Message ID | 20230914191726.28670-1-giulio.benetti@benettiengineering.com |
---|---|
State | Superseded |
Series | package/apache-utils: new package |
Hello Giulio,

On Thu, 14 Sep 2023 21:17:26 +0200
Giulio Benetti <giulio.benetti@benettiengineering.com> wrote:

> From: Giulio Benetti <giulio.benetti+tekvox@benettiengineering.com>
>
> Build htdigest and htpasswd utilities only without building entire Apache
> package.
>
> Cc: Jim Reinhart <jimr@tekvox.com>
> Cc: James Autry <jautry@tekvox.com>
> Cc: Matthew Maron <matthewm@tekvox.com>
> Signed-off-by: Giulio Benetti <giulio.benetti+tekvox@benettiengineering.com>

Thanks for the proposal. I'm always a bit "meh" when it comes to adding
a new package that uses the same source code as another package. It
causes extra maintenance work (you need to update both packages, apply
patches to both, keep track of CVEs for both, etc.).

What is the use case for needing this without the Apache server? Can we
change the Apache package to instead allow installing only those tools?

Best regards,

Thomas

Hi Thomas,

On 14/09/23 21:49, Thomas Petazzoni wrote:
> Hello Giulio,
>
> On Thu, 14 Sep 2023 21:17:26 +0200
> Giulio Benetti <giulio.benetti@benettiengineering.com> wrote:
>
>> From: Giulio Benetti <giulio.benetti+tekvox@benettiengineering.com>
>>
>> Build htdigest and htpasswd utilities only without building entire Apache
>> package.
>>
>> Cc: Jim Reinhart <jimr@tekvox.com>
>> Cc: James Autry <jautry@tekvox.com>
>> Cc: Matthew Maron <matthewm@tekvox.com>
>> Signed-off-by: Giulio Benetti <giulio.benetti+tekvox@benettiengineering.com>
>
> Thanks for the proposal. I'm always a bit "meh" when it comes to adding
> a new package that uses the same source code as another package. It
> causes extra maintenance work (you need to update both packages, apply
> patches to both, keep track of CVEs for both, etc.).

I was unsure whether to deal with it this way and after searching I've found
packages uboot and uboot-tools.

> What is the use case for needing this without the Apache server?

I need htdigest to manipulate .htdigest file on target used by SWUpdate
to deal with credentials.

> Can we
> change the Apache package to instead allow installing only those tools?

Yes, I can modify by adding an option to package apache like
BR2_PACKAGE_APACHE_BUILD_TOOLS_ONLY and then in apache.mk I do like:
ifeq ($(BR2_PACKAGE_APACHE_BUILD_UTILS_ONLY),y)
what I do in apache-utils package
else
what it's actually done in apache package
endif

This is because I can't build only htdigest and htpasswd by using
standard autotools-package infrastructure and I need to make specific
targets under $(@D)/support. Otherwise it will try (and fail)
to build a part of httpd.

This is what I've found so far, but maybe I can dig deeper and maybe
find a long sequence of:
--disable-a
--disable-b
etc.
to use autotools infrastructure.

Best regards

Giulio, Thomas, All,

On 2023-09-14 22:11 +0200, Giulio Benetti spake thusly:
> On 14/09/23 21:49, Thomas Petazzoni wrote:
> >On Thu, 14 Sep 2023 21:17:26 +0200
> >Giulio Benetti <giulio.benetti@benettiengineering.com> wrote:
> >>From: Giulio Benetti <giulio.benetti+tekvox@benettiengineering.com>
> >>Build htdigest and htpasswd utilities only without building entire Apache
> >>package.
[--SNIP--]
> >Thanks for the proposal. I'm always a bit "meh" when it comes to adding
> >a new package that uses the same source code as another package. It
> >causes extra maintenance work (you need to update both packages, apply
> >patches to both, keep track of CVEs for both, etc.).
> I was unsure whether to deal with it this way and after searching I've found
> packages uboot and uboot-tools.

We can slightly loosen the restrictions for those special packages, like
the kernel or the bootloaders. U-Boot is a bootloader, so deviation is
kinda acceptable (and unavoidable).

> >What is the use case for needing this without the Apache server?
> I need htdigest to manipulate .htdigest file on target used by SWUpdate
> to deal with credentials.

ACK, valid need √ ;-)

> >Can we
> >change the Apache package to instead allow installing only those tools?
>
> Yes, I can modify by adding an option to package apache like
> BR2_PACKAGE_APACHE_BUILD_TOOLS_ONLY and then in apache.mk I do like:
> ifeq ($(BR2_PACKAGE_APACHE_BUILD_UTILS_ONLY),y)
> what I do in apache-utils package
> else
> what it's actually done in apache package
> endif

I am not too fond of that, and it is going to be a bit more complex than
that. Indeed, if building only the tools, we don't want to depend on all
the optional dependencies (zlib, lua, brotli...).

And introducing a whole-file ifeq-else-endif block is not much better
than a duplicate package; I even find it worse, because it obfuscates the
package's .mk...

> This is because I can't build only htdigest and htpasswd by using
> standard autotools-package infrastructure and I need to make specific
> targets under $(@D)/support. Otherwise it will try (and fail)
> to build a part of httpd.

I think it would be relatively trivial to provide your own htdigest with
a simple shell script:

    #!/bin/sh

    create=false
    if [ "${1}" = "-c" ]; then
        create=true
        shift
    fi
    passwd_file="${1}"
    realm="${2}"
    user="${3}"

    # ${create} expands to the shell builtin "true" or "false"
    if ${create}; then
        > "${passwd_file}"
    fi
    if ! [ -f "${passwd_file}" ]; then
        printf 'Could not open passwd file %s for reading.\n' "${passwd_file}"
        printf 'Use -c option to create new one.\n'
        exit 1
    fi >&2

    # user and realm are interpreted as regular expressions here
    if grep -q "^${user}:${realm}:" "${passwd_file}"; then
        printf 'Changing password for user %s in realm %s\n' "${user}" "${realm}"
        sed -r -i -e "/^${user}:${realm}:/d" "${passwd_file}"
    else
        printf 'Adding user %s in realm %s\n' "${user}" "${realm}"
    fi
    # Prompts go to the original stdout (fd 3); stdout itself is silenced
    exec 3>&1
    exec >/dev/null
    printf 'New password: ' >&3
    read -r passwd
    printf 'Re-type new password: ' >&3
    read -r passwd2
    exec >&3
    exec 3>&-
    if [ "${passwd}" != "${passwd2}" ]; then
        printf "They don't match, sorry.\n"
        exit 1
    fi >&2

    # md5sum prints "<hash>  -"; keep only the hash
    hash="$( printf '%s:%s:%s' "${user}" "${realm}" "${passwd}" |md5sum )"
    printf '%s:%s:%s\n' "${user}" "${realm}" "${hash%% *}" >>"${passwd_file}"

Totally untested, use at your own risk...

htpasswd is quite a bit more complex, though, so if you really need it,
impersonating it is not going to be easy...

Bottom line: if only htdigest needed, then a script will help (not sure
we'd need such a package in Buildroot, though). Otherwise, I don't have
a good idea yet...

Regards,
Yann E. MORIN.

> This is what I've found so far, but maybe I can dig deeper and maybe
> find a long sequence of:
> --disable-a
> --disable-b
> etc.
> to use autotools infrastructure.
>
> Best regards
> --
> Giulio Benetti
> CEO&CTO@Benetti Engineering sas

Hi Yann, Thomas, All,

On 16/09/23 00:17, Yann E. MORIN wrote:
> Giulio, Thomas, All,
>
> On 2023-09-14 22:11 +0200, Giulio Benetti spake thusly:
>> On 14/09/23 21:49, Thomas Petazzoni wrote:
>>> On Thu, 14 Sep 2023 21:17:26 +0200
>>> Giulio Benetti <giulio.benetti@benettiengineering.com> wrote:
>>>> From: Giulio Benetti <giulio.benetti+tekvox@benettiengineering.com>
>>>> Build htdigest and htpasswd utilities only without building entire Apache
>>>> package.
> [--SNIP--]
>>> Thanks for the proposal. I'm always a bit "meh" when it comes to adding
>>> a new package that uses the same source code as another package. It
>>> causes extra maintenance work (you need to update both packages, apply
>>> patches to both, keep track of CVEs for both, etc.).
>> I was unsure whether to deal with it this way and after searching I've found
>> packages uboot and uboot-tools.
>
> We can slightly loosen the restrictions for those special packages, like
> the kernel or the bootloaders. U-Boot is a bootloader, so deviation is
> kinda acceptable (and unavoidable).
>
>>> What is the use case for needing this without the Apache server?
>> I need htdigest to manipulate .htdigest file on target used by SWUpdate
>> to deal with credentials.
>
> ACK, valid need √ ;-)

I've forgotten to mention that Mongoose requires it for a webpage with
credentials too.

>
>>> Can we
>>> change the Apache package to instead allow installing only those tools?
>>
>> Yes, I can modify by adding an option to package apache like
>> BR2_PACKAGE_APACHE_BUILD_TOOLS_ONLY and then in apache.mk I do like:
>> ifeq ($(BR2_PACKAGE_APACHE_BUILD_UTILS_ONLY),y)
>> what I do in apache-utils package
>> else
>> what it's actually done in apache package
>> endif
>
> I am not too fond of that, and it is going to be a bit more complex than
> that. Indeed, if building only the tools, we don't want to depend on all
> the optional dependencies (zlib, lua, brotli...).
>
> And introducing a whole-file ifeq-else-endif block is not much better
> than a duplicate package; I even find it worse, because it obfuscates the
> package's .mk...
>
>> This is because I can't build only htdigest and htpasswd by using
>> standard autotools-package infrastructure and I need to make specific
>> targets under $(@D)/support. Otherwise it will try (and fail)
>> to build a part of httpd.
>
> I think it would be relatively trivial to provide your own htdigest with
> a simple shell script:
>
>     #!/bin/sh
>
>     create=false
>     if [ "${1}" = "-c" ]; then
>         create=true
>         shift
>     fi
>     passwd_file="${1}"
>     realm="${2}"
>     user="${3}"
>
>     # ${create} expands to the shell builtin "true" or "false"
>     if ${create}; then
>         > "${passwd_file}"
>     fi
>     if ! [ -f "${passwd_file}" ]; then
>         printf 'Could not open passwd file %s for reading.\n' "${passwd_file}"
>         printf 'Use -c option to create new one.\n'
>         exit 1
>     fi >&2
>
>     # user and realm are interpreted as regular expressions here
>     if grep -q "^${user}:${realm}:" "${passwd_file}"; then
>         printf 'Changing password for user %s in realm %s\n' "${user}" "${realm}"
>         sed -r -i -e "/^${user}:${realm}:/d" "${passwd_file}"
>     else
>         printf 'Adding user %s in realm %s\n' "${user}" "${realm}"
>     fi
>     # Prompts go to the original stdout (fd 3); stdout itself is silenced
>     exec 3>&1
>     exec >/dev/null
>     printf 'New password: ' >&3
>     read -r passwd
>     printf 'Re-type new password: ' >&3
>     read -r passwd2
>     exec >&3
>     exec 3>&-
>     if [ "${passwd}" != "${passwd2}" ]; then
>         printf "They don't match, sorry.\n"
>         exit 1
>     fi >&2
>
>     # md5sum prints "<hash>  -"; keep only the hash
>     hash="$( printf '%s:%s:%s' "${user}" "${realm}" "${passwd}" |md5sum )"
>     printf '%s:%s:%s\n' "${user}" "${realm}" "${hash%% *}" >>"${passwd_file}"
>
> Totally untested, use at your own risk...

Thank you for the script, but I prefer to use tools already provided and
tested. And htdigest and htpasswd can be useful for other usage in
Buildroot.

> htpasswd is quite a bit more complex, though, so if you really need it,
> impersonating it is not going to be easy...
>
> Bottom line: if only htdigest needed, then a script will help (not sure
> we'd need such a package in Buildroot, though). Otherwise, I don't have
> a good idea yet...

In the end I've sent a patch[0] for package apache and it looks good to
me. Using autotools is a real mess, so I've moved what I've done for
package apache-utils to package apache checking for option
BR2_PACKAGE_APACHE_UTILS_ONLY=y

[0]: https://patchwork.ozlabs.org/project/buildroot/patch/20230917202539.365838-1-giulio.benetti@benettiengineering.com/

Best regards

diff --git a/DEVELOPERS b/DEVELOPERS index f0c6f9cb52..806429f433 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -1196,6 +1196,7 @@ F: configs/freescale_imx6ullevk_defconfig F: configs/imx6ullevk_defconfig F: configs/imxrt1050-evk_defconfig F: configs/olimex_a* +F: package/apache-utils/ F: package/at/ F: package/binutils/ F: package/cryptsetup/ diff --git a/package/Config.in b/package/Config.in index e8dbadadf3..f5c9f9d321 100644 --- a/package/Config.in +++ b/package/Config.in @@ -2278,6 +2278,7 @@ menu "Networking applications" source "package/alfred/Config.in" source "package/aoetools/Config.in" source "package/apache/Config.in" + source "package/apache-utils/Config.in" if BR2_PACKAGE_APACHE menu "External Apache modules" source "package/modsecurity2/Config.in" diff --git a/package/apache-utils/0001-nios2_is_not_os2.patch b/package/apache-utils/0001-nios2_is_not_os2.patch new file mode 100644 index 0000000000..ac9b3fb373 --- /dev/null +++ b/package/apache-utils/0001-nios2_is_not_os2.patch @@ -0,0 +1,19 @@ +Fix nios2 detection. + +Apache treats nios2 as OS/2. + +Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> +Signed-off-by: Giulio Benetti <giulio.benetti+tekvox@benettiengineering.com> + +diff -uNr httpd-2.4.12.org/configure.in httpd-2.4.12/configure.in +--- httpd-2.4.12.org/configure.in 2015-01-22 18:33:07.000000000 +0100 ++++ httpd-2.4.12/configure.in 2015-04-02 22:01:32.851102219 +0200 +@@ -268,7 +268,7 @@ + AC_MSG_NOTICE([]) + + case $host in +- *os2*) ++ *-os2*) + # Use a custom made libtool replacement + echo "using aplibtool" + LIBTOOL="$abs_srcdir/srclib/apr/build/aplibtool" diff --git a/package/apache-utils/Config.in b/package/apache-utils/Config.in new file mode 100644 index 0000000000..d83874c9ea --- /dev/null +++ b/package/apache-utils/Config.in 
@@ -0,0 +1,15 @@ +config BR2_PACKAGE_APACHE_UTILS + bool "apache-utils" + depends on !BR2_STATIC_LIBS + depends on BR2_TOOLCHAIN_HAS_THREADS + depends on BR2_USE_MMU # apr + select BR2_PACKAGE_APR_UTIL + select BR2_PACKAGE_PCRE2 + help + Apache utilities htdigest and htpasswd + + https://httpd.apache.org + +comment "apache-utils needs a toolchain w/ dynamic library, threads" + depends on BR2_USE_MMU + depends on BR2_STATIC_LIBS || !BR2_TOOLCHAIN_HAS_THREADS diff --git a/package/apache-utils/apache-utils.hash b/package/apache-utils/apache-utils.hash new file mode 100644 index 0000000000..1f0020f65a --- /dev/null +++ b/package/apache-utils/apache-utils.hash @@ -0,0 +1,5 @@ +# From https://archive.apache.org/dist/httpd/httpd-2.4.57.tar.bz2.{sha256,sha512} +sha256 dbccb84aee95e095edfbb81e5eb926ccd24e6ada55dcd83caecb262e5cf94d2a httpd-2.4.57.tar.bz2 +sha512 4d1e0a274ee90bdfb5f38d4a7d73a7367ed1c6388e26280e640014e49abc0df03683705b88dcfe2ec2da313dda4c7b4a3b86daffa1911f58e224eba89d82d155 httpd-2.4.57.tar.bz2 +# Locally computed +sha256 47b8c2b6c3309282a99d4a3001575c790fead690cc14734628c4667d2bbffc43 LICENSE diff --git a/package/apache-utils/apache-utils.mk b/package/apache-utils/apache-utils.mk new file mode 100644 index 0000000000..f632eaec24 --- /dev/null +++ b/package/apache-utils/apache-utils.mk 
@@ -0,0 +1,37 @@ +################################################################################ +# +# apache-utils +# +################################################################################ + +APACHE_UTILS_VERSION = 2.4.57 +APACHE_UTILS_SOURCE = httpd-$(APACHE_UTILS_VERSION).tar.bz2 +APACHE_UTILS_SITE = https://downloads.apache.org/httpd +APACHE_UTILS_LICENSE = Apache-2.0 +APACHE_UTILS_LICENSE_FILES = LICENSE +# We have a patch touching configure.in and Makefile.in, +# so we need to autoreconf: +APACHE_UTILS_AUTORECONF = YES +APACHE_UTILS_DEPENDENCIES = apr apr-util pcre2 + +APACHE_UTILS_CONF_ENV= \ + ap_cv_void_ptr_lt_long=no \ + PCRE_CONFIG=$(STAGING_DIR)/usr/bin/pcre2-config + +APACHE_UTILS_CONF_OPTS = \ + --with-apr=$(STAGING_DIR)/usr \ + --with-apr-util=$(STAGING_DIR)/usr \ + --with-pcre=$(STAGING_DIR)/usr/bin/pcre2-config \ + --with-static-htdigest \ + --with-static-htpasswd + +define APACHE_UTILS_BUILD_CMDS + $(TARGET_MAKE_ENV) $(MAKE) -C $(@D)/support htdigest htpasswd +endef + +define APACHE_UTILS_INSTALL_TARGET_CMDS + $(INSTALL) -m 0755 -D $(@D)/support/htdigest $(TARGET_DIR)/usr/bin/htdigest + $(INSTALL) -m 0755 -D $(@D)/support/htpasswd $(TARGET_DIR)/usr/bin/htpasswd +endef + +$(eval $(autotools-package))
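
Review bot: package/apache-utils/apache-utils.mk sets no APACHE_UTILS_CPE_ID_VENDOR or APACHE_UTILS_CPE_ID_PRODUCT, so the package carries no CPE identifier tying it to the httpd 2.4.57 sources it builds; add them next to the licence lines (vendor apache, product http_server) so CVE reports cover this copy of the code too. In the same file, the comment above APACHE_UTILS_AUTORECONF says a patch touches configure.in and Makefile.in, but the only patch added here changes configure.in; `APACHE_UTILS_CONF_ENV= \` is missing the space before `=`; and APACHE_UTILS_SITE points at downloads.apache.org while the comment in apache-utils.hash cites archive.apache.org, so the two should name the same location.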
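
Review bot: package/apache-utils/0001-nios2_is_not_os2.patch has no upstream-status line in its header, and its diff is taken against httpd-2.4.12 while the package builds 2.4.57. Add an Upstream: line saying whether the `*-os2*` change was submitted, and since the header carries an earlier sign-off from Bernd Kuhls, say where the patch was taken from so that both copies get refreshed together on a version bump.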