[bug?] templates are messed up?

beinbliss

Verified User
Joined
Aug 25, 2013
Messages
7
Hello,

I have a problem after updating to DA 1.441 and Apache 2.4: my user httpd.conf gets double mod_ruid2 inserts, and in the VirtualHost section I get suexec enabled together with mod_ruid:

Code:
<Directory "/home/xxxxx/public_html">

<IfModule mod_ruid2.c>
RMode config
RUidGid dellkomp dellkomp
RGroups apache access
</IfModule>

</Directory>

<VirtualHost xxxxx:80 >
ServerName www.xxxxx
ServerAlias www.xxxxxx xxxxxx
ServerAdmin [email protected]
DocumentRoot /home/xxxxx/domains/xxxxxxx/public_html
UseCanonicalName OFF
<IfModule !mod_ruid2.c>
SuexecUserGroup dellkomp dellkomp
</IfModule>
<IfModule mod_ruid2.c>
RMode config
RUidGid dellkomp dellkomp
#RGroups apache access
RGroups @none
</IfModule>

CustomLog /var/log/httpd/domains/dellkompiuteriai.lt.bytes bytes
CustomLog /var/log/httpd/domains/dellkompiuteriai.lt.log combined
ErrorLog /var/log/httpd/domains/dellkompiuteriai.lt.error.log
<Directory /home/dellkomp/domains/dellkompiuteriai.lt/public_html>
AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,Includes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
Options -ExecCGI
php_admin_flag engine ON
php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f [email protected]'
php_admin_value mail.log /home/dellkomp/.php/php-mail.log
php_admin_value open_basedir /home/dellkomp/:/tmp:/var/tmp:/usr/local/lib/php/:/usr/local/php54/lib/php/
</Directory>
</VirtualHost>


why is that?
 
Maybe you need to run ./build rewrite_confs? Like this:

Code:
cd /usr/local/directadmin/custombuild
./build update
./build rewrite_confs
 
Yes. I have tried rewriting confs, tried many, many things, even reinstalling everything.

For now, as a workaround, I have created a custom dir in templates, copied virtual_host2* and user_virtual_host.conf into the custom folder, then I emptied out user_virtual_host.conf completely (left it empty), so this part, which always appeared at the beginning of the user's httpd.conf, disappeared:

Code:
<Directory "/home/xxxxx/public_html">

<IfModule mod_ruid2.c>
RMode config
RUidGid xxxxx xxxxx
RGroups apache access
</IfModule>

</Directory>

Next, in the virtual_host2 templates I have removed:
Code:
<IfModule !mod_ruid2.c>
SuexecUserGroup xxxxx xxxxx
</IfModule>

And the result is now clear:

Code:
<VirtualHost xxxxx:80 >
ServerName www.xxxxx
ServerAlias www.xxxxxx xxxxxx
ServerAdmin webmaster@xxxxxxxx
DocumentRoot /home/xxxxx/domains/xxxxxxx/public_html
UseCanonicalName OFF
<IfModule mod_ruid2.c>
RMode config
RUidGid xxxxx xxxxx
#RGroups apache access
RGroups @none
</IfModule>
CustomLog /var/log/httpd/domains/xxxxxxx.bytes bytes
CustomLog /var/log/httpd/domains/xxxxxxx.log combined
ErrorLog /var/log/httpd/domains/xxxxxxxxxxx.error.log
<Directory /home/xxxxx/domains/xxxxxxxx/public_html>
AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,Includes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
Options -ExecCGI
php_admin_flag engine ON
php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f [email protected]'
php_admin_value mail.log /home/xxxxxx/.php/php-mail.log
php_admin_value open_basedir /home/xxxxx/:/tmp:/var/tmp:/usr/local/lib/php/:/usr/local/php54/lib/php/
</Directory>
</VirtualHost>

The detection of mod_ruid is flawed, I think (it puts suexec with mod_ruid together), and I don't know what the user_virtual_host file is, which inserts another <Directory...> entry at the top of the user's httpd.conf.
 
What OS are you running, and is it mod_php together with mod_ruid2, or some other variant? Is it custombuild 2.0? Do you have more than one PHP version enabled? I think you should answer those questions and send support @ directadmin.com a link to this thread.
 
CentOS 6.4

Yes, I have downloaded custombuild 2.0 to run default mod_php + mod_ruid2.

No other PHP versions are installed. Nothing fancy is set up.
 
Hmm. I checked the contents of the httpd.conf file on one of the domains on my server, and I have the same thing as you, with double mod_ruid2 inserts and suexec enabled. Also, I notice the first insert has this:

Code:
RGroups apache access

But the next insert has this:

Code:
#RGroups apache access
RGroups @none

That does not seem right. The last one with RGroups @none is a security fix in the newest DirectAdmin version http://www.directadmin.com/features.php?id=1514 , so why doesn't the first insert have this?

But I am not sure if it is wrong or not with the double insert of mod_ruid2 etc.; it is above my knowledge. Hopefully DirectAdmin support can confirm if this is a bug or not. Edit: I am running CentOS 6.5 and newest DA with CB 2.0, mod_php and mod_ruid2
 
Hello,

1) The user_virtual_host.conf should also have "RGroups @none", I've just fixed that in the template, as it was missing.

2) As for the original question, I'm not sure I'm clear on the issue.
What errors are you getting?
Does apache fail to start up?


Note that there is a ! character in front of the !mod_ruid2.c check.. meaning "not".. so the SuexecUserGroup only has any effect if mod_ruid2.c is not loaded.

Let me know if I'm missing something... but that should be correct, the way it's written.

John
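The two points in the reply above (the negated `!mod_ruid2.c` guard around SuexecUserGroup, and `RGroups @none` missing from one of the two mod_ruid2 blocks) can be checked mechanically. This is an added example, not part of the thread or of DirectAdmin's tooling; the sample config, user name and address are constructed, and it assumes mod_ruid2 guards are not nested.

```python
import re

# Constructed sample modelled on the generated user httpd.conf quoted in this thread;
# the user name and address are placeholders.
SAMPLE = """\
<Directory "/home/exampleuser/public_html">
<IfModule mod_ruid2.c>
RMode config
RUidGid exampleuser exampleuser
RGroups apache access
</IfModule>
</Directory>
<VirtualHost 192.0.2.10:80>
<IfModule !mod_ruid2.c>
SuexecUserGroup exampleuser exampleuser
</IfModule>
<IfModule mod_ruid2.c>
RMode config
RUidGid exampleuser exampleuser
#RGroups apache access
RGroups @none
</IfModule>
</VirtualHost>
"""

GUARD = re.compile(r"<IfModule\s+(!?)mod_ruid2\.c>", re.I)

def audit(conf_text):
    """Return (line_no, message) findings. Assumes mod_ruid2 guards are not nested."""
    findings, guard, start, rgroups = [], None, None, None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        m = GUARD.match(raw.strip())
        key = words[0].lower()
        if m:  # "" = block applies when mod_ruid2 is loaded, "!" = when it is not
            guard, start, rgroups = m.group(1), no, None
        elif key == "</ifmodule>" and guard is not None:
            # Only an explicit non-@none value is reported; a missing RGroups is not judged.
            if guard == "" and rgroups not in (None, "@none"):
                findings.append((start, f"RGroups {rgroups!r} instead of @none"))
            guard = None
        elif key == "rgroups" and guard == "":
            rgroups = " ".join(words[1:])
        elif key == "suexecusergroup" and guard != "!":
            findings.append((no, "SuexecUserGroup outside <IfModule !mod_ruid2.c>"))
    return findings
```

On the sample, `audit(SAMPLE)` reports only the `<Directory>` block at line 2; the SuexecUserGroup line is not reported because its guard is negated.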
 
There is an issue with mod_ruid2

I have also sent a reply to [email protected]

Below is my message:

When I use mod_ruid2 with custombuild 1.2 I have a problem.
You have made a security change, which is good.
Changed:
RGroups apache access

to be:
RGroups @none

so that the additional groups are cleared.
Only the username should be sufficient to access all files and folders under /home/username.
But now when I go to domainname.tld/roundcube or /squirrelmail or /atmail or /webmail
I get the following error in the error log:

AH00035: access to /roundcube denied (filesystem path '/var/www/html') because search permissions are missing on a component of the path

I have changed to the old way and I have no problems.
This happened when we updated to 1.441.

Is there any fix for this?
 
You could try to log in by using your server hostname instead, like this: yourserver.hostname.com/roundcube - I always only use it that way, which makes it better if you are using an SSL certificate, so that you can use https://
 
Hi ditto,

Then it works.
I also have a reply from John.
And it's a rights issue:

I've confirmed the issue on our test box when /var/www is set to chmod 550.
If you type:
chmod 755 /var/www

that should resolve the issue.
I've tried a few things, but have not yet been able to sort out the issue.

A related function in custombuild 2.0 is the hostname direct, eg options.conf:

redirect_host=server.hostname.com
redirect_host_https=yes
use_hostname_for_alias=yes
If you get the use_hostname_for_alias=yes, then type:
./build rewrite_confs

that should change the Alias in:
/etc/httpd/conf/extra/httpd-alias.conf

to be Rewrite commands.. as accessing the webapps from the server IP or the hostname does not run into the permission issue.
But the 755 change is likely easier to do.
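Added example (not part of the posts above): a path walk that shows how the AH00035 error, `RGroups @none` and the `chmod 755 /var/www` fix fit together. The ownership of /var/www (root, with a web-server group of gid 48), the request user's uid/gid 1001 and the injected `stat_fn` are assumptions made for the illustration; ACLs and root are not modelled.

```python
import os
import stat
from types import SimpleNamespace

def search_allowed(st, uid, gids):
    """POSIX class selection for a non-root user: owner bits, else group bits, else other."""
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def first_blocked(path, uid, gids, stat_fn=os.stat):
    """Return the first directory leading to `path` that uid/gids cannot search, or None."""
    current = os.sep
    for part in [p for p in path.split(os.sep) if p]:
        if not search_allowed(stat_fn(current), uid, gids):
            return current
        current = os.path.join(current, part)
    return None

def fake_tree(www_mode):
    """Constructed ownership table standing in for the real filesystem (assumed values)."""
    tree = {
        "/": (0o755, 0, 0),
        "/var": (0o755, 0, 0),
        "/var/www": (www_mode, 0, 48),   # group 48 = assumed web-server group
        "/var/www/html": (0o755, 0, 0),
    }
    return lambda p: SimpleNamespace(
        st_mode=stat.S_IFDIR | tree[p][0], st_uid=tree[p][1], st_gid=tree[p][2])

TARGET = "/var/www/html/roundcube"
# Supplementary groups cleared (RGroups @none) and /var/www at 550: blocked at /var/www.
blocked_550 = first_blocked(TARGET, 1001, {1001}, fake_tree(0o550))
# Same user still holding the assumed web-server group: the group search bit applies.
with_group = first_blocked(TARGET, 1001, {1001, 48}, fake_tree(0o550))
# After chmod 755 /var/www: the "other" search bit applies, no group needed.
blocked_755 = first_blocked(TARGET, 1001, {1001}, fake_tree(0o755))
```

Calling `first_blocked(path, uid, gids)` without `stat_fn` runs the same walk against the live filesystem.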
 
Hello,

the question was why there are two IfModule mod_ruid2 instances in the user's httpd.conf

Code:
<Directory "/home/xxxxx/public_html">

<IfModule mod_ruid2.c>
RMode config
RUidGid dellkomp dellkomp
RGroups apache access
</IfModule>

</Directory>

<VirtualHost xxxxx:80 >
..................
<IfModule mod_ruid2.c>
RMode config
RUidGid dellkomp dellkomp
#RGroups apache access
RGroups @none
</IfModule>
.............................

</VirtualHost>


