Couple of questions

Hi, just a couple of questions if you don’t mind:

(Bear in mind, I’m running the GPL version and I have installed webmin after already setting up my server via yum)

  • What does this mean: “Subdirectory for mailbox user home directories” – It’s set to “homes” but is just an empty dir in all my accounts. The mailbox is in “mail” (configured)

  • In virtualmin I can go to virtual server options > document options and see a list of “directory options” (execute CGI programs, etc). This is set to “default”. Where can I edit this default? I don’t find this anywhere else.

  • I don’t need CGI, so I disabled loadmodule mod_actions in apache (amongst other things), but if I then recheck the virtualmin configuration, it complains about that.

"The Apache module mod_actions is either not installed or not enabled."

you can setup the gpl version to use suexec and mod_fcgid. instructions are in this forum somewhere.
this is highly secure and will create the folders in /home/user that is the /tmp, /etc folder, and in there the /php folder.

if you really want to run mod_php then you would create those additional folders with files in /etc/skel, it then gets copied into the new servers.

some basic security in the php.ini could be:

disable_functions = show_source, system, exec, shell_exec, passthru, popen, proc_open, ini_restore, symlink

or if you wanna go wild:

Disabled Functions: exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open, ini_alter,dl,popen,popen,pcntl_exec,socket_accept,socket_bind,socket_clear_error, socket_close,socket_connect,socket_create_listen,socket_create_pair,socket_create, socket_get_option,socket_getpeername,socket_getsockname,socket_last_error,socket_listen, socket_read,socket_recv,socket_recvfrom,socket_select,socket_send,socket_sendto,socket_set_block, socket_set_nonblock,socket_set_option,socket_shutdown,socket_strerror,socket_write, stream_socket_client,stream_socket_server,pfsockopen,stream_set_timeout,disk_total_space, disk_free_space,chown,diskfreespace,getrusage,get_current_user,set_time_limit,getmyuid,getmypid,dl, leak,listen,chgrp,link,symlink,dlopen,proc_nice,proc_get_stats,proc_terminate,shell_exec,sh2_exec, posix_getpwuid,posix_getgrgid,posix_kill,ini_restore,mkfifo,dbmopen,dbase_open,filepro,filepro_rowcount, posix_mkfifo,putenv,sleep
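An added example, not part of the original post: a shell function that reports which entries of the shorter list above a given php.ini still leaves callable. The names `not_disabled` and `sample_ini` are made up for the example, and the sample input is the longer list from the same post rewritten as a `disable_functions` line.

```shell
# Added example, not from the original post. BASELINE is the shorter list
# quoted above; not_disabled and sample_ini are hypothetical names.
BASELINE="show_source system exec shell_exec passthru popen proc_open ini_restore symlink"

# Print each baseline function that the php.ini given as $1 leaves callable.
# If disable_functions appears more than once, this sketch uses the last one.
not_disabled() {
    awk -v want="$BASELINE" '
        /^[ \t]*;/ { next }                        # comment line
        /^[ \t]*disable_functions[ \t]*=/ {
            val = $0
            sub(/^[^=]*=/, "", val)                # drop "disable_functions ="
            sub(/;.*$/, "", val)                   # drop a trailing comment
            gsub(/[" \t\r]/, "", val)              # drop quotes and whitespace
            last = tolower(val)
        }
        END {
            n = split(last, got, ",")
            for (i = 1; i <= n; i++) off[got[i]] = 1
            m = split(want, w, " ")
            for (i = 1; i <= m; i++) if (!(w[i] in off)) print w[i]
        }' "$1"
}

# Constructed input: the longer list from the post, written as a php.ini line.
sample_ini() {
    cat <<'EOF'
; constructed php.ini fragment
disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open, ini_alter,dl,popen,popen,pcntl_exec,socket_accept,socket_bind,socket_clear_error, socket_close,socket_connect,socket_create_listen,socket_create_pair,socket_create, socket_get_option,socket_getpeername,socket_getsockname,socket_last_error,socket_listen, socket_read,socket_recv,socket_recvfrom,socket_select,socket_send,socket_sendto,socket_set_block, socket_set_nonblock,socket_set_option,socket_shutdown,socket_strerror,socket_write, stream_socket_client,stream_socket_server,pfsockopen,stream_set_timeout,disk_total_space, disk_free_space,chown,diskfreespace,getrusage,get_current_user,set_time_limit,getmyuid,getmypid,dl, leak,listen,chgrp,link,symlink,dlopen,proc_nice,proc_get_stats,proc_terminate,shell_exec,sh2_exec, posix_getpwuid,posix_getgrgid,posix_kill,ini_restore,mkfifo,dbmopen,dbase_open,filepro,filepro_rowcount, posix_mkfifo,putenv,sleep
EOF
}

tmp=$(mktemp); sample_ini > "$tmp"
not_disabled "$tmp"
rm -f "$tmp"
```

Run on the longer list it prints `show_source`, the one entry of the shorter list that the longer list does not include.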
What does this mean: "Subdirectory for mailbox user home directories" -- It's set to "homes" but is just an empty dir in all my accounts. The mailbox is in "mail" (configured)

You haven’t configured your MDA (mail delivery agent…procmail, the built-in Postfix MDA, whatever) to deliver to Maildir style spools. We recommend Maildir, and that’s what our install script sets up for you.

In virtualmin I can go to virtual server options > document options and see a list of "directory options" (execute CGI programs, etc). This is set to "default". Where can I edit this default? I don't find this anywhere else.

You can edit everything that goes into the Apache VirtualHost section in Server Templates in the "Apache website" section.

When in doubt, look in Server Templates. Almost all of the flexibility of Virtualmin is tucked into Server Templates somewhere.

I don't need CGi, so i disabled loadmodule mod_actions in apache (amongst other things), but if I then recheck the virtualmin configuration, it complains about that.

mod_actions allows CGI-type actions in response to non-CGI looking requests. Virtualmin does so many things that rely on this behavior that it checks for it. In your case, it probably isn’t strictly needed, but Virtualmin hasn’t really taken into account the “I don’t want to run CGI scripts ever under any circumstances” user, since I don’t think we’ve ever met one. :wink:

I believe you’ll have to live with mod_actions being in place, or disabling it after the config check each time. It’s harmless, if you never use any directives that would invoke it. Presumably you’re not giving your users htaccess privileges, anyway, so you’d be the only person capable of triggering its use.

If we run into others who also want to not use any CGI, then I guess we’ll think on adding the ability to disable this check. But it’s extremely rare these days to have websites without applications of some sort.

I read that a tmp dir is supposed to be created for each user upon account creation by virtualmin, but with me that is not the case.

As ronald mentioned, in Virtualmin GPL you have to set this up for yourself. In Virtualmin Professional, we provide mod_fcgid and all of the bits and pieces to make everything work smoothly.

But, you’re not running any CGI scripts, how could you possibly make use of per-user /tmp files? (You’re asking for two completely opposing capabilities here: no mod_actions, which is required for per-user PHP configurations, along with per-user /tmp files.)

It now becomes apparent that you actually do need mod_actions.

Am I supposed to put something in /etc/skel? This is an empty dir on my system. I suppose I also need to add the phpadmin directives in a server template?

Server Templates is where all the magic happens. So, probably so. I don’t know what you’re trying to do, though.

I'm not using phpsuexec or anything like that. Is openbasedir enough protection? (Together with disable_functions en loading of dynamic modules in apache, etc.)

No. Nothing short of suexec makes PHP safe for untrusted users. I’d suggest you setup mod_fcgid and suexec the way I’ve documented it a couple of times here in the forums. If you can’t find it via site search (click “Support” in the bottom menu), let me know and I’ll dig it up for you.

I want the tmp dir in /tmp/username/ -- is this possible to configure automatically? This dir needs to be created beforehand.

No. Put tmp in /home/domainname/tmp. Makes no sense to put it into system-wide /tmp–everything for users (except databases, for technical reasons) goes into /home/domainname. As ronald mentioned, you can add this to whatever skel directory you have configured for use for virtual servers.

Thanks for the detailed replies :slight_smile:

About mod_action, well, if I run php under mod_php then I don’t need any CGI. Its not a contradiction.

About the /tmp dir, I want it in /tmp because I have set that to noexec, nosuid… If I use open_basedir I can keep everyone in their own folder, for sessions, etc. I don’t see what the difference is than having it in your home dir?

Also, if you’re using phpsuexec, how much slower does that make php / apache? I’m running webmin on my own personal dedicated server, so all accounts are mine. However, I do want to protect myself for when someone hacks one of my sites, he does not get access to all others.

Why isn’t open_basedir enough? (If I disable all CGI, perl etc won’t be able to be executed so PHP is the only scripting language that can be used, so open_basedir will always be respected)

Thanks for that list of disable_functions too :slight_smile:

About that "homes" dir, I do have a maildir for each user, and mail works fine? Is there something I have yet to do?

About mod_action, well, if I run php under mod_php then I don't need any CGI. Its not a contradiction.

I believe it is, if you want per-user tmp dirs, but I’m in no way claiming to be a PHP expert.

About the /tmp dir, I want it in /tmp because I have set that to noexec, nosuid.. If I use open_basedir I can keep everyone in their own folder, for sessions, etc. I don't see what the difference is than having it in your home dir?

I have no idea. But, Virtualmin won’t create anything in /tmp for you.

Also, if you're using phpsuexec, how much slower does that make php / apache?

I don’t know. I’ve never used phpsuexec. We use, and I recommended, mod_fcgid+suexec, which is roughly the same performance as mod_php (faster for some things, slightly slower for most).

Why isn’t open_basedir enough? (If I disable all CGI, perl etc won’t be able to be executed so PHP is the only scripting language that can be used, so open_basedir will always be respected)

I dunno. I’ve frequently been told by folks who know PHP far better than I do (again, I know very little about PHP) that none of the built-in security features of PHP are sufficient on a system with untrusted users, and that suexec is the best choice. I understand suexec quite well, so I trust it. I don’t understand open_basedir, so I don’t trust it. If you understand it, and trust it, then I won’t argue with you. :wink:

But, don’t be intimidated by using suexec and mod_fcgid. They are extremely easy to configure. If you’re just trying to avoid it because you think it’s hard to setup, don’t let that stop you.

About that "homes" dir, I do have a maildir for each user, and mail works fine? Is there something I have yet to do?

As I mentioned, if you didn’t use our install script, you will have to configure your MDA to deliver to Maildir. It is not the default behavior of procmail or postfix. (I’m assuming you didn’t use our automated install script, since it would have setup Maildir for you.)

Argh. I’m too sleepy for posting. The formatting got messy on that one… Sorry. (And the forum is still broken for editing posts, so I can’t fix it. Oh, well.)

No worries :slight_smile:

Could you direct me to the article to install fcgid?

I looked at this: http://www.virtualmin.com/forums/blue-skies/take-ownership-of-user-folder.html which points to this repo: http://software.virtualmin.com/gpl/centos/5/x86_64/?C=M;O=D

What do I need to download from there?

Be aware that I have previously installed apache, php, etc via standard yum repositories. I did not use the webmin install.sh – not sure if that’s a problem?

You can install fcgid by logging in via SSH, and typing:

yum install mod_fcgid

Also, the install.sh normally handles installing the Apache related packages (there’s lots of things that the installer normally takes care of :slight_smile:) – but you’ll want to make sure you have the httpd* and mod_ssl packages from Virtualmin installed as well rather than the standard ones from your distro.
-Eric

yum install mod_fcgid doesn’t seem to work. Also tried apache2-mod_fcgid

[root@server ~]# yum install mod_fcgid
Loading "fastestmirror" plugin
Loading mirror speeds from cached hostfile

Btw, I installed webmin via RPM, did that not execute the install.sh? I had already yum installed httpd etc beforehand… But did not know that there was an install.sh

This is centos btw.

you will need to add the virtualmin repo to /etc/yum.repos.d so it can install the package.

No, the install.sh pulls in Webmin, but not vice-versa. The Webmin RPM is simply the Webmin package – install.sh installs and configures the entire Virtualmin stack (which happens to include the Webmin package).

It looks like you’re missing the Virtualmin yum repository from your config (which install.sh sets up for you :slight_smile:)

I don’t have a CentOS box with Virtualmin handy so I can’t offer an example, but you’d either need to setup that yum repository (in /etc/yum.repos.d), or manually download those packages from the Virtualmin repo.

You can download them for now, though ultimately you’d want to have the yum repo setup to ensure you get security updates.
-Eric

i got a centos box with GPL on it.
in that directory is a file called virtualmin.repo
that file contains this:

[virtualmin]
name=Red Hat Enterprise $releasever - $basearch - Virtualmin
baseurl=http://software.virtualmin.com/gpl/rhel/$releasever/$basearch/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
gpgcheck=1

[virtualmin-universal]
name=Virtualmin Distribution Neutral
baseurl=http://software.virtualmin.com/gpl/universal/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
gpgcheck=1
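A preflight check for the repo definition above, as an added example that is not part of the original post or of Virtualmin's tooling: it reports sections where `gpgcheck` is off, where the `file://` key named by `gpgkey` is not on disk (the situation behind the `GPG key retrieval failed` error later in the thread), or where `baseurl` is plain `http`. The function names and the optional root-prefix argument are assumptions made for the example, and the constructed sample leaves out the `name=` lines.

```shell
# Added example (not Virtualmin tooling). audit_repo FILE [ROOT] prints one "section: finding"
# line per problem; ROOT is a hypothetical prefix for file:// key paths, for scratch-dir runs.
audit_repo() {
    awk -v root="${2:-}" '
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); order[++n] = sec; next }
        { eq = index($0, "=") }
        sec != "" && eq > 0 { v[sec, trim(substr($0, 1, eq - 1))] = trim(substr($0, eq + 1)) }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (v[s, "enabled"] == "0") continue          # disabled repos are skipped
                if (v[s, "gpgcheck"] != "1")
                    print s ": gpgcheck is not 1, packages install unverified"
                key = v[s, "gpgkey"]
                if (key == "") print s ": no gpgkey configured"
                else if (key ~ /^file:\/\//) {
                    path = substr(key, 8); f = root path      # strip "file://"
                    if ((getline junk < f) < 0) print s ": key file missing: " path
                    close(f)
                }
                if (v[s, "baseurl"] ~ /^http:/)
                    print s ": baseurl is plain http, gpgcheck is the only integrity control"
            }
        }' "$1"
}

# Constructed sample: the two sections quoted in the post above, name= lines omitted.
sample_repo() {
    cat <<'EOF'
[virtualmin]
baseurl=http://software.virtualmin.com/gpl/rhel/$releasever/$basearch/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
gpgcheck=1
[virtualmin-universal]
baseurl=http://software.virtualmin.com/gpl/universal/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
gpgcheck=1
EOF
}

# Demo against an empty scratch root, i.e. before the key file has been installed.
scratch=$(mktemp -d); sample_repo > "$scratch/virtualmin.repo"
audit_repo "$scratch/virtualmin.repo" "$scratch"
rm -rf "$scratch"
```

On a live system, call it with the real file and no second argument, for example `audit_repo /etc/yum.repos.d/virtualmin.repo`.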

I am currently using webmin with virtualmin as a module. I did not know there was an install script at the time because it is not mentioned on webmin.com – perhaps this should be added? Because I would have used that for sure if I had known.

And because i’m running gpl version, can I still use your repos? What is it anyway, can’t find it?

If i use the install script now, will it keep my original settings or not?

thanks for all the help you guys are giving to someone who just uses the free version, don’t see that much! :slight_smile:

oh, ok, you’ve just added the file.

will this mean that all my software will now get updates from virtualmin? eg centos uses older (more stable) apache and php versions, but do you too?

Yeah, running the installer now would be bad :slight_smile:

But it’s no problem to use the GPL repo as Ronald posted above – they have a number of packages that’ll work just fine on your system.
-Eric

Just tried it, get this error when installing:

Dependencies Resolved

=============================================================================
Package Arch Version Repository Size

Installing:
mod_fcgid x86_64 2.2-1.el5.vm virtualmin 124 k

Transaction Summary

Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 124 k
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID a0bdbcf9

GPG key retrieval failed: [Errno 5] OSError: [Errno 2] No such file or directory: ‘/etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin’

oh yeah i notice now that’s because of your config file. Can you tell me the location of the gpg key so I can rpm --import it (assuming that is correct)

Never mind, found it, assuming this is it:

http://software.virtualmin.com/lib/RPM-GPG-KEY-virtualmin

just installed fcgid and that worked so now off to see how to configure it :slight_smile: I’ll be back in this thread i’m sure… :slight_smile:

thats the location
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin

the name of the file:
RPM-GPG-KEY-virtualmin

this is whats in it:
