mirror/freebsd-ports
1
0
Fork 0
mirror of https://git.FreeBSD.org/ports.git synced 2025-02-01 10:59:55 +00:00
Code Issues Releases Activity

- update Apache 2 ITK MPM patch to version 20110321-01 [1]

Browse Source 
- add additional patch for mpm-itk [2]
 - add mod_substitute to apache22 [3]
 - add some documentation into the mpm-itk* patches
 - bump portrevision

 Changes:
 [1] apache2.2-mpm-itk 2.2.17-01, released 2011-03-21:
  * Fixed CVE-2011-1176: If NiceValue was set, the default with no
    AssignUserID was to run as root:root instead of the default Apache user
    and group, due to the configuration merger having an incorrect default
    configuration.
  * Rebase against Apache 2.2.17.
  * Fix an issue where users can sometimes get spurious 403s on persistent
    connections, if the .htaccess files are not world readable.
  * In the config merger, don't reallocate the username, since it's already
    in the correct pool. (This is not a memory leak, only a small inefficiency.)

 [2] http://httpd.apache.org/docs/2.2/mod/mod_substitute.html

 Source:
  http://mpm-itk.sesse.net/ [1]
  http://www.pvv.ntnu.no/~knuta/mpm-itk/ [2]
  http://lists.freebsd.org/pipermail/freebsd-apache/2011-March/002184.html [3]

 With Hat:  apache@

PR:		ports/156024 [1][2]
Submitted by:	Lukasz Wasikowski <lukasz _at_ wasikowski.net> [1][2]
		Nick Gieczewski <sorongo _at_ gmail.com> [3]
This commit is contained in:
Olli Hauer 2011-03-31 17:00:37 +00:00
parent 098a7e2783
commit 611bdd4c01
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=272057
7 changed files with 302 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
www/apache22/Makefile
View File

@ -9,7 +9,7 @@
PORTNAME= apache
PORTVERSION= 2.2.17
PORTREVISION= 1
PORTREVISION= 2
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD}
DISTNAME= httpd-${PORTVERSION}
@ -43,7 +43,7 @@ USE_PERL5= yes
USE_RC_SUBR= apache22 htcacheclean
LIBTOOLFILES= configure
MPM_ITK_VERSION?= 20090414-00
MPM_ITK_VERSION?= 20110321-01
# for slave ports
.if !defined(MASTERDIR)

4
www/apache22/Makefile.doc
View File

@ -74,9 +74,11 @@
## defines WITH_EXCEPTION_HOOK too)
## WITH_EXCEPTION_HOOK: Enable fatal exception hook
##
## Optionnal patches:
## Optional patches:
## WITH_EXPERIMENTAL_PATCHES Add performance patches (generally backported
## from apr/httpd SVN repositories)
## WITH_ITK_PERDIR_REGEX Add the per-directory setting AssignUserFromPath for mpm-itk
## as described on http://www.pvv.ntnu.no/~knuta/mpm-itk/
##
## Available make targets:
## show-options: prints this message

5
www/apache22/Makefile.modules
View File

@ -29,7 +29,7 @@ LDAP_MODULES= ldap authnz_ldap
MISC_MODULES+= actions alias asis autoindex cern_meta \
cgi charset_lite dbd deflate dir dumpio env expires \
headers imagemap include info log_config logio mime \
mime_magic negotiation rewrite setenvif speling status \
mime_magic negotiation rewrite setenvif speling status substitute \
unique_id userdir usertrack vhost_alias filter version reqtimeout
PROXY_MODULES= proxy proxy_connect proxy_ftp proxy_http proxy_ajp proxy_balancer proxy_scgi
SSL_MODULES= ssl
@ -65,6 +65,9 @@ PLIST_SUB+= PREFORK="@comment " WORKER="@comment " EVENT=""
. elif ${WITH_MPM:L} == "itk"
PLIST_SUB+= PREFORK="@comment " WORKER="@comment " EVENT="@comment "
EXTRA_PATCHES+= ${PATCHDIR}/mpm-itk-${MPM_ITK_VERSION}
. if defined (WITH_ITK_PERDIR_REGEX)
EXTRA_PATCHES+= ${PATCHDIR}/mpm-itk-perdir-regex
. endif
. else
IGNORE= "Unknown MPM: ${WITH_MPM}"
. endif

