Allen Brooker (AllenJB) » Gentoo

Beware of warnings about default Apache2 config for PHP

AllenJB — Tue, 31 Aug 2010 06:50:24 +0000

Planet PHP recently popped up a post by Ilia with a warning about the configuration of PHP using AddHandler instead of AddType.

Now I’m all for people publshing warnings about security issues, but they really should at least read the official documentation to check their information first.

In this case, to summarise the documentation:

AddHandler is used for server-side content handling – it associates a handler with the specified content
AddType is used for determining the Content-Type in relation to the client request (ie. the default Content-Type identified to the browser)
BOTH obey multiple extensions, but a response can only have one Content-Type while a file can be handled by multiple Handlers.

This means that while, when using AddType, “test.php.gif” no longer works, “test.php.something” will (assuming .something doesn’t have an associated Type), because .php is the last extension encountered which has an associated Type. So the so called “fix” doesn’t really fix the problem at all.

Additionally, when using AddType, instead of the default Content-Type being text/html, it becomes “application/x-httpd-php”, which is technically incorrect and may result in your website not being viewable in browsers or by search engine bots.

If you really want to make it so that only files ending with .php are handled by PHP, then you should use SetHandler instead of AddHandler. In fact, this is what the current official PHP documentation recommends.

Portage 2.2 and License Management

AllenJB — Wed, 18 Nov 2009 00:12:36 +0000

Portage 2.2 has recently introduced a new feature that allows users to select what licenses they want to allow on their install. The interface still needs some work (for example, Portage needs to explain when it has “ignored” packages due to license during updates) so that users don’t, for example, get confused as to why their system suddenly wants icedtea instead of sun-jdk. Other than these fairly minor issues, it seems to be working well so far.

There’s an article on Gentoo Wiki that explains this new feature from a users point of view and how to tailor it to your individual tastes.

Logwatch with Metalog

AllenJB — Mon, 09 Nov 2009 14:36:56 +0000

Just a heads up to say that I’ve finally discovered why logwatch doesn’t work with metalog-1 any more – some bright spark changed the default log format. On the up side, it’s configurable, so the configuration to change it back has been added to the guide I wrote on Gentoo Wiki

Attack of the 5 year old DST / run-crons bug!

AllenJB — Tue, 27 Oct 2009 23:42:39 +0000

So I noticed that when we switched off the abomination that is daylight savings this weekend just gone, my systems which run on “GB” time rather than “UTC” executed their cron scripts twice. This despite the fact that, at a glance, they should execute at (or shortly after) 03:01, which should be safe.

Turns out this isn’t quite the case. There’s a 5 year old bug in Gentoo’s Bugzilla about this known issue and it appears to be down to the way run-crons manages its lock / last run files. I’m already running a run-crons patched for recursive directory scanning on some of my systems, so it wasn’t that big a step to basically do away with Gentoo’s supplied script altogether.

Now I’m running “run-crons-in” – a much simplified script that simply relies on the cron daemon itself for timing (which is how it should be, in my opinion). Here’s my script:

#!/bin/bash
# 2009-10-27 Complete rewrite of run-crons
# This version is designed to be called using @hourly @daily @weekly or @monthly
# With, for example: run-crons-in daily
#
# This version assumes:
# - We don't care if a previous script is still running
# - The cron daemon handles all timing in a sensible manner
# - Therefore no locking is necessary

AJB_DEBUG=0
AJB_TIMES=1
AJB_PTIMES=1
AJB_TIMEFORMAT='%Y-%m-%d %T'
BASE=$1

AJB_STARTTIME="`date +\"${AJB_TIMEFORMAT}\"`"
[ $AJB_TIMES -eq 1 ] && echo "Start time: ${AJB_STARTTIME}"

run_recursive() {
        CRONDIR="$1"
        [ $AJB_DEBUG -eq 1 ] && echo "Executing cron scripts in directory: $CRONDIR"
        for SCRIPT in $CRONDIR/* ; do
                if [[ -x $SCRIPT && ! -d $SCRIPT ]]; then
                        [ $AJB_DEBUG -eq 1 ] && echo "Executing cron script: $SCRIPT"
                        AJB_PSTARTTIME="`date +\"${AJB_TIMEFORMAT}\"`"
                        [ $AJB_PTIMES -eq 1 ] && echo "Script start time: ${AJB_PSTARTTIME}"
                        $SCRIPT
                        AJB_PSTOPTIME="`date +\"${AJB_TIMEFORMAT}\"`"
                        [ $AJB_PTIMES -eq 1 ] && echo "Script stop time: ${AJB_PSTOPTIME}"
                fi

                if [[ -d $SCRIPT ]]; then
                        run_recursive $SCRIPT
                fi
        done
}

CRONDIR="/etc/cron.${BASE}"

test -d "$CRONDIR" || echo "Directory does not exist or is not a directory: ${CRONDIR}"
set +e
test -d "$CRONDIR" && run_recursive "$CRONDIR"

AJB_STOPTIME="`date +\"${AJB_TIMEFORMAT}\"`"
[ $AJB_TIMES -eq 1 ] && echo "End time: ${AJB_STOPTIME}"

As you can see, it’s fairly basic – altho I’ve added some extra output for timing and debugging, simply because I felt like it. I’m currently testing this long term to ensure it works as expected, but hopefully I’ll adopt this for all my systems within a couple of months.

The full /etc/crontab entries are now:

@hourly   root    /usr/local/sbin/run-crons-in hourly
@daily    root    /usr/local/sbin/run-crons-in daily
@weekly   root    /usr/local/sbin/run-crons-in weekly
@monthly  root    /usr/local/sbin/run-crons-in monthly

(Yes, I realize that, at least by the man page, those are all going to run at midnight, but daily is the only set of scripts that ever does anything really stressful on the system I’m currently testing on, and it’s a quad core, and I really don’t care otherwise I wouldn’t be testing cron daemons on it)

I’m also taking the opportunity to use cronie in place of vixie-cron. There’s little documentation for this project, but as far as I can see it’s a drop-in replacement for / fork of vixie-cron from redhat that’s actively maintained.

I did take a quick look at the other cron daemons in the portage tree, but cronie appears to be the only one that’s actively maintained.

Gentoo Wiki: New Guide: Logwatch with Metalog

AllenJB — Fri, 09 Oct 2009 11:46:35 +0000

I finally got around to configuring logwatch to work with metalog, and wrote up the process as a guide. You can find it over on Gentoo Wiki.

Gentoo & Trac: Post-commit magic

AllenJB — Fri, 28 Aug 2009 11:15:21 +0000

When using trac under Gentoo, the location of the pre-commit and post-commit scripts changes every version. In addition, I have multiple repositories. Together this makes for annoying maintainance every time I create a new repo or upgrade trac. The solution? Shell scripting magic:
# Repo path is in format: /home/allenjb/allenjb.me.uk/svn/ # Trac env path is in format: /home/allenjb/allenjb.me.uk/trac/ # PROJECT contains the name PROJECT=`echo ${REPOS} | cut -d "/" -f 6` TRAC_ENV="/home/allenjb/allenjb.me.uk/trac/${PROJECT}" # TRAC_VER contains the trac version TRAC_VER=`trac-admin --help | head -n 1 | sed -e 's/^$[^0-9]*$$.*$/\2/'`

/usr/bin/python /usr/share/doc/trac-${TRAC_VER}/contrib/trac-post-commit-hook -p "$TRAC_ENV" -r "$REV"