Often times these scripts provide documentation geared towards basic LAMP (Linux, Apache, MySQL, PHP) setups with regular mod_php. The documentation suggests that certain directories and files should be set to world writable (i.e. 777 or 666.) Often times the PHP files that are part of this script are distributed with the executable permission of 755.

On a modern server running suPHP (common with cPanel servers) Apache does not use mod_php and scripts are not executed by the ‘apache’ or ‘nobody’ user. Instead suPHP will be used and the PHP process will run as the user that the file belongs to. For security purposes there are several considerations, which are true regardless of the script’s documentation:

• The files and directories should be owned to the proper user that they belong to. If the username is ‘robert’ the files should be owned and grouped to robert.
• The files and directories should NOT be owned to ‘root’, ‘nobody’ or ‘apache’.
• All directories should be set to permission level of 0755 and all files should be set to permission level of 0644.
• You should NOT have any world writable files or directories with permission levels such as 0777, 0666, 0770, 0660, etc…
• Your PHP script files (.php) should not be executable, such as 0755.

If you follow the above instructions. You won’t have any problems. Here is a sample of an incorrect setup:

root@server [~]# cd /home/robert/public_html/
root@server [/home/robert/public_html]# ll
total 196
drwxr-x---. 23 robert nobody   4096 Nov 12  2011 ./
drwx--x--x. 14 robert robert  4096 Mar 26  2012 ../
drwxrwxrwx.  2 robert robert  4096 Jan  6  2011 blocks/
drwxrwxrwx.  2 robert robert  4096 Jan  6  2011 config/
drwxrwxrwx.  2 robert robert  4096 Jan  6  2011 css/
-rw-rw-rw-.  1 robert robert    42 Jan  6  2011 index.php
drwxrwxrwx.  2 robert robert  4096 Jan  6  2011 js/
drwxrwxrwx.  2 robert robert  4096 Jan  6  2011 languages/
drwxrwxrwx.  2 robert robert  4096 Jan  6  2011 libraries/
drwxrwxrwx.  2 robert robert  4096 Jan  6  2011 models/
drwxrwxrwx. 13 robert robert  4096 Mar 26  2012 packages/
-rw-rw-rw-.  1 robert robert   347 Jan  6  2011 robots.txt
-rw-rw-rw-.  1 robert robert  2467 Mar  6  2012 sitemap.xml
drwxrwxrwx.  2 robert robert  4096 Jan  6  2011 themes/
root@server [/home/robert/public_html]#

As you can see the permissions are all wrong. The index.php is 666, the directories are all 777. What a mess, this won’t ever work on suPHP! At least they’re all owned to the proper user (‘robert’).

You could go through each directory and fix permissions, but we have a quicker way to do this via two bash one liners:

root@server [~]# cd /home/robert/public_html/
root@server [/home/robert/public_html]# find -type f | while read LINE; do chmod -v 644 $LINE; done
root@server [/home/robert/public_html]# find -type d | grep -v '^\.$' | while read LINE; do chmod -v 755 $LINE; done

This will change all the files inside the current directory structure (and sub-directories) to be mode 644. The second command will change each directory in the current directory (and sub-directories) to be mode 755. Make sure you’re in the proper directory, if you’re not you might change permissions on stuff you didn’t mean to, like the whole OS>

Many admins try using the myisamchk tool from shell in an attempt to repair the MYI files. This may or may not work. I generally don’t recommend it as a primary means to a repair, especially if you are going to continue running mysqld and attempting to use the crashed tables.

First you will want to identify weather or not tables are marked as crashed. This will be evident in the mysqld log file, typically in /var/lib/mysql, /var/log/, /var/log/mysql or possibly another location depending on your my.cnf. You should look for messages like:

130422 17:43:34 [ERROR] /usr/sbin/mysqld: Incorrect key file for table './socialforum/wp_posts.MYI'; try to repair it
130422 17:43:47 [ERROR] /usr/sbin/mysqld: Incorrect key file for table './socialforum/wp_options.MYI'; try to repair it

Alternatively you can also look at table status via the mysql CLI.

So now that we know we have indeed experienced corruption, we need to do something about it. If you have just one corrupt table you could fix it via the mysql CLI like so:

root@server [/var/lib/mysql]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1691
Server version: 5.0.96-community-log MySQL Community Edition (GPL)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> REPAIR TABLE socialforum.wp_posts;
+-------------------------+--------+----------+----------+
| Table                   | Op     | Msg_type | Msg_text |
+-------------------------+--------+----------+----------+
| socialforum.wp_posts    | repair | status   | OK       | 
+-------------------------+--------+----------+----------+
1 row in set (0.00 sec)

mysql> exit
Bye
root@server [/var/lib/mysql]#

That should repair the table and stop the errors. However, what if you have a TON of tables, let’s say hundreds across several databases? What do we do then? We can’t just sit around entering each repair command manually. No way!

What we will do instead is cycle through each MyISAM table across all database and repair those tables via a bash script.

First you will want to ‘cd’ into your mysql directory that has all the databases. Typically it’s /var/lib/mysql:

root@server [~]# cd /var/lib/mysql
root@server [/var/lib/mysql]#

Now let’s run this one-liner, note that it finds all the files, greps for MYI (indicating a MyISAM table) figures out the db name ($1) and table name ($2). I recommend first removing the while loop at the end and making sure that each statement makes sense before running it with the while loop:

find . | grep MYI | cut -d / -f 2,3 | cut -d . -f 1 | awk -F "/" '{print "REPAIR TABLE " $1 "." $2 ";"}' | while read LINE; do mysql -e "$LINE"; done

Note it may take a while to run especially with very large tables. However once finished you will be error free. Make sure you have enough disk space for the repair, if you had corruption due to running out of disk space you need to free space first before repairing.

