After emerging mod_security, there are no info messages informing the user that the module is active or what to do to activate the module. Nothing in /etc/conf.d/apache. It appears mod_security.conf is included but I don't see any LoadModule or AddModule lines in /etc/apache/conf/apache.conf, so how does one tell if it's active or not?

In /usr/portage/net-www/mod_security/files/99_mod_security.conf I see something like this:

    <IfDefine SECURITY>
      <IfModule !mod_security.c>
        LoadModule security_module extramodules/mod_security.so
      </IfModule>
    </IfDefine>

But this does not appear to be added into any of the Apache config files after an emerge. Since I have had no responses on the mailing list, I have decided to add it here as a bug so maybe someone can look at it and clarify (and maybe <gasp> add an informative message to the ebuild).

Reproducible: Always

Steps to Reproduce:

    Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.20040808-r1,glibc-2.3.4.20041102-r1, 2.6.9-gentoo-r9n i686)
    =================================================================
    System uname: 2.6.9-gentoo-r9n i686 AMD Athlon(tm) MP 1600+
    Gentoo Base System version 1.4.16
    Python: dev-lang/python-2.3.5 [2.3.5 (#1, Apr 28 2005, 04:05:57)]
    dev-lang/python: 2.3.5
    sys-apps/sandbox: [Not Present]
    sys-devel/autoconf: 2.13, 2.59-r6
    sys-devel/automake: 1.7.9-r1, 1.6.3, 1.5, 1.9.5, 1.4_p6, 1.8.5-r3
    sys-devel/binutils: 2.15.92.0.2-r7
    sys-devel/libtool: 1.5.16
    virtual/os-headers: 2.6.8.1-r2, 2.6.8.1-r1
    ACCEPT_KEYWORDS="x86"
    AUTOCLEAN="yes"
    CFLAGS="-march=athlon -O2 -pipe"
    CHOST="i686-pc-linux-gnu"
    CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
    CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
    CXXFLAGS="-march=athlon -O2 -pipe"
    DISTDIR="/usr/portage/distfiles"
    FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict"
    GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo http://mirror.datapipe.net/gentoo ftp://mirrors.tds.net/gentoo http://gentoo.ccccom.com"
    MAKEOPTS="-j3"
    PKGDIR="/usr/portage/packages"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    PORTDIR_OVERLAY="/usr/local/portage"
    SYNC="rsync://216.220.96.33/gentoo-portage"
    USE="x86 apm arts avi berkdb bitmap-fonts crypt curl emboss encode foomaticdb freetds gd gdbm gif gtk2 imagemagick imlib ipv6 ithreads jpeg libg++ libwww mad mcal mikmod mmx motif mp3 mpeg mysql ncurses nls nptl oggvorbis opengl oss pam pdflib perl png python quicktime readline sdl slang snmp spell ssl svga tcpd threads tiff truetype truetype-fonts type1-fonts xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc"
    Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS

Just add -D SECURITY to APACHE_OPTS in /etc/conf.d/apache ;-)

OK, I added that BUT, looking at /etc/apache/apache.conf, where is the module loaded? I see the rest of the modules plus the extras like this:

    <IfDefine PHP4>
    LoadModule php4_module extramodules/libphp4.so
    </IfDefine>
    <IfDefine SSL>
    LoadModule ssl_module extramodules/libssl.so
    </IfDefine>
    <IfDefine FASTCGI>
    LoadModule fastcgi_module extramodules/mod_fastcgi.so
    </IfDefine>
    LoadModule vhost_alias_module modules/mod_vhost_alias.so

Shouldn't there be an <IfDefine SECURITY> here as well???

OK, I added this to the config and the module seems to be working now:

    <IfDefine SECURITY>
      <IfModule !mod_security.c>
        LoadModule security_module extramodules/mod_security.so
      </IfModule>
    </IfDefine>

Then after the ClearModuleList directive:

    <IfDefine SECURITY>
      <IfModule !mod_security.c>
        AddModule mod_security.c
      </IfModule>
    </IfDefine>

I thought the emerge process did this for me. Oh well.

The emerge process does this for you, and tells you about activating it with new-style apache which is now stable.
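
To answer the "how does one tell if it's active" question offline, the following added example (not part of the original thread or the ebuild) reads the `-D` defines from an `APACHE_OPTS` line and reports which `LoadModule` lines are reachable through the `<IfDefine>`/`<IfModule>` nesting shown above. The function names and sample strings are constructed for illustration, and the mapping from a `.so` file name to a `mod_*.c` source name is an assumption; it covers `LoadModule` only, not `AddModule` after `ClearModuleList`.

```python
import re
import shlex

OPEN = re.compile(r"<(IfDefine|IfModule)\s+(!?)\s*([^>\s]+)\s*>", re.I)
CLOSE = re.compile(r"</(IfDefine|IfModule)\s*>", re.I)

def defines_from_conf_d(text):
    """Return every NAME given as '-D NAME' in the last APACHE_OPTS= line."""
    found = re.findall(r"^\s*APACHE_OPTS=(.*)$", text, re.M)
    words = shlex.split(found[-1]) if found else []
    tokens = shlex.split(words[0]) if words else []
    defines = set()
    for i, tok in enumerate(tokens):
        if tok == "-D" and i + 1 < len(tokens):
            defines.add(tokens[i + 1])
        elif tok.startswith("-D") and len(tok) > 2:
            defines.add(tok[2:])
    return defines

def loaded_modules(conf, defines):
    """Map module identifier -> assumed source name for reachable LoadModule lines."""
    loaded, stack = {}, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.fullmatch(line)
        if opened:
            kind, negate, name = opened.groups()
            # IfDefine tests a -D flag; IfModule tests an already loaded module.
            cond = name in defines if kind.lower() == "ifdefine" else name in loaded.values()
            stack.append(cond != bool(negate))
        elif CLOSE.fullmatch(line):
            if stack:
                stack.pop()
        elif all(stack):
            parts = line.split()
            if len(parts) == 3 and parts[0].lower() == "loadmodule":
                # Assumption: mod_security.so was built from mod_security.c.
                loaded[parts[1]] = parts[2].rsplit("/", 1)[-1].rsplit(".", 1)[0] + ".c"
    return loaded

# Constructed samples modelled on the snippets quoted in this thread.
SAMPLE_CONF_D = 'APACHE_OPTS="-D SSL -D SECURITY"\n'
SAMPLE_CONF = """\
<IfDefine SECURITY>
  <IfModule !mod_security.c>
    LoadModule security_module extramodules/mod_security.so
  </IfModule>
</IfDefine>
LoadModule vhost_alias_module modules/mod_vhost_alias.so
"""
```

Calling `loaded_modules(SAMPLE_CONF, defines_from_conf_d(SAMPLE_CONF_D))` lists `security_module` only when `-D SECURITY` is present in `APACHE_OPTS`.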