Spind.net Blog

I’m a security freak, and prefer to switch to individual users, when running scripts on different sites. There are numerous advantages to this, including being able to write to your web directory, without leaving a huge security hole open for root-kits on other hosted sites on the server.

To do this, I’ve decided to use the Apache suexec option for all my scripts. I won’t go into specific details about the setup here, but present a pretty solution to an annoying problem that arises when using suexec and applying software updates for the Apache server.

If your web files are located in /var/www, you won’t need this. For security reasons, suexec is compiled with various configuration options that can’t be changed runtime – the “safe” location of scripts is one of them. If you – like me – have your web files located somewhere else, you’ll need to recompile suexec and re-install it every time you upgrade Apache. If you decide to get the entire source code tree for Apache, just for this, you’ll find yourself in a mess that could easily be avoided.

Here is my solution: Since the suexec source files themselves rarely change, I picked out exactly the files needed to compile the suexec binary and simplified the Makefile. This way, I’ve got a very small directory with the files required to build my suexec with my own configuration options, without messing with the rest of the Apache source code. As long as I remember to run make install after updating Apache, it’s all good.

First of all, you need to set up a directory for the suexec files:

Now make the changes you need to suexec.h and write a suitable Makefile:

You’ll need the apr-devel and httpd-devel packages for this to work. Remember that you need to indent with tabs in makefiles. Run make install to install:

If you’re running php-cgi and getting http error 500, your suexec probably needs to be re-installed. Remember to check the suexec logfile.

Uncategorized Apache, CentOS, SuEXEC

I’ve always had trouble understanding exactly why I would get a million .rpmnew files after updating my servers, especially when those files were exactly identical to their original counterparts. Luckily there seems to be a solution – the yum-merge-conf plugin!

I updated my CentOS 5.2 to 5.3 by running yum --merge-conf, and after downloading and updating, yum asked me what it should do about the new configuration files – kindly sparing me the identical ones:

I chose install the package’s version for everything I know I didn’t mess with, and do the default RPM action (keep local version) for the ones I had been tweaking.

Now, isn’t that cool?

Uncategorized CentOS, Linux, RPM, Yum

My Firefox recently suffered from aggressive dementia, and forgot all the tweaks and add-ons I had applied. Good plugins are hard to find, so here’s the list of the ones I use:

• Adblock Plus – no more ads
• iMacros – automate repetitive tasks in Firefox
• Firebug – website development tools (debugging etc.)
• Pixel Perfect – Firebug extension that helps you get your site pixel perfect
• Web Developer – offers all kinds of neat web developer tools (cookie management, cache on/off, CSS help etc.)

Enjoy

Uncategorized Firefox

Found this one over at michaelhoney.com – a bookmarklet that directs you to the root of whatever site you’re currently browsing. Just drag it to your bookmark bar:

Goto root

Uncategorized Bookmarklet, Firefox

I’m using several SSL-enabled sites daily, and since browsers traditionally refuse to cache anything negotiated through an SSL connection on disk, performance has a tendency to suffer. I notice this every time I visit Fogbugz, and I have to wait for my browser to load all the neat little icons they use. Fortunately, according to James Henstridge, it’s possible to make Firefox 3+ cache these files now.

Basically he suggests to go to about:config and change the setting browser.cache.disk_cache_ssl to true. There have been issues prior to Firefox 2, but these should be fixed in Firefox 3.

If you’re running a webserver, adding the header value Cache-Control: Public will allow most browsers to automatically cache server files. If you’re paranoid, you should only add this header to scripts, images and stylesheets. Here is an example for Apache that allows browsers to cache a selected fileset for up to one week:

Uncategorized Apache, Caching, Performance, SSL, WWW

.. has the database table definitions from hell! Just take a look at this:

+--------------+--------------+------+-----+---------+----------------+
| Field        | Type         | Null | Key | Default | Extra          |
+--------------+--------------+------+-----+---------+----------------+
| id           | mediumint(9) | NO   | PRI | NULL    | auto_increment |
| date         | text         | YES  |     | NULL    |                |
| time         | text         | YES  |     | NULL    |                |
| ip           | text         | YES  |     | NULL    |                |
| urlrequested | text         | YES  |     | NULL    |                |
| agent        | text         | YES  |     | NULL    |                |
| referrer     | text         | YES  |     | NULL    |                |
| search       | text         | YES  |     | NULL    |                |
| nation       | text         | YES  |     | NULL    |                |
| os           | text         | YES  |     | NULL    |                |
| browser      | text         | YES  |     | NULL    |                |
| searchengine | text         | YES  |     | NULL    |                |
| spider       | text         | YES  |     | NULL    |                |
| feed         | text         | YES  |     | NULL    |                |
| user         | text         | YES  |     | NULL    |                |
| timestamp    | text         | YES  |     | NULL    |                |
+--------------+--------------+------+-----+---------+----------------+

This is horrible database design, and since this table quickly grows in size, this is something to be fixed immediately:

If you’re using MySQL 5+, you might consider changing the VARCHAR(255) definitions to VARCHAR(1024).

