Spind.net Blog

I’m a security freak, and prefer to switch to individual users, when running scripts on different sites. There are numerous advantages to this, including being able to write to your web directory, without leaving a huge security hole open for root-kits on other hosted sites on the server.

To do this, I’ve decided to use the Apache suexec option for all my scripts. I won’t go into specific details about the setup here, but present a pretty solution to an annoying problem that arises when using suexec and applying software updates for the Apache server.

If your web files are located in /var/www, you won’t need this. For security reasons, suexec is compiled with various configuration options that can’t be changed runtime – the “safe” location of scripts is one of them. If you – like me – have your web files located somewhere else, you’ll need to recompile suexec and re-install it every time you upgrade Apache. If you decide to get the entire source code tree for Apache, just for this, you’ll find yourself in a mess that could easily be avoided.

Here is my solution: Since the suexec source files themselves rarely change, I picked out exactly the files needed to compile the suexec binary and simplified the Makefile. This way, I’ve got a very small directory with the files required to build my suexec with my own configuration options, without messing with the rest of the Apache source code. As long as I remember to run make install after updating Apache, it’s all good.

First of all, you need to set up a directory for the suexec files:

Now make the changes you need to suexec.h and write a suitable Makefile:

You’ll need the apr-devel and httpd-devel packages for this to work. Remember that you need to indent with tabs in makefiles. Run make install to install:

If you’re running php-cgi and getting http error 500, your suexec probably needs to be re-installed. Remember to check the suexec logfile.

Uncategorized Apache, CentOS, SuEXEC

I’ve always had trouble understanding exactly why I would get a million .rpmnew files after updating my servers, especially when those files were exactly identical to their original counterparts. Luckily there seems to be a solution – the yum-merge-conf plugin!

I updated my CentOS 5.2 to 5.3 by running yum --merge-conf, and after downloading and updating, yum asked me what it should do about the new configuration files – kindly sparing me the identical ones:

I chose install the package’s version for everything I know I didn’t mess with, and do the default RPM action (keep local version) for the ones I had been tweaking.

Now, isn’t that cool?

Uncategorized CentOS, Linux, RPM, Yum

My Firefox recently suffered from aggressive dementia, and forgot all the tweaks and add-ons I had applied. Good plugins are hard to find, so here’s the list of the ones I use:

• Adblock Plus – no more ads
• iMacros – automate repetitive tasks in Firefox
• Firebug – website development tools (debugging etc.)
• Pixel Perfect – Firebug extension that helps you get your site pixel perfect
• Web Developer – offers all kinds of neat web developer tools (cookie management, cache on/off, CSS help etc.)

Enjoy

Uncategorized Firefox