Apache 2.4 in a jail with Digest auth

Spil Oss spil.oss at gmail.com
Fri Mar 29 21:38:09 UTC 2013


On Fri, Mar 29, 2013 at 9:36 PM, Spil Oss <spil.oss at gmail.com> wrote:
> Hi,
>
> I'm trying to upgrade my apache configuration to 2.4 and ran into
> trouble that I haven't solved yet.
>
> [Fri Mar 29 20:53:26.867199 2013] [auth_digest:notice] [pid 88563:tid
> 679494400] AH01757: generating secret for digest authentication ...
> [Fri Mar 29 20:53:26.867531 2013] [auth_digest:error] [pid 88563:tid
> 679494400] (78)Function not implemented: AH01762: Failed to create
> shared memory segment on file /var/run/authdigest_shm.88563
> [Fri Mar 29 20:53:26.867556 2013] [auth_digest:error] [pid 88563:tid
> 679494400] (78)Function not implemented: AH01760: failed to initialize
> shm - all nonce-count checking, one-time nonces, and MD5-sess
> algorithm disabled
> [Fri Mar 29 20:53:26.867571 2013] [:emerg] [pid 88563:tid 679494400]
> AH00020: Configuration Failed, exiting
>
> Since setting sysvipc.allow = 1 makes the usage of a jail superfluous
> "If it were set to 1, it would defeat the whole purpose of having a
> jail;" [http://www.freebsd.org/doc/en/books/arch-handbook/jail-restrictions.html]
>
> I was searching for a way to get it to use any of the other available
> methods but haven't found any.
> 1. Documentation to change the socache provider I haven't found after
> ploughing through the docs from httpd.apache.org
> 2. Disable shm in apr -> no switch for shm found in configure
>
> Anyone have any bright ideas how to get Apache 2.4 to get to use a
> different store for the nonce?
>
> (This is basically a duplicate of
> http://lists.freebsd.org/pipermail/freebsd-ports/2013-February/081052.html
> item 6 but now for the official port.)
>
> Kind regards,
>
> Spil.

Finally found something that I could hack...

APR_HAS_SHARED_MEMORY from apr.h

For now I've created an ugly kludge in
work/httpd-2.4.4/modules/aaa/mod_auth_digest.c but at least I can use
digest auth again!

Tempted to just hack apr.h in the jail... But that would adversely
affect other programs potentially. I'm sure someone can find a way to
make this work in a jail in a proper way.
An OPTIONS knob in the port would be very much appreciated.

Only downside I found in the source is
        return "AuthDigestNcCheck: ERROR: nonce-count checking "
                     "is not supported on platforms without shared-memory "
                     "support";
So it seems I've sacrificed some security here but at least I'm not
back at auth-Basic.

Kind regards,
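
Added example, not part of the original post and not Apache's code: a small model of what the nonce-count check mentioned above contributes to Digest auth. The response is computed per RFC 2617 with qop=auth; the user, realm, password, nonce and the "nc must increase" rule are constructed assumptions for illustration, and nc_check=False stands in for a build without shared memory.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestVerifier:
    """Server-side check; nc_check=False models a server with no per-nonce state."""
    def __init__(self, realm, users, nc_check):
        self.realm, self.users, self.nc_check = realm, users, nc_check
        self.last_nc = {}  # nonce -> highest nonce-count seen so far

    def verify(self, req):
        password = self.users.get(req["username"])
        if password is None:
            return "reject: unknown user"
        expected = digest_response(req["username"], self.realm, password,
                                   req["method"], req["uri"], req["nonce"],
                                   req["nc"], req["cnonce"])
        if not hmac.compare_digest(expected, req["response"]):
            return "reject: bad response"
        if self.nc_check:
            nc = int(req["nc"], 16)  # nc is 8 hex digits on the wire
            if nc <= self.last_nc.get(req["nonce"], 0):
                return "reject: nonce-count reused"
            self.last_nc[req["nonce"]] = nc
        return "accept"

def make_request(nc, nonce="constructed-nonce-0001", cnonce="c0ffee"):
    # Constructed sample values, not taken from the post.
    resp = digest_response("alice", "example", "s3cret", "GET", "/private/", nonce, nc, cnonce)
    return {"username": "alice", "method": "GET", "uri": "/private/",
            "nonce": nonce, "nc": nc, "cnonce": cnonce, "response": resp}

def demo(nc_check):
    server = DigestVerifier("example", {"alice": "s3cret"}, nc_check)
    first = make_request("00000001")
    # Same header presented twice, then a legitimate follow-up with nc incremented.
    return [server.verify(first), server.verify(dict(first)),
            server.verify(make_request("00000002"))]

if __name__ == "__main__":
    print(demo(True), demo(False))
```

With the check on, the repeated header is refused while the follow-up request with the next nc is accepted; with it off, an identical header stays valid for as long as the nonce does.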


More information about the freebsd-apache mailing list