NoBaloney2
NoBaloney Internet Svcs.
Thanks, John. Starting to contact clients now.
Jeff
Jeff
Security - Recommended update to httpd.conf files via custombuild
- Thread starter DirectAdmin Support
- Start date
Hi John, please check if StevenC patch can be used instead, so that we don't have to deal with clients complaining about the .htaccess restriction: http://forums.cpanel.net/f185/how-p...inks-non-root-users-202242-p4.html#post996441 Here is copy of StevenC post:
Last edited:
- Joined
- Feb 27, 2003
- Messages
- 8,509
Hello,
Done.
If you wish to use the StevenC/Rack911 patch, it's now in custombuild. It's off by default.
Right now, it's just in files1, so please allow 24 hours if you're using a files mirror for rsync propogation.
To use it:
Some cases, ./build apache will delete modules from /usr/lib/apache... so if that happens, you'll also need to do
and for any other missing modules.
What this patch does, is allows Users to use everything as it was before, including the FollowSymLinks option.
However, the functionality of FollowSymLinks is no longer the insecure type as it was before.
The new functionality of FollowSymLinks with this patch will simply duplicate the functionality of the more secure SymLinksIfOwnerMatch.
This will allow the secure_htaccess option to be set to "no" (old httpd config setup), but still solve the linking issue with regards to security.
Once testing is under the belt for this patch, we'll set secure_htaccess=no as the default, and harden-symlinks-patch=yes as the default.
John
Done.
If you wish to use the StevenC/Rack911 patch, it's now in custombuild. It's off by default.
Right now, it's just in files1, so please allow 24 hours if you're using a files mirror for rsync propogation.
To use it:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build set harden-symlinks-patch yes
./build set secure_htaccess no
./build apache
./build rewrite_confs
Code:
./build php nWhat this patch does, is allows Users to use everything as it was before, including the FollowSymLinks option.
However, the functionality of FollowSymLinks is no longer the insecure type as it was before.
The new functionality of FollowSymLinks with this patch will simply duplicate the functionality of the more secure SymLinksIfOwnerMatch.
This will allow the secure_htaccess option to be set to "no" (old httpd config setup), but still solve the linking issue with regards to security.
Once testing is under the belt for this patch, we'll set secure_htaccess=no as the default, and harden-symlinks-patch=yes as the default.
John
TheLinuxGuy
Verified User
- Joined
- Mar 6, 2004
- Messages
- 23
I get this problem and httpd is down:
[root@*** custombuild]# ./build rewrite_confs
Using ***.***.*** for your server IP
Writing data to /etc/httpd/conf/extra/httpd-suphp.conf
Done.
Restarting apache.
Stopping httpd: [ OK ]
Starting httpd: Syntax error on line 26 of /usr/local/directadmin/data/users/adv
Unknown DAV provider: svn
[root@server custombuild]#
[root@*** custombuild]# ./build rewrite_confs
Using ***.***.*** for your server IP
Writing data to /etc/httpd/conf/extra/httpd-suphp.conf
Done.
Restarting apache.
Stopping httpd: [ OK ]
Starting httpd: Syntax error on line 26 of /usr/local/directadmin/data/users/adv
Unknown DAV provider: svn
[root@server custombuild]#
SeLLeRoNe
Super Moderator
Thats what rewrite_confs do...
Richard G
Verified User
Why he would? Because it's stated you should do that in post #23 from DA support.
This is an option I found in Zencart:
Will this keep on working in good order after doing the patch?
This is an option I found in Zencart:
Will this keep on working in good order after doing the patch?
Last edited:
zEitEr
Super Moderator
Yes, it should work OK with the patch, if the owners match.
Suurbier
Verified User
- Joined
- Apr 23, 2007
- Messages
- 224
Why don't you turn on harden-symlinks-patch as default?
- Joined
- Feb 27, 2003
- Messages
- 8,509
Hello,
For anyone who is using the patch, are there any noticeable issues? The patch should be the default, as it makes life much easier.
If all is well (let me know), then I'll make it the default for new installs. Will need several confirmed reports that it's working before we change it (we're using it on a test box, and it's fine as far as we can tell)
John
For anyone who is using the patch, are there any noticeable issues? The patch should be the default, as it makes life much easier.
If all is well (let me know), then I'll make it the default for new installs. Will need several confirmed reports that it's working before we change it (we're using it on a test box, and it's fine as far as we can tell)
John
mmx
Verified User
Hi, I have been running with the patch for about a week now. Everything looks okay, but I am getting some Segmentation Faults in Apache:
I don't know if this is related to the patch or not, as it could be just APC acting up (or something else that I have played with). I haven't looked into it that much.
FreeBSD 7.4 x64, Apache 2.2, PHP 5.2.17 CLI
Now that I think about it, I didn't rebuild PHP after applying the patch. I'll be doing so tonight once I upgrade to PHP-CGI. I'll follow-up once I go through.