1
www/apache22/Makefile.options
View File

@ -61,6 +61,7 @@ OPTIONS+= \
USERTRACK "Enable mod_usertrack" ON \
VHOST_ALIAS "Enable mod_vhost_alias" ON \
FILTER "Enable mod_filter" ON \
SUBSTITUTE "Enable mod_substitute" OFF \
VERSION "Enable mod_version" ON \
PROXY "Enable mod_proxy" OFF \
PROXY_CONNECT "Enable mod_proxy_connect" OFF \

189
www/apache22/files/mpm-itk-20090414-00 → www/apache22/files/mpm-itk-20110321-01
View File

@ -1,6 +1,34 @@
vim: syntax=diff
Monolithic mpm-itk patch version 2.2.17-01 updated 2011-03-21
The Apache 2 ITK MPM
apache2-mpm-itk (just mpm-itk for short) is an MPM (Multi-Processing Module)
for the Apache web server. mpm-itk allows you to run each of your vhost
under a separate uid and gid . in short, the scripts and configuration files
for one vhost no longer have to be readable for all the other vhosts.
mpm-itk is based on the traditional prefork MPM, which means it's
non-threaded; in short, this means you can run non-thread-aware code (like
many PHP extensions) without problems. On the other hand, you lose out to
any performance benefit you'd get with threads, of course; you'd have to
decide for yourself if that's worth it or not. You will also take an
additional performance hit over prefork, since there's an extra fork per
request.
Licensing:
mpm-itk is licensed under the Apache License, version 2.0,
like the rest of Apache.
For more Informations and Instructions please visit the official webpage.
WWW: http://mpm-itk.sesse.net/
===========================================================================
unchanged:
--- server/mpm/experimental/itk/Makefile.in 2009-03-17 21:38:54.000000000 +0100
+++ server/mpm/experimental/itk/Makefile.in 2009-03-17 21:39:03.000000000 +0100
--- server/mpm/experimental/itk/Makefile.in
+++ server/mpm/experimental/itk/Makefile.in
@@ -0,0 +1,5 @@
+
+LTLIBRARY_NAME = libitk.la
@ -8,16 +36,16 @@ unchanged:
+
+include $(top_srcdir)/build/ltlib.mk
unchanged:
--- server/mpm/experimental/itk/config.m4 2009-03-17 21:38:53.000000000 +0100
+++ server/mpm/experimental/itk/config.m4 2009-03-17 21:39:03.000000000 +0100
--- server/mpm/experimental/itk/config.m4
+++ server/mpm/experimental/itk/config.m4
@@ -0,0 +1,3 @@
+if test "$MPM_NAME" = "itk" ; then
+ APACHE_FAST_OUTPUT(server/mpm/$MPM_NAME/Makefile)
+ APACHE_FAST_OUTPUT(server/mpm/$MPM_SUBDIR_NAME/Makefile)
+fi
diff -u httpd-2.2.11/server/mpm/experimental/itk/itk.c httpd-2.2.11/server/mpm/experimental/itk/itk.c
--- server/mpm/experimental/itk/itk.c 2009-04-14 23:29:16.000000000 +0200
+++ server/mpm/experimental/itk/itk.c 2009-04-14 23:31:05.000000000 +0200
@@ -0,0 +1,1740 @@
unchanged:
--- server/mpm/experimental/itk/itk.c
+++ server/mpm/experimental/itk/itk.c
@@ -0,0 +1,1757 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
@ -576,8 +604,12 @@ diff -u httpd-2.2.11/server/mpm/experimental/itk/itk.c httpd-2.2.11/server/mpm/e
+ (void) ap_update_child_status(sbh, SERVER_READY, (request_rec *) NULL);
+
+ /* Set up the pollfd array */
+ /* ### check the status */
+ (void) apr_pollset_create(&pollset, num_listensocks, pchild, 0);
+ status = apr_pollset_create(&pollset, num_listensocks, pchild, 0);
+ if (status != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, status, ap_server_conf,
+ "Couldn't create pollset in child; check system or user limits");
+ clean_child_exit(APEXIT_CHILDSICK); /* assume temporary resource issue */
+ }
+
+ for (lr = ap_listeners, i = num_listensocks; i--; lr = lr->next) {
