
Disable perl & cgi



Suurbier
06-15-2011, 04:51 AM
I can't figure out how to disable cgi and perl for DA.


#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.

ServerRoot "/etc/httpd"
Listen 80

#LoadModule dummy_module /usr/lib/apache/mod_dummy.so
Include /etc/httpd/conf/extra/httpd-phpmodules.conf

User apache
Group apache

ServerAdmin admin@localhost
DocumentRoot "/var/www/html"

<Directory /home/*>
AllowOverride All
Options -MultiViews -Indexes FollowSymlinks IncludesNoExec +Includes
<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS PROPFIND>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>

<Directory />
Options All
AllowOverride All
</Directory>

<Directory "/var/www/html">
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
<IfModule mod_suphp.c>
suPHP_Engine On
suPHP_UserGroup webapps webapps
SetEnv PHP_INI_SCAN_DIR
</IfModule>
</Directory>

<IfModule dir_module>
DirectoryIndex index.html index.htm index.shtml index.php index.php5 index.php4 index.php3 index.phtml index.cgi
</IfModule>

<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

ErrorLog /var/log/httpd/error_log
LogLevel warn

<IfModule log_config_module>
#replace %b with %O for more accurate logging
<IfModule mod_logio.c>
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%O %I" bytes

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>

CustomLog /var/log/httpd/access_log common
</IfModule>

<IfModule alias_module>
# Include some DirectAdmin alias
Include conf/extra/httpd-alias.conf
</IfModule>

<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>

DefaultType text/plain

<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-gzip .tgz
AddEncoding x-compress .Z
AddEncoding x-gzip .gz .tgz
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddHandler cgi-script .cgi
AddHandler type-map var
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
AddType video/x-ms-asf .avi
AddType video/mpeg .mpg
AddType video/mpeg .mpeg
AddType video/quicktime .mov
AddType video/x-ms-wmv .wmv
</IfModule>

#EnableMMAP off
#EnableSendfile off

#######################################################################################
# Do not change anything in included files, because they are rewritten by DirectAdmin #
#######################################################################################

# This is needed for PHP
Include conf/extra/httpd-php-handlers.conf

# Server-pool management (MPM specific)
Include conf/extra/httpd-mpm.conf

# Multi-language error messages
Include conf/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
Include conf/extra/httpd-autoindex.conf

# Language settings
Include conf/extra/httpd-languages.conf

# User home directories
#Include conf/extra/httpd-userdir.conf

# Real-time info on requests and configuration
Include conf/extra/httpd-info.conf

# Virtual hosts
Include conf/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
Include conf/extra/httpd-dav.conf

# Various default settings
Include conf/extra/httpd-default.conf

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

# Deflate module settings
Include conf/extra/httpd-deflate.conf

# All the DirectAdmin vhosts
Include conf/extra/directadmin-vhosts.conf

# All suPHP directives
Include conf/extra/httpd-suphp.conf

# For user configurations not maintained by DirectAdmin. Empty by default.
Include conf/extra/httpd-includes.conf

#######################################################################################
# End of included files that are rewritten by DirectAdmin #
#######################################################################################

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>


How do I disable perl & cgi?

scsi
06-15-2011, 06:06 AM
chmod 750 /usr/bin/perl
chmod 750 /usr/local/bin/perl

Remove the LoadModule lines in /etc/httpd/conf/httpd.conf

SeLLeRoNe
06-15-2011, 06:18 AM
I would like to ask something about changing the perl permissions.

I changed them today to 754 (and in the past to 750), but this breaks the majordomo mailing list.

Have you ever had problems using majordomo with those permissions?

Regards

Suurbier
06-15-2011, 09:10 AM
Is the chmod trick proven? I am a little bit afraid it would kill other applications like exim? etc.

What line do I need to remove?

<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-gzip .tgz
AddEncoding x-compress .Z
AddEncoding x-gzip .gz .tgz
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddHandler cgi-script .cgi
The last line?

How do I disable mod_perl and mod_cgi?

scsi
06-15-2011, 10:01 AM
It looks like mod_cgi is compiled into the httpd binary itself, so you would have to recompile Apache with the added line --disable-cgi in configure.apache



cd /usr/local/directadmin/custombuild
./build update
./build clean
mkdir -p custom/ap2
cp -rfp configure/ap2/configure.apache custom/ap2
perl -pi -e 's/\"--enable-so\" \\/\"--enable-so\" \\\n\t\"--disable-cgi\" \\/' custom/ap2/configure.apache
./build apache n
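
Added example (not part of any post in this thread): a shell/awk scan that lists the directives in an httpd.conf that keep CGI execution reachable, run on a constructed excerpt of the configuration posted above. The function names `audit_cgi` and `sample_conf` and the choice of checks are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report directives that keep CGI execution reachable.
# Output format: line-number:category:directive

audit_cgi() {
    awk '
    /^[ \t]*#/ { next }                     # ignore commented-out lines
    {
        d = $0
        sub(/^[ \t]+/, "", d)               # directive without indentation
        lc = tolower(d)                     # directive names are case-insensitive
    }
    lc ~ /^loadmodule[ \t]+(cgi|cgid|perl)_module/ { print NR ":module:" d; next }
    lc ~ /^(add|set)handler[ \t]+cgi-script/       { print NR ":handler:" d; next }
    lc ~ /^scriptalias(match)?[ \t]/               { print NR ":scriptalias:" d; next }
    # Options All includes ExecCGI; "-ExecCGI" is deliberately not matched
    lc ~ /^options[ \t]/ && lc ~ /[ \t]([+]?execcgi|all)([ \t]|$)/ { print NR ":options:" d; next }
    # .htaccess can turn CGI back on: Options needs the Options override,
    # AddHandler/SetHandler need FileInfo, and All grants both
    lc ~ /^allowoverride[ \t]/ && lc ~ /[ \t](all|options|fileinfo)/ { print NR ":override:" d }
    ' "$1"
}

# Constructed excerpt of the httpd.conf posted in the thread.
sample_conf() {
    cat <<'EOF'
<Directory /home/*>
AllowOverride All
Options -MultiViews -Indexes FollowSymlinks IncludesNoExec +Includes
</Directory>
<Directory />
Options All
AllowOverride All
</Directory>
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
</Directory>
#LoadModule dummy_module /usr/lib/apache/mod_dummy.so
AddHandler cgi-script .cgi
EOF
}

# Scan the excerpt; "-" makes awk read standard input.
sample_conf | audit_cgi -
```

On a real server, call `audit_cgi /etc/httpd/conf/httpd.conf` and repeat it for every file pulled in by an `Include` line, since those are not followed here.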

nobaloney
06-15-2011, 01:27 PM
I would like to ask something about changing the perl permissions.

I changed them today to 754 (and in the past to 750), but this breaks the majordomo mailing list.

Have you ever had problems using majordomo with those permissions?
It won't run if it needs to run as a user. Majordomo uses perl.

Jeff

scsi
06-16-2011, 05:42 AM
Yeah, you would probably have to make a secure access group, set that group as the group of the perl binary, and then put every user you wish to be able to use perl in that group.

SeLLeRoNe
06-16-2011, 06:02 AM
You mean the directadmin access group? If yes, doesn't every user get automatically inserted into that group?

If you mean a different group, then OK :) let's call it majouser :D

Regards

scsi
06-17-2011, 06:38 AM
No, I mean a separate group... putting every user in the group would defeat the purpose of trying to lock it down.

Something like:



groupadd perlgroup
chgrp perlgroup /usr/bin/perl


For all the users you want to be able to access perl:


useradd -G perlgroup <username>

SeLLeRoNe
06-17-2011, 06:43 AM
Oh OK, so I had understood well ^^

Thanks a lot for the command-line examples.

Regards

SeLLeRoNe
06-17-2011, 06:55 AM
Just a notice.

useradd is for non-existing users.

This would be better:


/usr/sbin/usermod -a -G perlgroup <username>

Regards

SeLLeRoNe
06-17-2011, 07:00 AM
It doesn't seem to work


pipe to |/etc/virtual/majordomo/wrapper resend -C /etc/virtual/domain.eu/majordomo/majordomo.cf -l comitati -h domain.eu -f owner-comitati comitati-out@domain.eu
generated by comitati@domain.eu

I'm going to try changing the wrapper owner, so..
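
Added example (not part of any post in this thread): the group-restricted perl setup discussed above, with a check of whether a given account still passes the execute-permission test once the binary is mode 750. `perlgroup` and the perl paths come from the thread; the function names are hypothetical, and root's permission bypass is not modelled.

```shell
#!/bin/sh
# Added example. "perlgroup" and the perl paths come from the thread; the
# function names are hypothetical.

# restrict_exec FILE GROUP: owner and GROUP members may run FILE, others not.
restrict_exec() {
    chgrp "$2" "$1" && chmod 750 "$1"
}

# class_can_exec MODE FILE_UID FILE_GID UID "GIDS": apply the kernel's
# owner -> group -> other order to an ls-style mode string. Only the first
# matching class is consulted. Root's bypass is not modelled.
class_can_exec() {
    mode=$1 fuid=$2 fgid=$3 uid=$4 gids=$5
    if [ "$uid" = "$fuid" ]; then
        case $mode in ???[xs]*) return 0 ;; esac
        return 1
    fi
    for g in $gids; do
        if [ "$g" = "$fgid" ]; then
            case $mode in ??????[xs]*) return 0 ;; esac
            return 1
        fi
    done
    case $mode in ?????????[xt]*) return 0 ;; esac
    return 1
}

# user_can_exec USER FILE: look up the real ids and mode, then decide.
user_can_exec() {
    u=$1
    set -- $(ls -ldnL "$2")            # $1 = mode, $3 = uid, $4 = gid
    class_can_exec "$1" "$3" "$4" "$(id -u "$u")" "$(id -G "$u")"
}

# Root-only procedure from the thread, followed by a check of an account
# that must still reach perl:
#   getent group perlgroup >/dev/null || groupadd perlgroup
#   for p in /usr/bin/perl /usr/local/bin/perl; do
#       [ -e "$p" ] && restrict_exec "$p" perlgroup
#   done
#   usermod -a -G perlgroup <username>
#   user_can_exec <username> /usr/bin/perl || echo "<username> cannot run perl"

# Demo on constructed values: file owned by 0:500, caller uid 1001, gid 1001.
class_can_exec "-rwxr-x---" 0 500 1001 "1001" ||
    echo "uid 1001 is outside gid 500: denied"
```

Processes that were already running keep their old group list, so a service started before the `usermod` call has to be restarted before the new membership applies to it.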