Code:
[Tue Jan 10 09:34:39 2012] [notice] child pid 77443 exit signal Segmentation fault (11)
[Tue Jan 10 09:34:39 2012] [notice] child pid 77364 exit signal Segmentation fault (11)
[Tue Jan 10 09:34:39 2012] [notice] child pid 77352 exit signal Segmentation fault (11)I don't know if this is related to the patch or not, as it could be just APC acting up (or something else that I have played with). I haven't looked into it that much.
FreeBSD 7.4 x64, Apache 2.2, PHP 5.2.17 CLI
Now that I think about it, I didn't rebuild PHP after applying the patch. I'll be doing so tonight once I upgrade to PHP-CGI. I'll follow-up once I go through.
Richard G
Verified User
I've got it running on Centos 5.5 with mod_ruid2 for about three or 4 days and have the same problem you have and I did rebuild php after applying the patch:
Centos 5.5, PHP 5.2.17 (cli) (built: Jan 10 2012 00:40:19)
Server version: Apache/2.2.21 (Unix)
Server built: Jan 10 2012 00:36:43
So I think it's not your APC but indeed the patch which is causing this. However, I only had this once until now.
Centos 5.5, PHP 5.2.17 (cli) (built: Jan 10 2012 00:40:19)
Server version: Apache/2.2.21 (Unix)
Server built: Jan 10 2012 00:36:43
Hi John. Is there any way I can apply the patch without running ./build rewrite_confs , like adding the needed code in confs files manually? I am getting errors when running ./build rewrite_confs because I have two files in custom folder, virtual_host2.conf and virtual_host2_secure.conf and running a customized DA SVN plugin like this: http://www.directadmin.com/forum/showthread.php?t=38010&p=191619#post191619 - I get errors after running ./build rewrite_confs like this:
I have attached the content of my virtual_host2.conf and virtual_host2_secure.conf files as attachments, they are needed in order for domain creating of IDN domains to work without errors when using the SVN plugin.
Code:
Starting httpd: Syntax error on line 26 of
/usr/local/directadmin/data/users/...I have attached the content of my virtual_host2.conf and virtual_host2_secure.conf files as attachments, they are needed in order for domain creating of IDN domains to work without errors when using the SVN plugin.
- Joined
- Feb 27, 2003
- Messages
- 8,509
... but what is the error? If some of the main httpd.conf files are missing the svn bits (eg: LoadModule), then it would be easier to lock them down, so that everything can still be re-written, but for any main conf file, it will be locked and won't be able to be modified.
http://help.directadmin.com/item.php?id=351
John
http://help.directadmin.com/item.php?id=351
John
Hi, sorry for the incomplete error message, here all of it is:
Also I have previous been talking to you on email, but I have not any solution yet. Please see the email with subject "httpd down after rewrite_confs" where I have provided all information that I have. The emails is from december 22 and 23. You have replied to them.
Code:
[root@server custombuild]# ./build rewrite_confs
Using 12.12.12.12 for your server IP
Writing data to /etc/httpd/conf/extra/httpd-suphp.conf
Done.
Restarting apache.
Stopping httpd: [ OK ]
Starting httpd: Syntax error on line 26 of
/usr/local/directadmin/data/users/adv
Unknown DAV provider: svn
[root@server custombuild]#Also I have previous been talking to you on email, but I have not any solution yet. Please see the email with subject "httpd down after rewrite_confs" where I have provided all information that I have. The emails is from december 22 and 23. You have replied to them.
- Joined
- Feb 27, 2003
- Messages
- 8,509
Basically, after the rewrite, what do you do to fix it? Do the user httpd.conf files get manually changed? Or is something re-installed to re-add code to the main conf files in /etc/httpd/conf/* ?
One way to find out is to make a backup of the user httpd.conf file when it's working, issue the rewrite, then see if it's changed at all. If it has, then something is editing the user httpd.conf behind DA's back, which wouldn't be recommended.
If the user httpd.conf file is the same, then the change is in the /etc/httpd/conf/* location (somewhere), so you'd just need to lock it, as mentioned in the id=351 guide. (or use the cleaner solution #2 in id=351 to add the custom code confs (under the custombuild dir), so the custom conf is copied upon each re-write)
John
One way to find out is to make a backup of the user httpd.conf file when it's working, issue the rewrite, then see if it's changed at all. If it has, then something is editing the user httpd.conf behind DA's back, which wouldn't be recommended.
If the user httpd.conf file is the same, then the change is in the /etc/httpd/conf/* location (somewhere), so you'd just need to lock it, as mentioned in the id=351 guide. (or use the cleaner solution #2 in id=351 to add the custom code confs (under the custombuild dir), so the custom conf is copied upon each re-write)
John