+ apr_pollfd_t pfd = { 0 };
@ -648,19 +680,27 @@ diff -u httpd-2.2.11/server/mpm/experimental/itk/itk.c httpd-2.2.11/server/mpm/e
+ apr_int32_t numdesc;
+ const apr_pollfd_t *pdesc;
+
+ /* timeout == -1 == wait forever */
+ status = apr_pollset_poll(pollset, -1, &numdesc, &pdesc);
+ /* check for termination first so we don't sleep for a while in
+ * poll if already signalled
+ */
+ if (one_process && shutdown_pending) {
+ SAFE_ACCEPT(accept_mutex_off());
+ return;
+ }
+ else if (die_now) {
+ /* In graceful stop/restart; drop the mutex
+ * and terminate the child. */
+ SAFE_ACCEPT(accept_mutex_off());
+ clean_child_exit(0);
+ }
+ /* timeout == 10 seconds to avoid a hang at graceful restart/stop
+ * caused by the closing of sockets by the signal handler
+ */
+ status = apr_pollset_poll(pollset, apr_time_from_sec(10),
+ &numdesc, &pdesc);
+ if (status != APR_SUCCESS) {
+ if (APR_STATUS_IS_EINTR(status)) {
+ if (one_process && shutdown_pending) {
+ return;
+ }
+ else if (die_now) {
+ /* In graceful stop/restart; drop the mutex
+ * and terminate the child. */
+ SAFE_ACCEPT(accept_mutex_off());
+ clean_child_exit(0);
+ }
+ if (APR_STATUS_IS_TIMEUP(status) ||
+ APR_STATUS_IS_EINTR(status)) {
+ continue;
+ }
+ /* Single Unix documents select as returning errnos
@ -774,6 +814,11 @@ diff -u httpd-2.2.11/server/mpm/experimental/itk/itk.c httpd-2.2.11/server/mpm/e
+ if (getuid())
+ die_now = 1;
+ }
+ /* This apr_pool_clear call is redundant, should be redundant, but compensates
+ * a flaw in the apr reslist code. This should be removed once that flaw has
+ * been addressed.
+ */
+ apr_pool_clear(ptrans);
+ clean_child_exit(0);
+}
+
@ -1718,16 +1763,16 @@ diff -u httpd-2.2.11/server/mpm/experimental/itk/itk.c httpd-2.2.11/server/mpm/e
+static void *itk_merge_dir_config(apr_pool_t *p, void *parent_ptr, void *child_ptr)
+{
+ itk_per_dir_conf *c = (itk_per_dir_conf *)
+ apr_pcalloc(p, sizeof(itk_per_dir_conf));
+ itk_create_dir_config(p, NULL);
+ itk_per_dir_conf *parent = (itk_per_dir_conf *) parent_ptr;
+ itk_per_dir_conf *child = (itk_per_dir_conf *) child_ptr;
+
+ if (child->username != NULL) {
+ c->username = apr_pstrdup(p, child->username);
+ c->username = child->username;
+ c->uid = child->uid;
+ c->gid = child->gid;
+ } else if (parent->username != NULL) {
+ c->username = apr_pstrdup(p, parent->username);
+ } else {
+ c->username = parent->username;
+ c->uid = parent->uid;
+ c->gid = parent->gid;
+ }
@ -1759,8 +1804,8 @@ diff -u httpd-2.2.11/server/mpm/experimental/itk/itk.c httpd-2.2.11/server/mpm/e
+ itk_hooks, /* register hooks */
+};
unchanged:
--- server/mpm/experimental/itk/mpm.h 2009-03-17 21:39:03.000000000 +0100
+++ server/mpm/experimental/itk/mpm.h 2009-03-21 13:02:33.000000000 +0100
--- server/mpm/experimental/itk/mpm.h
+++ server/mpm/experimental/itk/mpm.h
@@ -0,0 +1,68 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
@ -1831,8 +1876,8 @@ unchanged:
+#endif /* APACHE_MPM_ITK_H */
+/** @} */
unchanged:
--- server/mpm/experimental/itk/mpm_default.h 2009-03-17 21:39:03.000000000 +0100
+++ server/mpm/experimental/itk/mpm_default.h 2009-03-21 13:02:33.000000000 +0100
--- server/mpm/experimental/itk/mpm_default.h
+++ server/mpm/experimental/itk/mpm_default.h
@@ -0,0 +1,80 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
@ -1915,8 +1960,8 @@ unchanged:
+#endif /* AP_MPM_DEFAULT_H */
+/** @} */
unchanged:
--- orig/server/mpm/config.m4 2007-01-29 21:30:26.000000000 +0100
+++ server/mpm/config.m4 2007-01-29 21:30:35.000000000 +0100
