Disable perl & cgi

[Suurbier]

I can't figure out how to disable cgi and perl for DA.

#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see 
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  

ServerRoot "/etc/httpd"
Listen 80

#LoadModule dummy_module /usr/lib/apache/mod_dummy.so
Include	/etc/httpd/conf/extra/httpd-phpmodules.conf

User apache
Group apache

ServerAdmin admin@localhost
DocumentRoot "/var/www/html"

<Directory /home/*>
    AllowOverride All
    Options -MultiViews -Indexes FollowSymlinks IncludesNoExec +Includes
<Limit GET POST OPTIONS PROPFIND>
    Order allow,deny
    Allow from all
</Limit>
<LimitExcept GET POST OPTIONS PROPFIND>
    Order deny,allow
    Deny from all
</LimitExcept>
</Directory>

<Directory />
    Options All
    AllowOverride All
</Directory>

<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
   <IfModule mod_suphp.c>
        suPHP_Engine On
        suPHP_UserGroup webapps webapps
	SetEnv PHP_INI_SCAN_DIR
   </IfModule>
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html index.htm index.shtml index.php index.php5 index.php4 index.php3 index.phtml index.cgi
</IfModule>

<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

ErrorLog /var/log/httpd/error_log
LogLevel warn

<IfModule log_config_module>
    #replace %b with %O for more accurate logging
    <IfModule mod_logio.c>
      LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
      LogFormat "%h %l %u %t \"%r\" %>s %O" common
      LogFormat "%O %I" bytes

      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    CustomLog /var/log/httpd/access_log common
</IfModule>

<IfModule alias_module>
    # Include some DirectAdmin alias
    Include conf/extra/httpd-alias.conf
</IfModule>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

DefaultType text/plain

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-gzip .tgz
    AddEncoding x-compress .Z
    AddEncoding x-gzip .gz .tgz
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddHandler cgi-script .cgi
    AddHandler type-map var
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
	AddType video/x-ms-asf .avi
	AddType video/mpeg .mpg
	AddType video/mpeg .mpeg
	AddType video/quicktime .mov
	AddType video/x-ms-wmv .wmv
</IfModule>

#EnableMMAP off
#EnableSendfile off

#######################################################################################
# Do not change anything in included files, because they are rewritten by DirectAdmin #
#######################################################################################

# This is needed for PHP
Include conf/extra/httpd-php-handlers.conf

# Server-pool management (MPM specific)
Include conf/extra/httpd-mpm.conf

# Multi-language error messages
Include conf/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
Include conf/extra/httpd-autoindex.conf

# Language settings
Include conf/extra/httpd-languages.conf

# User home directories
#Include conf/extra/httpd-userdir.conf

# Real-time info on requests and configuration
Include conf/extra/httpd-info.conf

# Virtual hosts
Include conf/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
Include conf/extra/httpd-dav.conf

# Various default settings
Include conf/extra/httpd-default.conf

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

# Deflate module settings
Include conf/extra/httpd-deflate.conf

# All the DirectAdmin vhosts
Include conf/extra/directadmin-vhosts.conf

# All suPHP directives
Include conf/extra/httpd-suphp.conf

# For user configurations not maintained by DirectAdmin. Empty by default.
Include conf/extra/httpd-includes.conf

#######################################################################################
# End of included files that are rewritten by DirectAdmin                             #
#######################################################################################

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

How do i disable perl & cgi?

 

[scsi]

chmod 750 /usr/bin/perl
chmod 750 /usr/local/bin/perl

Remove the loadmodule lines in /etc/httpd/conf/httpd.conf

 

[SeLLeRoNe]

I would ask something about change perl permission.

I did today to 754 (and in past to 750) but this brake majordomo maling list.

Have you ever had problem using majordomo with those permission?

Regards

 

[Suurbier]

Is the chmod trick proven? I am a little bit afraid it would kill other applications like exim? etc.

What line do i need to remove?

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-gzip .tgz
    AddEncoding x-compress .Z
    AddEncoding x-gzip .gz .tgz
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddHandler cgi-script .cgi

The last line?

how do i disable mod_perl and mod_cgi?

 

[scsi]

It looks like mod_cgi is compiled into the httpd binary itself so then you would have to recompile apache with the added line --disable-cgi in configure.apache

cd /usr/local/directadmin/custombuild
./build update
./build clean
mkdir -p custom/ap2
cp -rfp configure/ap2/configure.apache custom/ap2
perl -pi -e 's/\"--enable-so\" \\/\"--enable-so\" \\\n\t\"--disable-cgi\" \\/' custom/ap2/configure.apache
./build apache n

 

[nobaloney]

I would ask something about change perl permission.

I did today to 754 (and in past to 750) but this brake majordomo maling list.

Have you ever had problem using majordomo with those permission?

It won't run if it needs to run as a user. Majoromo uses perl.

Jeff

 

[scsi]

Yeah you would probably have to make a secure access group and set that group as the group of the perl binary and then put every user you wish to be able to use perl in that group.

 

[SeLLeRoNe]

you mean the directadmin access group? If yes, doesnt every user get automatically insert in that group?

If you mean a different group so ok lets call it majouser

Regards

 

[scsi]

No I mean a seperate group...putting every user in the group would defeat the purpose of trying to lock it down.

Something like:

groupadd perlgroup
chgrp perlgroup /usr/bin/perl

For all the users you want to be able to access perl:

useradd -G perlgroup <username>

 

[SeLLeRoNe]

Oh ok, so i had understand well ^^

Thanks a lot for command lines example.

Regards

 

[SeLLeRoNe]

Just a notice.

useradd is for non-existing users.

Would be better

/usr/sbin/usermod -a -G perlgroup <username>

Regards

 

[SeLLeRoNe]

Seems to dont work

pipe to |/etc/virtual/majordomo/wrapper resend -C /etc/virtual/domain.eu/majordomo/majordomo.cf -l comitati -h domain.eu -f owner-comitati [email protected]
   generated by [email protected]

Im going to try change wrapper owner so..

 

[sherman2000]

Csf

chmod 750 /usr/bin/perl
chmod 750 /usr/local/bin/perl

Remove the loadmodule lines in /etc/httpd/conf/httpd.conf

If the permision decrease CSF down and not work!!!

 

[zEitEr]

Try this http://www.directadmin.com/forum/showthread.php?t=44971&p=231624#post231624 then.