftest.*; do - test -f "$ac_file" || continue; - case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; - *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` - break;; - esac -done -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile -See \`config.log' for more details." >&5 -$as_echo "$as_me: error: cannot compute suffix of object files: cannot compile -See \`config.log' for more details." 
>&2;} - { (exit 1); exit 1; }; }; } -fi - -rm -f conftest.$ac_cv_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_objext" >&5 -$as_echo "$ac_cv_objext" >&6; } -OBJEXT=$ac_cv_objext -ac_objext=$OBJEXT -{ $as_echo "$as_me:$LINENO: checking whether we are using the GNU C++ compiler" >&5 -$as_echo_n "checking whether we are using the GNU C++ compiler... " >&6; } -if test "${ac_cv_cxx_compiler_gnu+set}" = set; then - $as_echo_n "(cached) " >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -int -main () -{ -#ifndef __GNUC__ - choke me -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_cxx_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_compiler_gnu=yes -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_compiler_gnu=no -fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -ac_cv_cxx_compiler_gnu=$ac_compiler_gnu - -fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_cxx_compiler_gnu" >&5 -$as_echo "$ac_cv_cxx_compiler_gnu" >&6; } -if test $ac_compiler_gnu = yes; then - GXX=yes -else - GXX= -fi -ac_test_CXXFLAGS=${CXXFLAGS+set} -ac_save_CXXFLAGS=$CXXFLAGS -{ $as_echo "$as_me:$LINENO: checking whether $CXX accepts -g" >&5 -$as_echo_n "checking whether $CXX accepts -g... 
" >&6; } -if test "${ac_cv_prog_cxx_g+set}" = set; then - $as_echo_n "(cached) " >&6 -else - ac_save_cxx_werror_flag=$ac_cxx_werror_flag - ac_cxx_werror_flag=yes - ac_cv_prog_cxx_g=no - CXXFLAGS="-g" - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_cxx_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_prog_cxx_g=yes -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - CXXFLAGS="" - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_cxx_werror_flag" || - test ! 
-s conftest.err - } && test -s conftest.$ac_objext; then - : -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cxx_werror_flag=$ac_save_cxx_werror_flag - CXXFLAGS="-g" - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_cxx_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - ac_cv_prog_cxx_g=yes -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - -fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - ac_cxx_werror_flag=$ac_save_cxx_werror_flag -fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cxx_g" >&5 -$as_echo "$ac_cv_prog_cxx_g" >&6; } -if test "$ac_test_CXXFLAGS" = set; then - CXXFLAGS=$ac_save_CXXFLAGS -elif test $ac_cv_prog_cxx_g = yes; then - if test "$GXX" = yes; then - CXXFLAGS="-g -O2" - else - CXXFLAGS="-g" - fi -else - if test "$GXX" = yes; then - CXXFLAGS="-O2" - else - CXXFLAGS= - fi -fi -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS 
conftest.$ac_ext >&5' 
@@ -2906,6 +2276,256 @@ $as_echo "$ac_try_echo") >&5 $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +ac_clean_files_save=$ac_clean_files +ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" +# Try to create an executable without -o first, disregard a.out. +# It will help us diagnose broken compilers, and finding out an intuition +# of exeext. +{ $as_echo "$as_me:$LINENO: checking for C compiler default output file name" >&5 +$as_echo_n "checking for C compiler default output file name... " >&6; } +ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` + +# The possible output files: +ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" + +ac_rmfiles= +for ac_file in $ac_files +do + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; + * ) ac_rmfiles="$ac_rmfiles $ac_file";; + esac +done +rm -f $ac_rmfiles + +if { (ac_try="$ac_link_default" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link_default") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then + # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. +# So ignore a value of `no', otherwise this would lead to `EXEEXT = no' +# in a Makefile. We should not override ac_cv_exeext if it was cached, +# so that the user can short-circuit this test for compilers unknown to +# Autoconf. 
+for ac_file in $ac_files '' +do + test -f "$ac_file" || continue + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) + ;; + [ab].out ) + # We found the default executable, but exeext='' is most + # certainly right. + break;; + *.* ) + if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; + then :; else + ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` + fi + # We set ac_cv_exeext here because the later test for it is not + # safe: cross compilers may not add the suffix if given an `-o' + # argument, so we may need to know it at that point already. + # Even if this section looks crufty: it has the advantage of + # actually working. + break;; + * ) + break;; + esac +done +test "$ac_cv_exeext" = no && ac_cv_exeext= + +else + ac_file='' +fi + +{ $as_echo "$as_me:$LINENO: result: $ac_file" >&5 +$as_echo "$ac_file" >&6; } +if test -z "$ac_file"; then + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: C compiler cannot create executables +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: C compiler cannot create executables +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; }; } +fi + +ac_exeext=$ac_cv_exeext + +# Check that the compiler produces executables we can run. If not, either +# the compiler is broken, or we cross compile. +{ $as_echo "$as_me:$LINENO: checking whether the C compiler works" >&5 +$as_echo_n "checking whether the C compiler works... " >&6; } +# FIXME: These cross compiler hacks should be removed for Autoconf 3.0 +# If not cross compiling, check that we can run a simple program. 
+if test "$cross_compiling" != yes; then + if { ac_try='./$ac_file' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + cross_compiling=no + else + if test "$cross_compiling" = maybe; then + cross_compiling=yes + else + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot run C compiled programs. +If you meant to cross compile, use \`--host'. +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot run C compiled programs. +If you meant to cross compile, use \`--host'. +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } + fi + fi +fi +{ $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + +rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out +ac_clean_files=$ac_clean_files_save +# Check that the compiler produces executables we can run. If not, either +# the compiler is broken, or we cross compile. +{ $as_echo "$as_me:$LINENO: checking whether we are cross compiling" >&5 +$as_echo_n "checking whether we are cross compiling... " >&6; } +{ $as_echo "$as_me:$LINENO: result: $cross_compiling" >&5 +$as_echo "$cross_compiling" >&6; } + +{ $as_echo "$as_me:$LINENO: checking for suffix of executables" >&5 +$as_echo_n "checking for suffix of executables... " >&6; } +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; then + # If both `conftest.exe' and `conftest' are `present' (well, observable) +# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will +# work properly (i.e., refer to `conftest.exe'), while it won't with +# `rm'. +for ac_file in conftest.exe conftest conftest.*; do + test -f "$ac_file" || continue + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; + *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` + break;; + * ) break;; + esac +done +else + { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute suffix of executables: cannot compile and link +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } +fi + +rm -f conftest$ac_cv_exeext +{ $as_echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5 +$as_echo "$ac_cv_exeext" >&6; } + +rm -f conftest.$ac_ext +EXEEXT=$ac_cv_exeext +ac_exeext=$EXEEXT +{ $as_echo "$as_me:$LINENO: checking for suffix of object files" >&5 +$as_echo_n "checking for suffix of object files... " >&6; } +if test "${ac_cv_objext+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.o conftest.obj +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; then + for ac_file in conftest.o conftest.obj conftest.*; do + test -f "$ac_file" || continue; + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; + *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` + break;; + esac +done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute suffix of object files: cannot compile +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; }; } +fi + +rm -f conftest.$ac_cv_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_objext" >&5 +$as_echo "$ac_cv_objext" >&6; } +OBJEXT=$ac_cv_objext +ac_objext=$OBJEXT { $as_echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5 $as_echo_n "checking whether we are using the GNU C compiler... " >&6; } if test "${ac_cv_c_compiler_gnu+set}" = set; then @@ -4192,7 +3812,9 @@ done -for ac_header in fcntl.h limits.h stdlib.h string.h unistd.h + + +for ac_header in fcntl.h limits.h stdlib.h string.h unistd.h sys/types.h sys/stat.h do as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then @@ -5285,8 +4907,7 @@ esac - -for ac_func in atexit fchmod getcwd memmove memset strcasecmp strchr strdup strerror strncasecmp strrchr strstr strtol +for ac_func in atexit getcwd memmove memset strcasecmp strchr strdup strerror strncasecmp strrchr strstr strtol do as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` { $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 
@@ -5800,8 +5421,8 @@ fi for x in ${test_paths}; do if test ! -d "$x" -a -e "$x"; then - PCRE_CONFIG="`basename $x`" - pcre_path=`echo $x | sed "s/\/\?${PCRE_CONFIG}\$//"` + PCRE_CONFIG=$x + pcre_path="no" break fi @@ -5824,7 +5445,9 @@ done LDFLAGS=$save_LDFLAGS if test -n "${pcre_path}"; then - PCRE_CONFIG="${pcre_path}/${PCRE_CONFIG}" + if test "${pcre_path}" != "no"; then + PCRE_CONFIG="${pcre_path}/${PCRE_CONFIG}" + fi { $as_echo "$as_me:$LINENO: result: ${PCRE_CONFIG}" >&5 $as_echo "${PCRE_CONFIG}" >&6; } PCRE_CFLAGS="`${PCRE_CONFIG} --cflags`" @@ -5870,12 +5493,12 @@ $as_echo_n "checking for libapr config script... " >&6; } for x in ${test_paths}; do if test ! -d "$x" -a -e "$x"; then - APR_CONFIG="`basename $x`" - apr_path=`echo $x | sed "s/\/\?${APR_CONFIG}\$//"` + APR_CONFIG=$x + apr_path=no break fi - for APR_CONFIG in apr-1-mt-config apr-1-config apr-mt-config apr-config; do + for APR_CONFIG in apr-1-mt-config apr-1-config apr-config-1 apr-mt-config-1 apr-mt-config apr-config; do if test -e "${x}/bin/${APR_CONFIG}"; then apr_path="${x}/bin" break @@ -5892,7 +5515,9 @@ for x in ${test_paths}; do done if test -n "${apr_path}"; then - APR_CONFIG="${apr_path}/${APR_CONFIG}" + if test "${apr_path}" != "no"; then + APR_CONFIG="${apr_path}/${APR_CONFIG}" + fi { $as_echo "$as_me:$LINENO: result: ${APR_CONFIG}" >&5 $as_echo "${APR_CONFIG}" >&6; } APR_CFLAGS="`${APR_CONFIG} --includes --cppflags --cflags`" @@ -5947,11 +5572,11 @@ $as_echo_n "checking for libapu config script... " >&6; } for x in ${test_paths}; do if test ! -d "$x" -a -e "$x"; then APU_CONFIG="`basename $x`" - apu_path=`echo $x | sed "s/\/\?${APU_CONFIG}\$//"` + apu_path="no" break fi - for APU_CONFIG in apu-1-mt-config apu-1-config apu-mt-config apu-config; do + for APU_CONFIG in apu-1-mt-config apu-1-config apu-config-1 apu-mt-config-1 apu-mt-config apu-config; do if test -e "${x}/bin/${APU_CONFIG}"; then apu_path="${x}/bin" break 
@@ -5968,7 +5593,9 @@ for x in ${test_paths}; do done if test -n "${apu_path}"; then - APU_CONFIG="${apu_path}/${APU_CONFIG}" + if test "${apu_path}" != "no"; then + APU_CONFIG="${apu_path}/${APU_CONFIG}" + fi { $as_echo "$as_me:$LINENO: result: ${APU_CONFIG}" >&5 $as_echo "${APU_CONFIG}" >&6; } APU_CFLAGS="`${APU_CONFIG} --includes`" @@ -6022,8 +5649,8 @@ $as_echo_n "checking for libxml2 config script... " >&6; } for x in ${test_paths}; do if test ! -d "$x" -a -e "$x"; then - LIBXML2_CONFIG="`basename $x`" - libxml2_path=`echo $x | sed "s/\/\?${LIBXML2_CONFIG}\$//"` + LIBXML2_CONFIG=$x + libxml2_path="no" break fi @@ -6046,7 +5673,9 @@ done LDFLAGS=$save_LDFLAGS if test -n "${libxml2_path}"; then - LIBXML2_CONFIG="${libxml2_path}/${LIBXML2_CONFIG}" + if test "${libxml2_path}" != "no"; then + LIBXML2_CONFIG="${libxml2_path}/${LIBXML2_CONFIG}" + fi { $as_echo "$as_me:$LINENO: result: ${LIBXML2_CONFIG}" >&5 $as_echo "${LIBXML2_CONFIG}" >&6; } LIBXML2_CFLAGS="`${LIBXML2_CONFIG} --cflags`" @@ -6269,8 +5898,8 @@ $as_echo_n "checking for libcurl config script... " >&6; } for x in ${test_paths}; do if test ! -d "$x" -a -e "$x"; then - CURL_CONFIG="`basename $x`" - curl_path=`echo $x | sed "s/\/\?${CURL_CONFIG}\$//"` + CURL_CONFIG=$x + curl_path="no" break fi @@ -6291,7 +5920,9 @@ for x in ${test_paths}; do done if test -n "${curl_path}"; then - CURL_CONFIG="${curl_path}/${CURL_CONFIG}" + if test "${curl_path}" != "no"; then + CURL_CONFIG="${curl_path}/${CURL_CONFIG}" + fi { $as_echo "$as_me:$LINENO: result: ${CURL_CONFIG}" >&5 $as_echo "${CURL_CONFIG}" >&6; } CURL_CFLAGS="`${CURL_CONFIG} --cflags`" diff --git a/apache2/configure.in b/apache2/configure.in index beb943cc..37241fa7 100644 --- a/apache2/configure.in +++ b/apache2/configure.in @@ -14,7 +14,6 @@ AC_CONFIG_AUX_DIR([build]) # Checks for programs. AC_PROG_AWK -AC_PROG_CXX AC_PROG_CC AC_PROG_CPP AC_PROG_INSTALL 
@@ -27,7 +26,7 @@ AC_PATH_PROGS(ENV_CMD, [env printenv], ) # Checks for header files. AC_HEADER_STDC -AC_CHECK_HEADERS([fcntl.h limits.h stdlib.h string.h unistd.h]) +AC_CHECK_HEADERS([fcntl.h limits.h stdlib.h string.h unistd.h sys/types.h sys/stat.h]) # Checks for typedefs, structures, and compiler characteristics. AC_C_CONST @@ -41,7 +40,7 @@ AC_TYPE_UINT8_T # Checks for library functions. AC_FUNC_MALLOC AC_FUNC_MEMCMP -AC_CHECK_FUNCS([atexit fchmod getcwd memmove memset strcasecmp strchr strdup strerror strncasecmp strrchr strstr strtol]) +AC_CHECK_FUNCS([atexit getcwd memmove memset strcasecmp strchr strdup strerror strncasecmp strrchr strstr strtol]) # Some directories MSC_BASE_DIR=`pwd` diff --git a/apache2/mod_security2_config.h.in b/apache2/mod_security2_config.h.in index e6a70445..0d2ea15d 100644 --- a/apache2/mod_security2_config.h.in +++ b/apache2/mod_security2_config.h.in @@ -3,9 +3,6 @@ /* Define to 1 if you have the `atexit' function. */ #undef HAVE_ATEXIT -/* Define to 1 if you have the `fchmod' function. */ -#undef HAVE_FCHMOD - /* Define to 1 if you have the header file. */ #undef HAVE_FCNTL_H diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h index 61c301e9..489d50ad 100644 --- a/apache2/modsecurity.h +++ b/apache2/modsecurity.h @@ -392,6 +392,10 @@ struct directory_config { /* AUDITLOG_SERIAL (single file) or AUDITLOG_CONCURRENT (multiple files) */ int auditlog_type; + /* Mode for audit log directories and files */ + apr_fileperms_t auditlog_dirperms; + apr_fileperms_t auditlog_fileperms; + /* The name of the audit log file (for the old type), or the * name of the index file (for the new audit log type) */ @@ -425,7 +429,7 @@ struct directory_config { const char *upload_dir; int upload_keep_files; int upload_validates_files; - int upload_filemode; + int upload_filemode; /* int only so NOT_SET works */ /* Used only in the configuration phase. */ msre_rule *tmp_chain_starter; 
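Review bot: The two modsecurity.h hunks treat the unset sentinel inconsistently: `upload_filemode` stays `int` with the comment "int only so NOT_SET works", while the new `auditlog_dirperms` and `auditlog_fileperms` are declared `apr_fileperms_t`. If these fields are also compared against `NOT_SET` when configurations are merged, the field comment should say so and confirm that the sentinel cannot collide with a valid permission mask, e.g. `/* Mode for audit log directories and files; NOT_SET until configured */`. The definition of `NOT_SET` and the rest of `struct directory_config` are outside these hunks.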
diff --git a/apache2/msc_logging.c b/apache2/msc_logging.c index 4d1609bc..956f31b5 100644 --- a/apache2/msc_logging.c +++ b/apache2/msc_logging.c @@ -16,6 +16,9 @@ * directly using the email address support@breach.com. * */ +#include + +#include "mod_security2_config.h" #include "re.h" #include "msc_logging.h" #include "httpd.h" @@ -443,7 +446,7 @@ void sec_audit_logger(modsec_rec *msr) { * we could cache the time we last checked and don't check if we know * the folder is there. */ - rc = apr_dir_make_recursive(entry_basename, CREATEMODE_DIR, msr->mp); + rc = apr_dir_make_recursive(entry_basename, msr->txcfg->auditlog_dirperms, msr->mp); if (rc != APR_SUCCESS) { msr_log(msr, 1, "Audit log: Failed to create subdirectories: %s (%s)", entry_basename, get_apr_error(msr->mp, rc)); @@ -452,7 +455,7 @@ void sec_audit_logger(modsec_rec *msr) { rc = apr_file_open(&msr->new_auditlog_fd, entry_filename, APR_WRITE | APR_TRUNCATE | APR_CREATE | APR_BINARY | APR_FILE_NOCLEANUP, - CREATEMODE, msr->mp); + msr->txcfg->auditlog_fileperms, msr->mp); if (rc != APR_SUCCESS) { msr_log(msr, 1, "Audit log: Failed to create file: %s (%s)", entry_filename, get_apr_error(msr->mp, rc)); diff --git a/apache2/msc_multipart.c b/apache2/msc_multipart.c index d63acf86..c87f7d1b 100644 --- a/apache2/msc_multipart.c +++ b/apache2/msc_multipart.c @@ -396,7 +396,7 @@ static int multipart_process_part_data(modsec_rec *msr, char **error_msg) { /* construct temporary file name */ msr->mpd->mpp->tmp_file_name = apr_psprintf(msr->mp, "%s/%s-%s-file-XXXXXX", msr->txcfg->tmp_dir, current_filetime(msr->mp), msr->txid); - msr->mpd->mpp->tmp_file_fd = msc_mkstemp(msr->mpd->mpp->tmp_file_name); + msr->mpd->mpp->tmp_file_fd = msc_mkstemp_ex(msr->mpd->mpp->tmp_file_name, msr->txcfg->upload_filemode); /* do we have an opened file? */ if (msr->mpd->mpp->tmp_file_fd < 0) { 
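Review bot: The `apr_file_open()` call in the `@@ -452,7 +455,7 @@` hunk of msc_logging.c keeps `APR_CREATE | APR_TRUNCATE` without `APR_EXCL`, which matters more once `auditlog_dirperms` can give other accounts write access to the audit directories: a path that already exists at `entry_filename` is truncated and written to instead of being rejected. If the per-transaction file name is meant to be unique (it is built outside the hunk), replacing `APR_TRUNCATE` with `APR_EXCL` in the flags makes the open fail in that case. The configured modes also apply only at creation time, so a comment above `apr_dir_make_recursive()` such as `/* perms affect newly created directories only; existing ones keep their mode */` would save the next reader a surprise. sec_audit_logger starts and ends outside these hunks.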
@@ -409,21 +409,6 @@ static int multipart_process_part_data(modsec_rec *msr, char **error_msg) { msr_log(msr, 4, "Multipart: Created temporary file: %s", log_escape_nq(msr->mp, msr->mpd->mpp->tmp_file_name)); } - - #ifdef HAVE_FCHMOD - if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Multipart: Changing file mode to %04o: %s", msr->txcfg->upload_filemode, log_escape_nq(msr->mp, msr->mpd->mpp->tmp_file_name)); - } - if (fchmod(msr->mpd->mpp->tmp_file_fd, msr->txcfg->upload_filemode) < 0) { - - char errbuf[256]; - if (msr->txcfg->debuglog_level >= 3) { - msr_log(msr, 3, "Multipart: Could not change mode on \"%s\" (%d): %s", - log_escape_nq(msr->mp, msr->mpd->mpp->tmp_file_name), - errno, apr_strerror(APR_FROM_OS_ERROR(errno), errbuf, 256)); - } - } - #endif } /* write the reserve first */ diff --git a/apache2/msc_util.c b/apache2/msc_util.c index 637eebbb..c7e40c66 100644 --- a/apache2/msc_util.c +++ b/apache2/msc_util.c @@ -418,17 +418,24 @@ char *current_filetime(apr_pool_t *mp) { /** * */ -int msc_mkstemp(char *template) { +int msc_mkstemp_ex(char *template, mode_t mode) { /* ENH Use apr_file_mktemp instead. */ #if !(defined(WIN32)||defined(NETWARE)) return mkstemp(template); #else if (mktemp(template) == NULL) return -1; - return open(template, O_WRONLY | O_APPEND | O_CREAT | O_BINARY, CREATEMODE_UNISTD); + return open(template, O_WRONLY | O_APPEND | O_CREAT | O_BINARY, mode); #endif } +/** + * + */ +int msc_mkstemp(char *template) { + return msc_mkstemp_ex(template, CREATEMODE_UNISTD); +} + /** * Converts the input string to lowercase (in-place). */ 
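Review bot: On the non-Windows branch of `msc_mkstemp_ex()` in the msc_util.c hunk the new `mode` argument is never used: the function still returns `mkstemp(template)` directly, and the `fchmod()` block that used to apply `upload_filemode` is removed in the msc_multipart.c `@@ -409,21 +409,6 @@` hunk. As written, SecUploadFileMode appears to take effect only on the WIN32/NETWARE path, and uploaded temporary files keep whatever mode `mkstemp()` gives them. Applying the mode inside the helper keeps the cleanup while preserving the behaviour, as sketched below. On the fallback path, adding `O_EXCL` to the `open()` flags would make the call fail if the name produced by `mktemp()` already exists.

```c
int msc_mkstemp_ex(char *template, mode_t mode) {
    /* ENH Use apr_file_mktemp instead. */

#if !(defined(WIN32)||defined(NETWARE))
    int fd = mkstemp(template);

    if (fd == -1) return -1;

    /* mkstemp() does not take a mode; set the configured one on the open
     * descriptor and fail closed rather than keep a file with an
     * unintended mode.
     */
    if (fchmod(fd, mode) == -1) {
        close(fd);
        unlink(template);
        return -1;
    }

    return fd;
#else
    /* … unchanged: mktemp()/open() fallback … */
#endif
}
```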
@@ -1351,3 +1358,26 @@ int css_decode_inplace(unsigned char *input, long int input_len) { return count; } + +/** + * Translate UNIX octal umask/mode to APR apr_fileperms_t + */ +apr_fileperms_t mode2fileperms(mode_t mode) { + apr_fileperms_t perms = 0; + + if (mode & S_IXOTH) perms |= APR_WEXECUTE; + if (mode & S_IWOTH) perms |= APR_WWRITE; + if (mode & S_IROTH) perms |= APR_WREAD; + if (mode & S_IXGRP) perms |= APR_GEXECUTE; + if (mode & S_IWGRP) perms |= APR_GWRITE; + if (mode & S_IRGRP) perms |= APR_GREAD; + if (mode & S_IXUSR) perms |= APR_UEXECUTE; + if (mode & S_IWUSR) perms |= APR_UWRITE; + if (mode & S_IRUSR) perms |= APR_UREAD; + if (mode & S_ISVTX) perms |= APR_WSTICKY; + if (mode & S_ISGID) perms |= APR_GSETID; + if (mode & S_ISUID) perms |= APR_USETID; + + return perms; +} + diff --git a/apache2/msc_util.h b/apache2/msc_util.h index f2797362..6811cff1 100644 --- a/apache2/msc_util.h +++ b/apache2/msc_util.h @@ -19,6 +19,9 @@ #ifndef _UTIL_H_ #define _UTIL_H_ +#include +#include + #include "modsecurity.h" int DSOLOCAL normalise_path_inplace(unsigned char *input, int len, int win, int *changed); @@ -53,6 +56,8 @@ char DSOLOCAL *current_logtime(apr_pool_t *mp); char DSOLOCAL *current_filetime(apr_pool_t *mp); +int DSOLOCAL msc_mkstemp_ex(char *template, mode_t mode); + int DSOLOCAL msc_mkstemp(char *template); char DSOLOCAL *strtolower_inplace(unsigned char *str); @@ -94,4 +99,6 @@ char DSOLOCAL *resolve_relative_path(apr_pool_t *pool, const char *parent_filena int DSOLOCAL css_decode_inplace(unsigned char *input, long int input_len); +apr_fileperms_t DSOLOCAL mode2fileperms(mode_t mode); + #endif diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml index 4a240ef4..920a8c8d 100644 --- a/doc/modsecurity2-apache-reference.xml +++ b/doc/modsecurity2-apache-reference.xml @@ -6,7 +6,7 @@ Manual - Version 2.6.0-trunk (Aug 12, 2009) + Version 2.6.0-trunk (Aug 24, 2009) 2004-2009 
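Review bot: The header comment on `mode2fileperms()` in the msc_util.c hunk calls the argument an "octal umask/mode", but every set bit is translated to a granted APR permission, so passing a umask would produce the inverse of what was intended. I would word it as `/* Translate a UNIX permission mode (as given to chmod, not a umask) to apr_fileperms_t. */`. The function also passes `S_ISUID`, `S_ISGID` and `S_ISVTX` through to `APR_USETID`, `APR_GSETID` and `APR_WSTICKY`; if set-id bits on audit log files are not wanted, the code that parses the directive (not in this hunk) is the place to mask them. The body is compiled unconditionally, so platforms whose `sys/stat.h` lacks the group/other or set-id macros would presumably need a guard.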
@@ -698,6 +698,79 @@ SecAuditLogStorageDir logs/audit audit logging. +
+ <literal>SecAuditLogDirMode</literal> + + Description: Configures the mode + (permissions) of any directories created for concurrent audit logs using + an octal mode (as used in chmod). See SecAuditLogFileMode for controlling the mode + of audit log files. + + Syntax: SecAuditLogDirMode octal_mode|"default" + + Example Usage: SecAuditLogDirMode 02750 + + Processing Phase: N/A + + Scope: Any + + Version: 2.5.10 + + Dependencies/Notes: This feature is not + available on operating systems not supporting octal file modes. The + default mode (0600) only grants read/write access to the account writing + the file. If access from another account is needed (using mpm-itk is a + good example), then this directive may be required. However, use this + directive with caution to avoid exposing potentially sensitive data to + unauthorized users. Using the value "default" will revert back to the + default setting. + + + The process umask may still limit the mode if it is being more + restrictive than the mode set using this directive. + +
+ +
+ <literal>SecAuditLogFileMode</literal> + + Description: Configures the mode + (permissions) of any files created for concurrent audit logs using an + octal mode (as used in chmod). See SecAuditLogDirMode for controlling the mode of + created audit log directories. + + Syntax: SecAuditLogFileMode + octal_mode|"default" + + Example Usage: SecAuditLogFileMode 00640 + + Processing Phase: N/A + + Scope: Any + + Version: 2.5.10 + + Dependencies/Notes: This feature is not + available on operating systems not supporting octal file modes. The + default mode (0600) only grants read/write access to the account writing + the file. If access from another account is needed (using mpm-itk is a + good example), then this directive may be required. However, use this + directive with caution to avoid exposing potentially sensitive data to + unauthorized users. Using the value "default" will revert back to the + default setting. + + + The process umask may still limit the mode if it is being more + restrictive than the mode set using this directive. + +
+
<literal>SecAuditLogParts</literal> @@ -2400,7 +2473,7 @@ SecRuleUpdateActionById 12345 "t:compressWhitespace,deny,status:403,msg:'A new m <literal>SecUploadFileMode</literal> Description: Configures the mode - (permissions) of any uploaded files using an octal number (as used in + (permissions) of any uploaded files using an octal mode (as used in chmod). Syntax: + + + The process umask may still limit the mode if it is being more + restrictive than the mode set using this directive. +
@@ -4757,9 +4835,9 @@ setvar:session.suspicious=1,expirevar:session.suspicious=3600Note - Normally you will want to use phase:1 - along with initcol so that the collection is - available in all phases. + Normally you will want to use phase:1 along + with initcol so that the collection is available in + all phases. Collections are loaded into memory when the initcol action is encountered. The collection in storage will be persisted (and the