DirectAdmin v.1.38 released

Hello,

1) If you wish to have secure_access_group=access on an existing box, add it to your directadmin.conf, then run:
Code:
echo "action=rewrite&value=secure_access_group" >> /usr/local/directadmin/data/task.queue
and this will set all your existing Users to the new format. (changes /home/user for Users and /home/reseller/domains for Admins/Resellers)

2)
Code:
chown webapps:apache /var/www
chmod 550 /var/www

chgrp apache /usr/bin/perl
chmod 705 /usr/bin/perl
Official 1.38.0 announcement thread

Thank you, John. But I don't think I dare change to the secure_access_group yet. But I want to do step 2. Is it safe to do step 2 without doing step one (secure access group)? Also, what does this code do?:

Code:
chgrp apache /usr/bin/perl
chmod 705 /usr/bin/perl

Is it related to the secure access group? If so, can I skip the above code and only do this? Or must I do both?:

Code:
chown webapps:apache /var/www
chmod 550 /var/www
 
Hello,

Setting the group to apache on /usr/bin/perl, then setting it to 705 denies anyone in the "apache" group from running perl. The "apache" user is the only user in the apache group. Basically, anyone who runs a cgi-bin script will do so using suexec, so they'll be running as their own username, and not apache. The only time perl gets called as apache is when it's an exploit of some sort through apache itself, thus perl shouldn't be allowed to be run as "apache". It's along the same lines as setting /tmp to noexec.

The permissions/ownership on /var/www are not related to the secure_access_group. You can do one, or the other, or both, or none. Up to you.

John
 
...The permissions/ownership on /var/www are not related to the secure_access_group. You can do one, or the other, or both, or none. Up to you.

Thank you! However I need to be sure I don't make a mistake, so please let me refine the question:

Is this code related to the secure_access_group, and can I run it without setting the secure_access_group?:
Code:
chgrp apache /usr/bin/perl
chmod 705 /usr/bin/perl

Your explanation was a big help, so sorry for this, but I just need to be certain that I don't create problems on my server. So, at first I want to run this code, but not set a secure access group:
Code:
chown webapps:apache /var/www
chmod 550 /var/www

chgrp apache /usr/bin/perl
chmod 705 /usr/bin/perl
 
Hello,

1) Settings and permissions on /usr/bin/perl are not related to secure_access_group (SAG).

2) Settings and permissions on /var/www are not related to SAG.

3) secure_access_group does not need to be enabled to run any of the above.
SAG only affects /home/user. (or /home/admin/domains)

John
 
problem whit access group restoring a domain

Hi,

I set the SAG option on all my servers (it works well with the tutorial), but if I restore a domain, backing it up from another server that also has the SAG option, the user and group of the "domains" folder are not correct, because I have:

drwx--x--- 3 user user 4096 2008-12-19 17:50 domains


after restoring the backup; in this way the domain is not visible, with a 403 error.

The correct way would be this:

drwx--x--- 3 user access 4096 2008-12-19 17:50 domains

The strange thing is that if I create a new user on the server, the user and group of the "domains" folder are correct.

Anyone know why? My DA version is 1.38.4
 
The only thing I can suppose is that the restore script has inside it a set-permission step for the "freshly restored" user that isn't updated / doesn't check for SAG.

But only DirectAdmin Support can confirm or deny what I wrote and help you understand the reason.

Regards
 
Thanks SeLLeRoNe for the reply,
DirectAdmin support, can you confirm this problem?
 
Hello,

I checked the code and based on what I see, I can confirm that for Reseller and Admin restores. The "domains" directory for SAG only applies to Resellers/Admins. During the restore code, there is a spot that ensures the SAG settings are all correct for accounts, but the function exits right away if SAG is disabled. What I've done is added a chmod 711 to the domains directory if it's a Reseller/Admin and SAG is disabled.

On a side note, aside from the bug: enable SAG ;)

John
 
So, applying the SAG option, a user's "domains" folder must not have

user access

This is only for reseller and admin accounts, that's ok. My problem was only setting the permissions to 711 on the "domains" folder for users, really? :eek:

SAG on the server is enabled, /home/user has:

user access

as owner and group. Do you think it is a problem leaving the permissions of the user's domains folder my way? Maybe it is more secure?
 
On a new server I'm building, I've turned off secure access because I'm using mod_ruid2.

I've done that after reading this thread, though I'm not sure it's needed.

Can anyone clarify for me? If special steps need to be done to run both, please explain.

Thanks.

Jeff
 
Yes, please, if you have the time. I'm building out a new server to be our next-generation design, and I've looked into processes and procedures I've (as an old-timer) never used before. In this thread I've seen some complaints about them possibly not working together, including from John at DirectAdmin.

So I didn't try SAG yet, since I've moved from suPHP to mod_ruid2.

Any help is appreciated.

Jeff
 
Hello,

If my memory is correct, the last issue with mod_ruid2 and SAG was that, for the case in question, the 4 virtual_host2*.conf files were not all correctly set up. Only 1 of them was, the other 3 were not, thus the main domain worked, but subdomains/https didn't work correctly.

As far as I know, there shouldn't be any issues with mod_ruid2 and SAG, assuming all 4 virtual_host2*.conf files are set correctly.

@fabbietto: Correct, with SAG, it's as follows:
Users:
/home/user user:access 750

Admins, Reseller:
/home/user/domains user:access 750

John
 
Ok, I'll post here the important changes I made to the confs:

Code:
>cat /etc/httpd/conf/httpd.conf
#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.

ServerRoot "/etc/httpd"
Listen 80

#LoadModule dummy_module /usr/lib/apache/mod_dummy.so
LoadModule ruid2_module       /usr/lib/apache/mod_ruid2.so
#LoadModule php5_module        /usr/lib/apache/libphp5.so
Include /etc/httpd/conf/extra/httpd-phpmodules.conf

User apache
Group access

Code:
>ll /var/
dr-xr-x---  9 webapps apache  4096  4 apr 10:40 www
>ll /var/www/
drwxr-xr-x  4 webapps apache  4096 25 giu 16:16 html
>ll /var/www/html/
-rw-r--r--  1 webapps webapps   58 11 gen 15:41 index.php

Code:
>cat /usr/local/directadmin/data/templates/custom/virtual_host2.conf
<VirtualHost |IP|:80 |MULTI_IP|>
|CUSTOM|

|?CGI=ScriptAlias /cgi-bin/ `DOCROOT`/cgi-bin/|
        ServerName www.|DOMAIN|
        ServerAlias www.|DOMAIN| |DOMAIN| |SERVER_ALIASES|
        ServerAdmin |ADMIN|
        DocumentRoot |DOCROOT|
        |CGI|

        |USECANONICALNAME|

        #SuexecUserGroup |USER| |GROUP|
        RMode config
        RUidGid |USER| |GROUP|
        RGroups apache
        CustomLog /var/log/httpd/domains/|DOMAIN|.bytes bytes
        CustomLog /var/log/httpd/domains/|DOMAIN|.log combined
        ErrorLog /var/log/httpd/domains/|DOMAIN|.error.log

        <Directory |DOCROOT|>
                Options +Includes -Indexes
|*if CLI="1"|
                php_admin_flag engine |PHP|
                <IfModule !mod_php6.c>
                        php_admin_flag safe_mode |SAFE_MODE|
                </IfModule>
                php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f |USER|@|DOMAIN|'
|*endif|
|*if OPEN_BASEDIR="ON"|
                php_admin_value open_basedir |OPEN_BASEDIR_PATH|
|*endif|
|*if SUPHP="1"|
                suPHP_Engine |PHP|
                suPHP_UserGroup |USER| |GROUP|
|*endif|
        </Directory>
|HANDLERS|
|MIMETYPES|

</VirtualHost>

Code:
>cat virtual_host2_secure.conf
<VirtualHost |IP|:443 |MULTI_IP|>
|CUSTOM|
        SSLEngine on
        SSLCertificateFile |CERT|
        SSLCertificateKeyFile |KEY|
        |CAROOT|

        ServerName www.|DOMAIN|
        ServerAlias www.|DOMAIN| |DOMAIN| |SERVER_ALIASES|
        ServerAdmin |ADMIN|
        DocumentRoot |DOCROOT|
        |CGI|

        |USECANONICALNAME|

        #SuexecUserGroup |USER| |GROUP|
        RMode config
        RUidGid |USER| |GROUP|
        RGroups apache

        CustomLog /var/log/httpd/domains/|DOMAIN|.bytes bytes
        CustomLog /var/log/httpd/domains/|DOMAIN|.log combined
        ErrorLog /var/log/httpd/domains/|DOMAIN|.error.log

        <Directory |DOCROOT|>
                Options +Includes -Indexes
|*if CLI="1"|
                php_admin_flag engine |PHP|
                <IfModule !mod_php6.c>
                        php_admin_flag safe_mode |SAFE_MODE|
                </IfModule>
                php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f |USER|@|DOMAIN|'
|*endif|
|*if OPEN_BASEDIR="ON"|
                php_admin_value open_basedir |OPEN_BASEDIR_PATH|
|*endif|
|*if SUPHP="1"|
                suPHP_Engine |PHP|
                suPHP_UserGroup |USER| |GROUP|
|*endif|
        </Directory>
|HANDLERS|
|MIMETYPES|

</VirtualHost>

Code:
>cat virtual_host2_secure_sub.conf
<VirtualHost |IP|:443 |MULTI_IP|>
|CUSTOM|
        SSLEngine on
        SSLCertificateFile |CERT|
        SSLCertificateKeyFile |KEY|
        |CAROOT|

        ServerName www.|SUB|.|DOMAIN|
        ServerAlias www.|SUB|.|DOMAIN| |SUB|.|DOMAIN| |SERVER_ALIASES|
        ServerAdmin |ADMIN|
        DocumentRoot |DOCROOT|/|SUB|
        |CGI|

        |USECANONICALNAME|

        #SuexecUserGroup |USER| |GROUP|
        RMode config
        RUidGid |USER| |GROUP|
        RGroups apache

        CustomLog /var/log/httpd/domains/|DOMAIN|.|SUB|.bytes bytes
        CustomLog /var/log/httpd/domains/|DOMAIN|.|SUB|.log combined
        ErrorLog /var/log/httpd/domains/|DOMAIN|.|SUB|.error.log

        <Directory |DOCROOT|/|SUB|>
                Options +Includes -Indexes
|*if CLI="1"|
                php_admin_flag engine |PHP|
                <IfModule !mod_php6.c>
                        php_admin_flag safe_mode |SAFE_MODE|
                </IfModule>
                php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f |USER|@|DOMAIN|'
|*endif|
|*if OPEN_BASEDIR="ON"|
                php_admin_value open_basedir |OPEN_BASEDIR_PATH|
|*endif|
|*if SUPHP="1"|
                suPHP_Engine |PHP|
                suPHP_UserGroup |USER| |GROUP|
|*endif|
        </Directory>
|HANDLERS|
|MIMETYPES|

</VirtualHost>

Code:
>cat virtual_host2_sub.conf
<VirtualHost |IP|:80 |MULTI_IP|>
|CUSTOM|
|?CGI=ScriptAlias /cgi-bin/ `DOCROOT`/`SUB`/cgi-bin/|
        ServerName www.|SUB|.|DOMAIN|
        ServerAlias www.|SUB|.|DOMAIN| |SUB|.|DOMAIN| |SERVER_ALIASES|
        ServerAdmin |ADMIN|
        DocumentRoot |DOCROOT|/|SUB|
        |CGI|

        |USECANONICALNAME|

        #SuexecUserGroup |USER| |GROUP|
        RMode config
        RUidGid |USER| |GROUP|
        RGroups apache

        CustomLog /var/log/httpd/domains/|DOMAIN|.|SUB|.bytes bytes
        CustomLog /var/log/httpd/domains/|DOMAIN|.|SUB|.log combined
        ErrorLog /var/log/httpd/domains/|DOMAIN|.|SUB|.error.log
        <Directory |DOCROOT|/|SUB|>
                Options +Includes -Indexes
|*if CLI="1"|
                php_admin_flag engine |PHP|
                <IfModule !mod_php6.c>
                        php_admin_flag safe_mode |SAFE_MODE|
                </IfModule>
                php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f |USER|@|DOMAIN|'
|*endif|
|*if OPEN_BASEDIR="ON"|
                php_admin_value open_basedir |OPEN_BASEDIR_PATH|
|*endif|
|*if SUPHP="1"|
                suPHP_Engine |PHP|
                suPHP_UserGroup |USER| |GROUP|
|*endif|
        </Directory>
|HANDLERS|
|MIMETYPES|

</VirtualHost>
<VirtualHost |IP|:80 |MULTI_IP|>
|CUSTOM|
|?CGI=ScriptAlias /cgi-bin/ `DOCROOT`/`SUB`/cgi-bin/|
        ServerName www.|SUB|.|DOMAIN|
        ServerAlias www.|SUB|.|DOMAIN| |SUB|.|DOMAIN| |SERVER_ALIASES|
        ServerAdmin |ADMIN|
        DocumentRoot |DOCROOT|/|SUB|
        |CGI|

        |USECANONICALNAME|

        #SuexecUserGroup |USER| |GROUP|
        RMode config
        RUidGid |USER| |GROUP|
        RGroups apache

        CustomLog /var/log/httpd/domains/|DOMAIN|.|SUB|.bytes bytes
        CustomLog /var/log/httpd/domains/|DOMAIN|.|SUB|.log combined
        ErrorLog /var/log/httpd/domains/|DOMAIN|.|SUB|.error.log
        <Directory |DOCROOT|/|SUB|>
                Options +Includes -Indexes
|*if CLI="1"|
                php_admin_flag engine |PHP|
                <IfModule !mod_php6.c>
                        php_admin_flag safe_mode |SAFE_MODE|
                </IfModule>
                php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f |USER|@|DOMAIN|'
|*endif|
|*if OPEN_BASEDIR="ON"|
                php_admin_value open_basedir |OPEN_BASEDIR_PATH|
|*endif|
|*if SUPHP="1"|
                suPHP_Engine |PHP|
                suPHP_UserGroup |USER| |GROUP|
|*endif|
        </Directory>
|HANDLERS|
|MIMETYPES|

</VirtualHost>

Hope this information is helpful enough for you; if not, ask and I'll try to give any further information you need.

Regards
 
@SeLLeRoNe:

Is this the only change you made?
Code:
        #SuexecUserGroup |USER| |GROUP|
        RMode config
        RUidGid |USER| |GROUP|
        RGroups apache
If so, it's now documented properly in the first post of the mod_ruid2 thread.

Jeff
 
@fabbietto: Correct, with SAG, it's as follows:
Users:
/home/user user:access 750

Admins, Reseller:
/home/user/domains user:access 750
On my first testbed server with mod_ruid2 I'm using

Users:
/home/user user:user 711

Admins,Resellers:
/home/user/domains user:user 755

I can see how the domains directory for admins/resellers would be more secure with SAG, but I don't see how the user directory would be.

What am I missing? Should I still use SAG?

Thanks.

Jeff
 
The "access" group should have in it all system accounts, other than the user, which need access to the User's path. If mod_ruid2 is set up correctly, and apache is in fact running as the User, then the two should work just fine together.

The only two issues I've ever seen are:
1) The access group was missing the "apache" user, so apache threw errors.

2) mod_ruid2 was not set up correctly in one case a while back, so it was not running as the correct user, thus the system wouldn't let it in.. again, errors ensued.

You should be fine to run SAG, it's more secure.

If you do get any errors, there would be a reason for them, and we could debug to find out what's missing.

John
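As an added illustration (not code from this thread or from DirectAdmin), a small POSIX sh emulation of the kernel's permission check ties together John's perl trick (chgrp apache; chmod 705), the SAG layout (/home/user user:access 750) and the 403 seen after the restore bug (domains user:user 750). The point is that Unix picks the first matching class, owner, then group, then other, and never falls through, so a group with fewer bits than "other" is an explicit deny. User names, groups and the sample modes below are constructed; check_path assumes GNU stat.

```shell
#!/bin/sh
# perm_decision MODE OWNER GROUP USER "USER_GROUPS" BIT
#   MODE  : octal mode as shown by stat/ls, e.g. 705 or 4755
#   USER  : the account attempting access, USER_GROUPS its groups (space-separated)
#   BIT   : r, w or x
# Prints "allow" or "deny" for that bit, using the POSIX class selection rule.
perm_decision() {
  mode=${1#"${1%???}"}            # keep the last three octal digits (drop setuid/setgid/sticky)
  f_owner=$2; f_group=$3; user=$4; user_groups=$5; want=$6
  if [ "$user" = "$f_owner" ]; then
    digit=$(printf '%s' "$mode" | cut -c1)           # owner class
  else
    digit=$(printf '%s' "$mode" | cut -c3)           # default: "other" class
    for g in $user_groups; do
      # group class wins over "other" even when it grants LESS (this is the 705 trick)
      [ "$g" = "$f_group" ] && digit=$(printf '%s' "$mode" | cut -c2)
    done
  fi
  case $want in
    r) bitval=4 ;; w) bitval=2 ;; x) bitval=1 ;;
    *) echo "bad bit: $want" >&2; return 2 ;;
  esac
  if [ $(( digit & bitval )) -ne 0 ]; then echo allow; else echo deny; fi
}

# check_path PATH USER "USER_GROUPS" BIT : same decision for a real file on this host.
# Uses the GNU stat format; on a live box pass "$(id -Gn apache)" as USER_GROUPS.
check_path() {
  path=$1; user=$2; user_groups=$3; want=$4
  stat_out=$(stat -c '%a %U %G' "$path") || return 2
  set -- $stat_out                                    # -> mode owner group
  perm_decision "$1" "$2" "$3" "$user" "$user_groups" "$want"
}

# Constructed scenarios from the thread (no real accounts needed):
echo "perl 705 root:apache, run by apache      : $(perm_decision 705 root apache apache 'apache' x)"
echo "perl 705 root:apache, run by user bob    : $(perm_decision 705 root apache bob 'bob' x)"
echo "SAG /home/bob 750 bob:access, apache     : $(perm_decision 750 bob access apache 'apache access' x)"
echo "restore bug domains 750 bob:bob, apache  : $(perm_decision 750 bob bob apache 'apache access' x)"
echo "John's fix domains 711 bob:bob, apache   : $(perm_decision 711 bob bob apache 'apache' x)"
```

The fourth line is exactly why the restored domain answered 403: apache is not in group "bob" and "other" has no bits, while with group "access" (third line) apache gets r-x and nobody outside that group gets anything.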
 