Apache upgraded to 2.4 and more..

Today I upgraded our Apache (what’s used to make your web pages be seen on the internet) version to the 2.4 series (was the 2.2 series before). With this upgrade should come performance improvements, so you should see your web pages load a bit faster now. For an in-depth look at what’s new, take a look at: http://httpd.apache.org/docs/current/new_features_2_4.html

An important note for all users who are running an RoR application: Apache 2.4 adds the index file name from the DirectoryIndex directive to the URI, so if Rails is in production mode this shows up as a 404 error. That stops cPanel’s/Apache’s redirect/rewrite from working, so your application does not show up. To fix this, add the following to the “.htaccess” file in your “/public_html” folder:

DirectoryIndex disabled

Other minor news is that PHP was also updated to the latest 5.4 minor version, which is not that exciting. The next major update should be updating PHP to version 5.5 but it was made available to cPanel only a few days ago so I’m going to give it some time to mature and fix any bugs that come up.

PHP update: 5.3.2 to 5.3.3

Just a notice to all users that the server’s PHP version has been updated from version 5.3.2 to version 5.3.3.

Changes include:

Security Enhancements and Fixes in PHP 5.3.3:

  • Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs (CVE-2010-2531).
  • Fixed a possible resource destruction issue in shm_put_var().
  • Fixed a possible information leak because of interruption of XOR operator.
  • Fixed a possible memory corruption because of unexpected call-time pass by reference and following memory clobbering through callbacks.
  • Fixed a possible memory corruption in ArrayObject::uasort().
  • Fixed a possible memory corruption in parse_str().
  • Fixed a possible memory corruption in pack().
  • Fixed a possible memory corruption in substr_replace().
  • Fixed a possible memory corruption in addcslashes().
  • Fixed a possible stack exhaustion inside fnmatch().
  • Fixed a possible dechunking filter buffer overflow.
  • Fixed a possible arbitrary memory access inside sqlite extension.
  • Fixed string format validation inside phar extension.
  • Fixed handling of session variable serialization on certain prefix characters.
  • Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288).
  • Fixed SplObjectStorage unserialization problems (CVE-2010-2225).
  • Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user.
  • Fixed possible buffer overflows when handling error packets in mysqlnd.

Key enhancements in PHP 5.3.3 include:

  • Upgraded bundled sqlite to version 3.6.23.1.
  • Upgraded bundled PCRE to version 8.02.
  • Added FastCGI Process Manager (FPM) SAPI.
  • Added stream filter support to mcrypt extension.
  • Added full_special_chars filter to ext/filter.
  • Fixed a possible crash because of recursive GC invocation.
  • Fixed bug #52238 (Crash when an Exception occurred in iterator_to_array).
  • Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function).
  • Fixed bug #52060 (Memory leak when passing a closure to method_exists()).
  • Fixed bug #52001 (Memory allocation problems after using variable variables).
  • Fixed bug #51723 (Content-length header is limited to 32bit integer with Apache2 on Windows).
  • Fixed bug #48930 (__COMPILER_HALT_OFFSET__ incorrect in PHP >= 5.3).

For a full list of changes in PHP 5.3.3, see the ChangeLog.

How to use PECL with /tmp mounted with “noexec”

The situation here is that you run a server and when trying to install a PHP module via PECL you receive the “checking whether the C compiler works… configure: error: cannot run C compiled programs.” error followed by the build failing.

The problem is that PECL is trying to write and run the files it’s trying to build in your /tmp directory, but your /tmp directory is mounted with “noexec”, so the files cannot be executed. What you will see will look something like this:

Note: I’m building APC on a cPanel CentOS server.

$ pecl install apc
downloading APC-3.0.19.tgz ...
Starting to download APC-3.0.19.tgz (115,735 bytes)
.........done: 115,735 bytes
47 source files, building
running: phpize
Configuring for:
PHP Api Version:         20090626
Zend Module Api No:      20090626
Zend Extension Api No:   220090626
Use apxs to set compile flags (if using APC with Apache)? [yes] : yes
building in /var/tmp/pear-build-root/APC-3.0.19
running: /root/tmp/pear/APC/configure --with-apxs
checking for egrep... grep -E
checking for a sed that does not truncate output... /bin/sed
checking for cc... cc
checking for C compiler default output file name... a.out
checking whether the C compiler works... configure: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details.
ERROR: `/root/tmp/pear/APC/configure --with-apxs' failed

One solution out there is to unmount then remount /tmp without ‘noexec’ when trying to build via PECL, but this method opens up a security hole in the server for the time you have it mounted without ‘noexec’. The next method is to build the module yourself using the typical “phpize”, “./configure” then “make install”. This method is better than the first, but it is just a workaround for the problem: it leaves you unable to use PECL and still makes you do much more work than you have to with PECL.

My solution to this seems to be the simplest and easiest one of the bunch. All you have to do is create a symlink from where PECL wants to save and run the files to somewhere where it can run them, in this case /root/tmp, with the following command:

$ mkdir /root/tmp/pear-build-root && ln -s /root/tmp/pear-build-root /tmp/

After running that command (as root or another superuser), retry installing your module via PECL and it should now work without issue.
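
A more defensive way to run the symlink step above, as an added example that is not part of the original post: it confirms that /tmp really is mounted noexec and refuses to create the link if something already exists at the link path, since /tmp is world-writable. The function names and the --apply switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are parameters so the
# functions can be tried on scratch directories before touching /tmp.

# has_noexec MOUNTPOINT [MOUNTS_FILE]
# Succeeds if MOUNTPOINT is listed with the noexec option in a file that
# uses the /proc/mounts layout (device, mount point, type, options, ...).
has_noexec() {
    awk -v mp="$1" '
        $2 == mp { opts = $4 }     # the last entry for the mount point wins
        END {
            if (("," opts ",") ~ /,noexec,/) exit 0
            exit 1
        }
    ' "${2:-/proc/mounts}"
}

# link_build_root TARGET LINK
# Creates TARGET with mode 0700 and points LINK at it. Refuses to continue
# if LINK already exists in any form: in a world-writable directory an
# existing entry may have been created by another user, and "ln -s" would
# then place the link inside it instead of at LINK.
link_build_root() {
    target=$1
    link=$2
    if [ -e "$link" ] || [ -L "$link" ]; then
        echo "refusing: $link already exists, inspect it first" >&2
        return 1
    fi
    mkdir -p "$target" || return 1
    chmod 700 "$target" || return 1
    ln -s "$target" "$link"
}

# Only acts when called with --apply; the paths are the ones from the post.
if [ "${1:-}" = "--apply" ]; then
    has_noexec /tmp || { echo "/tmp is not mounted noexec" >&2; exit 0; }
    link_build_root /root/tmp/pear-build-root /tmp/pear-build-root
fi
```

Run it as root with `--apply`; without arguments it only defines the functions.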

Automatically install DomainKeys on new accounts in cPanel

DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity. cPanel supports this but the feature is disabled by default on new accounts. If you want to make it easy on your users and enable this automatically you just need to add a few lines to your postwwwacct file.

The following code runs the domain_keys_installer script at the end of a new account creation, thus enabling DomainKeys for all new accounts.

Create (if not already there) /scripts/postwwwacct, then copy and paste the following code into the file:

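#!/usr/bin/php
<?php
// Collect the alternating key/value arguments passed to the hook.
$opts = array();
$argv0 = array_shift($argv); // drop the script name

while (count($argv)) {
 $key = array_shift($argv);
 $value = array_shift($argv);
 $opts[$key] = $value;
}

// Only run the installer when a username was passed, and escape it so the
// shell cannot interpret any part of it.
if (!empty($opts['user'])) {
 shell_exec("/usr/local/cpanel/bin/domain_keys_installer " . escapeshellarg($opts['user']));
}
?>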

DomainKeys will now be installed on all new accounts you create.

Automatically exclude backing up new accounts in cPanel

cPanel is set up so that if automatic backups are enabled in WHM, every new account is added to the backup list. If you’re picky about which accounts you want to be backed up and don’t want to manually exclude the accounts upon creation, you can use this method.

The following code writes the username of the account currently being created to the system’s /etc/cpbackup-userskip.conf file, so that it is excluded from backups.

Create (if not already there) /scripts/postwwwacct, then copy and paste the following code into the file:

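#!/usr/bin/php
<?php
// Collect the alternating key/value arguments passed to the hook.
$opts = array();
$argv0 = array_shift($argv); // drop the script name

while (count($argv)) {
 $key = array_shift($argv);
 $value = array_shift($argv);
 $opts[$key] = $value;
}

// Append the new username to the backup skip list, one name per line.
if (!empty($opts['user'])) {
 $fp = fopen('/etc/cpbackup-userskip.conf', 'a');
 if ($fp !== false) {
  fwrite($fp, $opts['user'] . chr(10));
  fclose($fp);
 }
}
?>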

All new accounts will now be excluded from the backup list!