Security - Recommended update to httpd.conf files via custombuild

That is great news, thanks! Then I will apply the harden-symlinks-patch the very next night! You made me happy. :)
 
John, is there a list anywhere of the files rewrite_confs updates? I know that in my case I need to make changes to the /etc/httpd/conf/extra/httpd-alias.conf file, because of custom changes I make, but I'd bet that I, ditto, and others, would be well served by knowing the other files which might need special attention after a rewrite_confs run, as well.

Thanks.

Jeff
 
It copies the files from:
/usr/local/directadmin/custombuild/configure/ap2/conf/*

to:
/etc/httpd/conf

However, if it exists, it then copies:
/usr/local/directadmin/custombuild/custom/ap2/conf

So if you want to have any custom files, you can add the individual custom file to that directory, and it will overwrite the default during the rewrite.

In some cases, custombuild does actively change the conf file in place... I can't recall exactly, but the httpd-alias.conf may be one of them.
In that case, use chattr to lock it.

Related:
http://help.directadmin.com/item.php?id=351

John
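
An added example, not part of the post above and not custombuild's own code: a shell function that previews which live config files a rewrite would replace, using the three paths given above. It assumes the copy is a plain recursive per-file overwrite in which a file under custom/ wins over the default; the function and variable names are made up for the illustration, and it cannot see the in-place changes custombuild makes to some files.

```shell
#!/bin/sh
# Added example: preview what a rewrite_confs run would overwrite.
# Defaults are the paths named in the post; the variable names are
# hypothetical and can be overridden (e.g. for testing on a copy).
DEFAULT_DIR="${DEFAULT_DIR:-/usr/local/directadmin/custombuild/configure/ap2/conf}"
CUSTOM_DIR="${CUSTOM_DIR:-/usr/local/directadmin/custombuild/custom/ap2/conf}"
LIVE_DIR="${LIVE_DIR:-/etc/httpd/conf}"

# Print one "STATUS<TAB>relative/path" line per file custombuild ships.
#   SAME(x)       live file already equals what would be copied
#   OVERWRITE(x)  live file differs and would be replaced
#   NEW(x)        no live file yet
# x is "custom" when a file in CUSTOM_DIR takes precedence, else "default".
conf_rewrite_preview() {
    ( cd "$DEFAULT_DIR" 2>/dev/null && find . -type f | sed 's|^\./||' | sort ) |
    while IFS= read -r rel; do
        if [ -f "$CUSTOM_DIR/$rel" ]; then
            src="$CUSTOM_DIR/$rel"; tag="custom"
        else
            src="$DEFAULT_DIR/$rel"; tag="default"
        fi
        if [ ! -f "$LIVE_DIR/$rel" ]; then
            status="NEW($tag)"
        elif cmp -s "$src" "$LIVE_DIR/$rel"; then
            status="SAME($tag)"
        else
            # Local edits here are lost unless a copy is placed in CUSTOM_DIR.
            status="OVERWRITE($tag)"
        fi
        printf '%s\t%s\n' "$status" "$rel"
    done
}

# Usage on a real server: conf_rewrite_preview | grep '^OVERWRITE'
```

Every `OVERWRITE(default)` line is a file to diff by hand or to copy into the custom directory before the next rewrite.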
 
Thanks, John. Generally we want your updates so I hesitate to put httpd-alias into custom or to chattr it immutable. I don't have a problem doing a comparison when I need to update configs; I was just curious as to what else I might want to look at.

Jeff
 
You can send an email when you see a big security problem..

No one has notified us.. And one of our servers has been exploited...

Thx again... Grrr
 
You can send an email when you see a big security problem..

No one has notified us.. And one of our servers has been exploited...

Thx again... Grrr

Hi,

Security is a work-in-progress. This is not only the task for DA and/or other forum members. It's your priority task.
You are the system administrator of your server, you have to make sure there are no security threats.

This forum and DA is just a tool to help you do that task.

I personally watch this forum almost daily. Mostly for security issues that someone might have found, or to prevent other issues before they happen on my own servers.

And after almost 70 posts in this topic, this isn't really a topic you would miss if you watch the forums.

regards,
Stijn
 
When you know it's a big security hole.. yes, you need to contact your clients.. it's not a game for us..

If you know the problem before us.. you need to alert your clients if your clients are important to you..

It costs nothing, it takes 5 minutes to write.. and click send to all !!

Sorry for my English
 
I'm subscribed to the DA mailing list. Take a look at http://www.directadmin.com/forum/showthread.php?t=9384 on how to subscribe. I believe this is still the current list. Maybe Jeff could make it a Sticky thread.

The mailing list isn't being used much, I wouldn't mind if it was used a bit more.

However, this symlink issue was mentioned in the latest mailing back on December 9, 2011.
 
When you know it's a big security hole.. yes, you need to contact your clients.. it's not a game for us..
No they don't need to. Because it's not a security hole in Directadmin, it's a security hole in Apache webserver.
You can subscribe yourself to the "required software version updates" of the forum, and/or subscribe to the mailing list like Arieh wrote.

Next to that, I don't know of any panel which warns customers of security updates anyway without any form of subscription to forum threads or mailing list.

Just to give you an update, there are also security issues with older bind and mysql 5.0 and older mysql 5.1 versions.
 
Hello,

We wouldn't be opposed to sending out more notifications to the da-announce mailing list for things like this.
Subscribe to the list, and we can get out this type of info. We'll be selective in which reports we feel are relevant.

But in any case, any changes to DA and its scripts that are security related will show up in the versions system under "security", newer items at the bottom:
http://www.directadmin.com/search_versions.php?query=security

John
 
I'm confused. In this thread 2 different solutions are described:

./build set harden-symlinks-patch
./build set secure_htaccess

Which one should be used, and is it possible to update the first post so one would not have to read the whole thread before knowing there is (perhaps) a better solution?
 
Hello,

I'll update the first post.

1) The secure_htaccess option uses apache configs to disable the FollowSymlinks option. It forces Users to use the SymLinksIfOwnerMatch instead.
2) The harden-symlinks-patch takes it one level further and internally changes apache so that any calls to FollowSymlinks get internally changed to SymLinksIfOwnerMatch, so clients can still use FollowSymlinks, but it actually acts like the SymLinksIfOwnerMatch version, saving the need for the apache config changes, and making it less likely for Users to break their .htaccess files when using FollowSymlinks (since it would throw an internal server error with the secure_htaccess on, when FollowSymlinks is used)

John
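
An added example, not part of the post above and not DirectAdmin's own tooling: a shell function that lists the .htaccess lines naming FollowSymLinks, which are the ones that would start returning an internal server error once secure_htaccess is on. The function name and the /home default root are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: find .htaccess files whose Options line names
# FollowSymLinks, so they can be switched to SymLinksIfOwnerMatch
# before secure_htaccess is enabled.
#
# Output: one "file:line:text" record per hit.
# - Apache directive and option names are case-insensitive, so the
#   match is done on a lower-cased copy of each line.
# - Commented-out lines are ignored (the line must start with Options).
# - A trailing CR (files edited on Windows) is tolerated.
# - find does not follow symlinks by default, so a user-planted link
#   cannot steer the scan outside the given root.
scan_htaccess() {
    find "${1:-/home}" -type f -name .htaccess -exec awk '
        { l = tolower($0) }
        l ~ /^[ \t]*options[ \t]/ &&
        l ~ /[ \t+-]followsymlinks([ \t\r]|$)/ {
            printf "%s:%d:%s\n", FILENAME, FNR, $0
        }' {} +
}

# Number of offending lines under the given root.
count_htaccess_hits() {
    scan_htaccess "$1" | grep -c . || true
}

# Usage on a real server: scan_htaccess /home
```

With the harden-symlinks-patch instead, these files keep working as described in the post, so the scan is only needed for the secure_htaccess route.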
 
@DaNgErOuS, I have read all the forum threads about this before, and I checked those again now and found no new information. I think DirectAdmin/Steve harden-symlinks-patch still is safe. If you think otherwise, please give a direct link to a forum post or page that says it is not safe and that explains WHY it is not safe.

Also, I would not like any kernel patch, it makes it harder to upgrade the kernel in the future, and there are always several new kernel upgrades from RedHat/CentOS each year. So I would not use any custom kernel patch from DirectAdmin.
 
Hello

a stupid question -

If we chmod 711 /home, the apache websites, mysql, exim, dovecot still seem to work as usual.

However, from my understanding, if we run as apache identity, it cannot simply use symlink to point to / to browse /home/ folder list directly, (i.e. inside SSH, sudo -u apache ls -l /home), do I?

Except you know the username of individual websites, then you may directly access /home/xxxx/public_html/...

If so, next question is..
How to prevent apache from accessing /etc/virtual/domainowners, /etc/passwd?
 
They might not in the past. But the servers I have installed DirectAdmin on, they did have 711 on /home as default
 
And my most recent systems have /home chmod 711 and chown root:root.

Jeff
 