--- server/mpm/config.m4
+++ server/mpm/config.m4
@@ -1,7 +1,7 @@
AC_MSG_CHECKING(which MPM to use)
AC_ARG_WITH(mpm,
@ -1935,17 +1980,21 @@ unchanged:
return 0
else
return 1
unchanged:
--- server/mpm/experimental/itk/config.m4 2007-01-29 21:03:51.000000000 +0100
+++ server/mpm/experimental/itk/config.m4 2007-01-29 21:03:57.000000000 +0100
@@ -1,3 +1,3 @@
if test "$MPM_NAME" = "itk" ; then
- APACHE_FAST_OUTPUT(server/mpm/$MPM_NAME/Makefile)
+ APACHE_FAST_OUTPUT(server/mpm/$MPM_SUBDIR_NAME/Makefile)
@@ -66,6 +66,11 @@
else
MPM_SUBDIR_NAME=$MPM_NAME
fi
+
+if test "$apache_cv_mpm" = "itk" ; then
+ AC_CHECK_LIB(cap, cap_init)
+fi
+
MPM_DIR=server/mpm/$MPM_SUBDIR_NAME
MPM_LIB=$MPM_DIR/lib${MPM_NAME}.la
unchanged:
--- include/http_request.h 2009-03-21 13:03:31.000000000 +0100
+++ include/http_request.h 2009-03-21 13:03:41.000000000 +0100
--- include/http_request.h
+++ include/http_request.h
@@ -12,6 +12,12 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
@ -1976,8 +2025,8 @@ unchanged:
AP_DECLARE(int) ap_directory_walk(request_rec *r);
AP_DECLARE(int) ap_file_walk(request_rec *r);
unchanged:
--- server/request.c 2009-03-21 13:03:13.000000000 +0100
+++ server/request.c 2009-03-21 13:03:41.000000000 +0100
--- server/request.c
+++ server/request.c
@@ -12,6 +12,12 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
@ -2022,18 +2071,42 @@ unchanged:
/* Only on the main request! */
if (r->main == NULL) {
if ((access_status = ap_run_header_parser(r))) {
only in patch2:
unchanged:
--- server/mpm/config.m4 2009-04-14 23:26:41.000000000 +0200
+++ server/mpm/config.m4 2009-04-14 23:28:03.000000000 +0200
@@ -66,6 +66,11 @@
else
MPM_SUBDIR_NAME=$MPM_NAME
fi
+
+if test "$apache_cv_mpm" = "itk" ; then
+ AC_CHECK_LIB(cap, cap_init)
+fi
+
MPM_DIR=server/mpm/$MPM_SUBDIR_NAME
MPM_LIB=$MPM_DIR/lib${MPM_NAME}.la
--- server/config.c
+++ server/config.c
@@ -1840,6 +1840,34 @@ AP_CORE_DECLARE(int) ap_parse_htaccess(a
else {
if (!APR_STATUS_IS_ENOENT(status)
&& !APR_STATUS_IS_ENOTDIR(status)) {
+#ifdef ITK_MPM
+ /*
+ * If we are in a persistent connection, we might end up in a state
+ * where we can no longer read .htaccess files because we have already
+ * setuid(). This can either be because the previous request was for
+ * another vhost (basically the same problem as when setuid() fails in
+ * itk.c), or it can be because a .htaccess file is readable only by
+ * root.
+ *
+ * In any case, we don't want to give out a 403, since the request has
+ * a very real chance of succeeding on a fresh connection (where
+ * presumably uid=0). Thus, we give up serving the request on this
+ * TCP connection, and do a hard close of the socket. As long as we're
+ * in a persistent connection (and there _should_ not be a way this
+ * would happen on the first request in a connection, save for subrequests,
+ * which we special-case), this is allowed, as it is what happens on
+ * a timeout. The browser will simply open a new connection and try
+ * again (there's of course a performance hit, though, both due to
+ * the new connection setup and the fork() of a new server child).
+ */
+ if (r->main == NULL && getuid() != 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, status, r,
+ "Couldn't read %s, closing connection.",
+ filename);
+ ap_lingering_close(r->connection);
+ exit(0);
+ }
+#endif
ap_log_rerror(APLOG_MARK, APLOG_CRIT, status, r,
"%s pcfg_openfile: unable to check htaccess file, "
"ensure it is readable",