The new definition looks like this:

+--------------+------------------+------+-----+---------+----------------+
| Field        | Type             | Null | Key | Default | Extra          |
+--------------+------------------+------+-----+---------+----------------+
| id           | mediumint(9)     | NO   | PRI | NULL    | auto_increment |
| date         | varchar(8)       | YES  |     | NULL    |                |
| time         | varchar(8)       | YES  |     | NULL    |                |
| ip           | varchar(16)      | YES  |     | NULL    |                |
| urlrequested | varchar(255)     | YES  |     | NULL    |                |
| agent        | varchar(255)     | YES  |     | NULL    |                |
| referrer     | varchar(255)     | YES  |     | NULL    |                |
| search       | varchar(255)     | YES  |     | NULL    |                |
| nation       | varchar(8)       | YES  |     | NULL    |                |
| os           | varchar(64)      | YES  |     | NULL    |                |
| browser      | varchar(255)     | YES  |     | NULL    |                |
| searchengine | varchar(64)      | YES  |     | NULL    |                |
| spider       | varchar(64)      | YES  |     | NULL    |                |
| feed         | varchar(255)     | YES  |     | NULL    |                |
| user         | varchar(32)      | YES  |     | NULL    |                |
| timestamp    | int(10) unsigned | YES  |     | NULL    |                |
+--------------+------------------+------+-----+---------+----------------+

You won’t believe this, but they didn’t add any indexes. To prevent your system from going into a coma when doing household on hit data, add at least an index on date:

Uncategorized

As a website developer, I unfortunately need to test everything in Microsoft’s dreaded Internet Explorer. For this, I’ve got a Windows XP running on an installation of VMware® Workstation on my Linux desktop. It works like a charm, except when the kernel is updated.

Aside from being a website developer, I’m also a paranoid system administrator. One of the first thing I add to my login scripts, is umask 077 – the command that sets the permission mask for newly created files. Setting this to 077 prevents anyone but the current user from being granted any rights – read, write or execution. It’s a sane thing to do, but unfortunately a lot of scripts fail to explicitly grant access to other users, especially when installing RPM packages or – in this case – running VMWare after a kernel upgrade to build new VMWare-specific kernel modules.

In this specific case, VMWare kernel modules were built by the root user, and ended up in /lib/modules/2.6.27.19-170.2.35.fc10.x86_64/misc/ which was created by the build process. Read permissions were not explicitly granted to everyone, so when running vmware as a mortal user, it was unable to actually read and verify the newly built kernel modules. The natural response to the user wasn’t “Unable to read kernel module files”, but instead “You need to build kernel modules for your specific kernel”. Makes a lot of sense, eh?

Manually granting read and execution rights on the /misc directory and the files in it fixed the issue.

Uncategorized Fedora, Linux, Paranoia, VMWare

After having been a employer sponsored free-hosting initiative, Spind.net has now officially become a part of my own company. During the next weeks, domains, e-mail and websites will be relocated to our new servers at Leaseweb’s environmentally aware EvoSwitch facility in Amsterdam.

We’re currently leasing a couple of entry level servers, and we’ve named them after one of the two first big accomplishments in space history: the first orbiting satellite, the Russian Sputnik-1 and the first spaceship bringing a human being – Yuri “Kedr” Gagarin – into space, the Russian Vostok 3KA.

Uncategorized

I rarely need a Java plugin for my 64-bit Firefox browser, but once in a rare while I need to use certain government services that require a digital signature and the original Sun Java plugin – OpenJDK just doesn’t cut it. Sun changed a couple of things recently, so many of the howto’s are outdated – this will work though:

Make sure you remove/disable OpenJDK:

Get the latest Java SE Runtime Environment (JRE) here. Make sure it’s the 64-bit non-RPM version. The RPM might work too, I just didn’t test it. We’ll assume it’s version 1.6.0-12. Execute the following commands to unpack it:

Accept the license agreement. The directory jre1.6.0_12 is created. Execute the following commands to move JRE and make a symbolic link to the plugin:

The new thing here is that they recently renamed the plugin from libjavaplugin_oji.so to libnpjp2.so – that set me off track for a while.

Restart Firefox and type in about:plugins and look for Java – if it’s there, you’re all set.

Uncategorized 64bit, Fedora, Fedora10, Firefox, Java, Sun

This is just an easy one-liner to install the Danish language pack for OpenOffice.org in recent versions of Fedora Linux:

Uncategorized Danish, Fedora, Linux, Locale, OpenOffice.org