nomike

Tuesday, August 23, 2005

Opensource Terrorists

As long as we don't get sued for it... ;-)
http://www.dpp-label.yi.org/upload2/images/Linuxterroriste.gif

Wednesday, August 17, 2005

Words of Wisdom

Sometimes, when you cry, no one sees your fears.

Sometimes, when you're worried, no one sees your pain.

Sometimes, when you're happy, no one sees your smile.

But fart just one time...

Tuesday, August 16, 2005

The endless depths of suexec

When building a secure shared-hosting web server, mod_suexec is an absolute must. It lets you tell Apache to run CGI and Perl scripts as a different User:Group than the rest of Apache. Combined with access control lists, you can safely enable CGI support without having to worry about users' CGI scripts modifying or reading data they should not be able to see.

A common security rule when building Apache web servers is to move the cgi-bin directory (the dir where you normally put CGI and Perl scripts) out of your document root. So I have /sites/website1/html as docroot and /sites/website1/cgi-bin as cgi-bin. With the config directive ScriptAlias /cgi-bin/ /sites/website1/cgi-bin/ I can "map" that dir into my docroot to make it accessible from the browser.

If you enable suexec ("SuexecUserGroup website1 sites" in the virtual host config), Apache executes the scripts called via this virtual host as user "website1" and group "sites".

Suexec itself is a bit paranoid (and that's good!) and does several checks before executing a script: the script has to be owned by the user:group specified in the SuexecUserGroup directive, it must not be writable by anyone else, and it has to be in the document root or in a dir specified when compiling mod_suexec.

And that's where the troubles start.

/sites/website1/cgi-bin/ is not in the docroot, so suexec doesn't work there. When compiling the suexec module, the Red Hat people specified /var/www as the suexec docroot (the dir where you can use suexec).

So I either have to recompile mod_suexec (which breaks any future automatic updates) or move /sites to /var/www/sites. For simplicity I did the latter.

The second problem is awstats. I moved it to /var/www/awstats to place it inside the suexec docroot. But each virtual host uses its own user. As I mentioned before, the script needs to be owned by the suexec'ed user, and since awstats cannot be owned by everyone, it won't run.

One solution would be to turn off suexec for awstats, but as this is a security risk (enabling this means that customers could become other users by placing a SuexecUserGroup directive in a .htaccess file) it is not possible. So there is no way to get awstats running.

My personal solution is to let a cron job produce static HTML files with the awstats statistics during the night and place them in /var/www/sites/website1/stats/.

If you have an idea how to get awstats running, I'd appreciate your comments...
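A preflight check for the three suexec conditions listed in this post, as an added example (not code from the post or from Apache). The function name and messages are made up here, user and group may be names or numeric ids, and real suexec performs further checks that this does not cover.

```python
import grp
import os
import pwd
import stat


def _uid(user):  # accept a user name or a numeric uid
    return user if isinstance(user, int) else pwd.getpwnam(user).pw_uid


def _gid(group):  # accept a group name or a numeric gid
    return group if isinstance(group, int) else grp.getgrnam(group).gr_gid


def suexec_preflight(script, user, group, suexec_docroot):
    """Return the reasons suexec would refuse `script` (empty list = passes)."""
    problems = []
    real = os.path.realpath(script)          # resolve symlinks first
    root = os.path.realpath(suexec_docroot)
    st = os.stat(real)

    # 1. Owned by the user:group given in SuexecUserGroup.
    if (st.st_uid, st.st_gid) != (_uid(user), _gid(group)):
        problems.append(f"owned by uid:gid {st.st_uid}:{st.st_gid}, "
                        f"but SuexecUserGroup is {user} {group}")

    # 2. Not writable by anyone else (no group or world write bit).
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(
            f"mode {stat.S_IMODE(st.st_mode):04o} is group- or world-writable")

    # 3. Inside the compiled-in suexec docroot. commonpath compares whole
    #    path components, so /var/www2 does not count as inside /var/www.
    if os.path.commonpath([real, root]) != root:
        problems.append(f"{real} is outside suexec docroot {root}")
    return problems


if __name__ == "__main__":
    import tempfile
    # Constructed demo: a group-writable script in a throwaway docroot.
    with tempfile.TemporaryDirectory() as docroot:
        cgi = os.path.join(docroot, "test.cgi")
        open(cgi, "w").close()
        os.chmod(cgi, 0o775)
        st = os.stat(cgi)
        print(suexec_preflight(cgi, st.st_uid, st.st_gid, docroot))
```

On the layout described above, the call would be suexec_preflight(path_to_script, "website1", "sites", "/var/www").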

Friday, August 12, 2005

Regular Expressions for Matching Apache Logfile Entries

I'm currently developing a shell script which analyses a customer website and unifies it to a new format (dirs, filenames, etc.) for being put on our new server. Part of this script is an access-log format recognition function. Therefore I created two sed scripts.

Common Log Format:
sed "s/^[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\} - [a-z,A-Z,0-9,\\,,\\_, ,\\-]* \[[0-9]\{1,2\}\/[a-z,A-Z]\{1,4\}\/[0-9]\{4\}:[0-9]\{1,2\}:[0-9]\{1,2\}:[0-9]\{1,2\} [+,-][0-9]\{4\}\] \"[^\"]*\" [0-9]\{3\} [0-9,-]*$/#/"

Combined Log Format:
sed "s/^[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\} - [a-z,A-Z,0-9,\\,,\\_, ,\\-]* \[[0-9]\{1,2\}\/[a-z,A-Z]\{1,4\}\/[0-9]\{4\}:[0-9]\{1,2\}:[0-9]\{1,2\}:[0-9]\{1,2\} [+,-][0-9]\{4\}\] \"[^\"]*\" [0-9]\{3\} [0-9,-]* \"[^\"]*\" \"[^\"]*\"$/#/"

Feel free to use this, and send me suggestions for improvement/error corrections/etc.

Tuesday, August 09, 2005

Welcome

Welcome to my first blog!