160
www/apache22/files/mpm-itk-perdir-regex Normal file
View File

@ -0,0 +1,160 @@
vim: syntax=diff
This patch is a supplement for the MPM-ITK patchset, adding the per-directory
setting AssignUserFromPath <path-regex> <user-pattern> <group-pattern>
Using a regex for setting the user and/or group name might seem scary, but
it has a number of uses in cases where a hard-coded list of <Directory>
clauses would be implactical:
For personal home pages, either using mod_userdir or simply
subdirectories named like the user name
For vhosts using mod_vhost_alias
This patch is against MPM-ITK version 2.2.11-02. You might have to kneed it
a little if you are using a later version of MPM-ITK.
Please Note: This patch has only been briefly tested. Remember to test it
rigorously before applying it in a production environment!
Examples
<Directory /home>
AssignUserFromPath "^/home/([^/]+)" www-data $1-web
</Directory>
WWW: http://www.pvv.ntnu.no/~knuta/mpm-itk/
To apply this additional diff to apache22-mpm-itk use
make -DWITH_ITK_PERDIR_REGEX
===========================================================================
--- server/mpm/experimental/itk/itk.c 2011-03-05 18:12:47.000000000 +0100
+++ server/mpm/experimental/itk/itk.c 2011-03-06 23:28:49.000000000 +0100
@@ -60,6 +60,7 @@
#include "ap_listen.h"
#include "ap_mmn.h"
#include "apr_poll.h"
+#include "ap_regex.h"
#ifdef HAVE_BSTRING_H
#include <bstring.h> /* for IRIX, FD_SET calls bzero() */
@@ -164,6 +165,10 @@
gid_t gid;
char *username;
int nice_value;
+ char *user_regex_string;
+ ap_regex_t *user_regex;
+ char *user_pattern;
+ char *group_pattern;
} itk_per_dir_conf;
typedef struct
@@ -1421,6 +1426,7 @@
gid_t wanted_gid;
const char *wanted_username;
int err = 0;
+ int retval = OK;
itk_server_conf *sconf =
(itk_server_conf *) ap_get_module_config(r->server->module_config, &mpm_itk_module);
@@ -1458,6 +1464,35 @@
wanted_gid = dconf->gid;
wanted_username = dconf->username;
+ /* Determine uid and gid from regex, if available */
+ if (dconf->user_regex != NULL) {
+ apr_size_t nmatch = 10;
+ ap_regmatch_t pmatch[10];
+ char *user_string;
+ char *group_string;
+ struct passwd *user_struct;
+ struct group *group_struct;
+
+ if (ap_regexec(dconf->user_regex, r->filename, nmatch, pmatch, 0) == 0) {
+ user_string = ap_pregsub(r->pool, dconf->user_pattern, r->filename, nmatch, pmatch);
+ group_string = ap_pregsub(r->pool, dconf->group_pattern, r->filename, nmatch, pmatch);
+
+ if (!(user_struct = getpwnam(user_string))) {
+ _DBG("%s: No such user: '%s' (regex: '%s', pattern: '%s')",
+ r->filename, user_string, dconf->user_regex_string, dconf->user_pattern);
+ retval = HTTP_INTERNAL_SERVER_ERROR;
+ } else if (!(group_struct = getgrnam(group_string))) {
+ _DBG("%s: No such group: '%s' (regex: '%s', pattern: '%s')",
+ r->filename, group_string, dconf->user_regex_string, dconf->group_pattern);
+ retval = HTTP_INTERNAL_SERVER_ERROR;
