Archive for December, 2009

PHP as a CGI script with suexec

For hosts running PHP as a CGI script with suexec you may be able to put these directives in a php.ini file in your website root directory.

upload_max_filesize = 10M
post_max_size = 20M

Add the below to your .htaccess file in your web root directory.

php_value upload_max_filesize 10M
php_value post_max_size 20M

The PHP documentation states that the memory_limit setting also affects file uploading.
Generally speaking, memory_limit should be larger than post_max_size.

Depending on your host, this can be done in a number of places with the most likely being php.ini or .htaccess depending on your hosting situation.

Add for example:

memory_limit = 16M to your php.ini file (recommended, if you have access)

With root access, you can use the sed util in Linux/Unix based systems, in order to increace the memory for 64M. Don’t forget to properly locate you php.ini file!

sed -i ’s/memory_limit = 16M/memory_limit = 64M/’ /etc/php5/apache2/php.ini

How to downgrade from apache 2 back to apache 1.3

If you need to go back to apache 1.3 after installing apache 2, you’ll need to do the following:

1) Restore the old httpd.conf file:

cp -f /etc/httpd/conf/httpd.conf.1.3.backup /etc/httpd/conf/httpd.conf

2) Get DirectAdmin to use the old httpd.conf files for the users. Edit the /usr/local/directadmin/conf/directadmin.conf file and change apache_ver=2.0 to apache_ver=1.3. Also, if you were using custombuild, and are going back to customapache, the apache_conf value needs to be reset to:

apacheconf=/etc/httpd/conf/httpd.conf

Then type

echo “action=rewrite&value=ips” >> /usr/local/directadmin/data/task.queue
echo “action=rewrite&value=httpd” >> /usr/local/directadmin/data/task.queue
echo “action=directadmin&value=restart” >> /usr/local/directadmin/data/task.queue

3) Now you can recompile apache 1.3

rm -f /usr/lib/apache/*
cd /usr/local/directadmin/customapache
./build clean
./build all

4) Fix the modules link:

cd /etc/httpd
rm -f modules
ln -s /usr/lib/apache modules

5) Restore the old boot script:

cp -f /usr/local/directadmin/customapache/httpd /etc/init.d/httpd
chmod 755 /etc/init.d/httpd
/etc/init.d/httpd restart

Source : http://directadmin.com/

.htaccess Hotlink protection for files on your server.

You can stop others from hotlinking your site’s files by placing a file called .htaccess in your Apache site root (main) directory. The period before the name means the file is hidden.

Example: Your site url is www.mysite.com. To stop hotlinking of your images from other sites and display a replacement image called nohotlink.jpe placed in your images directory, place this code in your .htaccess file:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/blockhotlink.jpe [L]

The first line of the above code begins the rewrite. The second line matches any requests from your own mysite.com url. The [NC] code means “No Case”, meaning match the url regardless of being in upper or lower case letters. The third line means allow empty referrals. The last line matches any files ending with the extension jpeg, jpg, gif, bmp, or png. This is then replaced by the blockhotlink.jpe file in your images directory. This JPEG image is using the extension jpe instead of jpg to prevent blocking your own replacement image.

mount your /tmp partition with the noexec,nosuid options, and mount the /home partition with the nosuid option.

t install time, the easiest thing to do is to mount your /tmp partition with the noexec,nosuid options, and mount the /home partition with the nosuid option. This is done in your /etc/fstab and requires those paths to exist as partitions, and not just as subdirectories of /. If you’re unsure, type:

mount

To get a listing of your partitions and their current mounting options. Use google for more information on these mounting options. Be very careful when editing your /etc/fstab, as any errors could prevent your system from starting up. Note that you must not have “nosuid,noexec” for / or /usr, as those partitions have suid binaries normally (su, passwd, etc).

Edit the fstab file vi /etc/fstab and change it depending on your needs. For example:

/dev/sda11 /tmp ext2 defaults 1 2
/dev/sda6 /home ext2 defaults 1 2

To read:

/dev/sda11 /tmp ext2 defaults,rw,nosuid,nodev,noexec 1 2
/dev/sda6 /home ext2 defaults,rw,nosuid,nodev 1 2

nosuid, Meaning do not allow set-user-identifier or set-group-identifier bits to take effect, nodev, do not interpret character or block special devices on this file system partition, noexec, do not allow execution of any binaries on the mounted file system.

SBDavid

Control mounting a file system

Control mounting a file system

You can have more control on mounting a file system like /home and /tmp partitions with some nifty options like noexec, nodev, and nosuid. This can be setup in the /etc/fstab text file. The fstab file contains descriptive information about the various file systems mount options; each line addresses one file system.

Details regarding to security options in the fstab text are:

defaults: Allow everything quota, read-write, and suid on this partition.
noquota: Do not set users quotas on this partition.
nosuid: Do not set SUID/SGID access on this partition.
nodev: Do not set character or special devices access on this partition.
noexec: Do not set execution of any binaries on this partition.
quota: Allow users quotas on this partition.
ro: Allow read-only on this partition.
rw: Allow read-write on this partition.
suid: Allow SUID/SGID access on this partition.

More information can be found in the mount(8) man pages

« Prev - Next »