+ } else {
+ wanted_username = user_string;
+ wanted_uid = user_struct->pw_uid;
+ wanted_gid = group_struct->gr_gid;
+ }
+ }
+ }
+
if (wanted_uid == -1 || wanted_gid == -1) {
wanted_uid = unixd_config.user_id;
wanted_gid = unixd_config.group_id;
@@ -1488,7 +1523,7 @@
ap_lingering_close(r->connection);
exit(0);
}
- return OK;
+ return retval;
}
static void itk_hooks(apr_pool_t *p)
@@ -1632,6 +1667,24 @@
return NULL;
}
+static const char *assign_user_id_regex (cmd_parms *cmd, itk_per_dir_conf *dconf, const char *regex, const char *user_string, const char *group_string)
+{
+ ap_regex_t *compiled_regexp;
+
+ compiled_regexp = ap_pregcomp(cmd->pool, regex, AP_REG_EXTENDED);
+ if (!compiled_regexp) {
+ return apr_pstrcat(cmd->pool,
+ "AssignUserFromPath: cannot compile regular expression '",
+ regex, "'", NULL);
+ }
+
+ dconf->user_regex_string = apr_pstrdup(cmd->pool, regex);
+ dconf->user_regex = compiled_regexp;
+ dconf->user_pattern = apr_pstrdup(cmd->pool, user_string);
+ dconf->group_pattern = apr_pstrdup(cmd->pool, group_string);
+ return NULL;
+}
+
static const char *set_max_clients_vhost (cmd_parms *cmd, void *dummy, const char *arg)
{
itk_server_conf *sconf =
@@ -1676,6 +1729,8 @@
"Maximum value of MaxClients for this run of Apache"),
AP_INIT_TAKE2("AssignUserID", assign_user_id, NULL, RSRC_CONF|ACCESS_CONF,
"Tie a virtual host to a specific child process."),
+AP_INIT_TAKE3("AssignUserFromPath", assign_user_id_regex, NULL, RSRC_CONF|ACCESS_CONF,
+ "Use a regex to determine the user ID from a path in the file system. Use with care!"),
AP_INIT_TAKE1("MaxClientsVHost", set_max_clients_vhost, NULL, RSRC_CONF,
"Maximum number of children alive at the same time for this virtual host."),
AP_INIT_TAKE1("NiceValue", set_nice_value, NULL, RSRC_CONF|ACCESS_CONF,
@@ -1716,6 +1771,20 @@
} else {
c->nice_value = parent->nice_value;
}
+ // The test for username != NULL means that we clear the regex settings if an
+ // explicit username is specified in a subdirectory, which is what I believe
+ // most people would expect.
+ if (child->user_regex_string != NULL || child->username != NULL) {
+ c->user_regex_string = child->user_regex_string;
+ c->user_regex = child->user_regex;
+ c->user_pattern = child->user_pattern;
+ c->group_pattern = child->group_pattern;
+ } else {
+ c->user_regex_string = parent->user_regex_string;
+ c->user_regex = parent->user_regex;
+ c->user_pattern = parent->user_pattern;
+ c->group_pattern = parent->group_pattern;
+ }
return c;
}

1
www/apache22/pkg-plist
View File

@ -165,6 +165,7 @@ libexec/apache22/httpd.exp
%%MOD_SSL%%libexec/apache22/mod_ssl.so
%%MOD_STATUS%%libexec/apache22/mod_status.so
%%MOD_SUEXEC%%libexec/apache22/mod_suexec.so
%%MOD_SUBSTITUTE%%libexec/apache22/mod_substitute.so
%%MOD_UNIQUE_ID%%libexec/apache22/mod_unique_id.so
%%MOD_USERDIR%%libexec/apache22/mod_userdir.so
%%MOD_USERTRACK%%libexec/apache22/mod_usertrack.so