First you will need the IPMI Configuration utility. I got a copy for windows (32-bit and 64-bit) here:

Download IPMICFG-Windows.exe

Unzip your download and place either the 32-bit, 64-bit, or both directories somewhere accessible to you from a command prompt. I’m using 64-bit so I just copied that directory. Boot up the Administrator command prompt and ‘cd’ into the appropriate directory.

Once there, here are the commands we’re going to run:

C:\Users\Administrator\Desktop\64bit>IPMICFG-Windows.exe -fd
Reset to the factory default completed.
C:\Users\Administrator\Desktop\64bit>IPMICFG-Windows.exe -dhcp off
Successfully disable DHCP.
C:\Users\Administrator\Desktop\64bit>IPMICFG-Windows.exe -m x.x.x.x
IP=x.x.x.x
C:\Users\Administrator\Desktop\64bit>IPMICFG-Windows.exe -k 255.255.255.xxx
Subnet Mask=255.255.255.x
C:\Users\Administrator\Desktop\64bit>IPMICFG-Windows.exe -g x.x.x.x
Gatway=x.x.x.x

Obviously you will need to specify the correct IP adress, subnet mask and gateway. The application will echo back the result to you. It’s important you turn DHCP off if you are going to use a static IP. Otherwise just leave DHCP on, and reset it to default with the first command and pass it the empty ‘m’ flag to see the current IP from DHCP.

Once your IPMI is online you should be able to login to it via the default username and password of ADMIN. Once logged in as the ‘ADMIN’ user, you will want to change your password, because ‘ADMIN’ is not a secure password. Do so from the configuration menu.

Without cPanel your choices for suPHP on CentOS are either using RPMForge or building it from source. I personally don’t like having the standard repos, plus EPEL, plus RPMForge, so I typically will keep EPEL and opt for installing the other stuff from source in an effort to keep updates from conflicting. So let’s do it from source.

I’m assuming you already have apache running, perhaps with mod_php. If not go ahead and install it from yum and configure it to your liking. Set? Let’s go!

First let’s grab a copy of the latest suPHP and unpack it: suPHP.org

cd /root/
wget http://www.suphp.org/download/suphp-0.7.1.tar.gz
tar xvzpf suphp-0.7.1.tar.gz

You will want to make sure you have all the compilers and developer tools needed to build stuff from source. We are assuming you have httpd installed and do NOT have php built from source, so we will make sure php is installed as well as httpd development tools:

yum groupinstall "Development Tools"
yum install php php-devel php-mysql apr-devel httpd-devel

Now let’s build this sucker and throw it into /opt/suphp:

cd /root/suphp-0.7.1
./configure '--prefix=/opt/suphp' '--sysconfdir=/opt/suphp/etc' '--with-apr=/usr/bin/apr-1-config' '--with-apxs=/usr/sbin/apxs' '--with-apache-user=apache' '--with-setid-mode=owner' '--with-php=/usr/bin/php-cgi' '--with-logfile=/var/log/httpd/suphp_log' '--enable-SUPHP_USE_USERGROUP=yes'
make
make install

If there were no errors through that entire process, you’re almost there. You will now find that mod_suphp.so has been installed in /usr/lib64/httpd/modules/mod_suphp.so (assuming you’re on x86_64.)

We must now modify the file /etc/httpd/conf.d/php.conf, clear it out and make it looks like so:

#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#

LoadModule suphp_module modules/mod_suphp.so

suPHP_Engine on
AddType application/x-httpd-suphp .php5 .php .php3 .php2 .phtml
<Directory />
    suPHP_AddHandler application/x-httpd-suphp
</Directory>


DirectoryIndex index.php

So for a final step let’s make a new directory and write a suphp.conf file:

mkdir /opt/suphp/etc
nano -w /opt/suphp/etc/suphp.conf

Setup the suphp.conf file as follows:

[global]
logfile=/var/log/httpd/suphp.log
loglevel=info
webserver_user=apache
docroot=/
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false
check_vhost_docroot=true
errors_to_browser=false
env_path=/bin:/usr/bin
umask=0077
min_uid=100
min_gid=100

[handlers]
application/x-httpd-suphp="php:/usr/bin/php-cgi"
x-suphp-cgi="execute:!self"

Now you can restart Apache with the changes you made:

service httpd restart

If there were no errors displayed, you did well.

If you wish to test within your vhost that suphp is indeed working, try setting up a php script with the following content, place it in the webroot (i.e. public_html) and own it to the proper user (ie. ‘mywebuser’):

<?php
	exec("touch /home/mywebuser/public_html/omg.txt");
	echo exec("ls -al /home/mywebuser/public_html/omg.txt");
?>

When you visit that page it should create a file called omg.txt and show you that it’s owned by the ‘mywebuser’. This means that PHP ran as the proper user. You can also debug and see which user stuff runs as via the /var/log/httpd/suphp.log

Have fun!

You will definitely win some friends with your awk skills, but probably not too many women .

I recently had to add a large volume of users to a database. Each user would need a username, password, and their full name entered into the database. I was only given their first and last name. There was no interface to use in order to register these users, hence why the project fell to me.

Like any good admin, I didn’t feel like writing queries and entering made up passwords by hand. AWK came to the rescue. Here is what I was given:

[root@secure ~]# cat /tmp/test
Napoleon Ravelo
Nella Faucher
Mira Penrose
Jeanmarie Hadfield
Earnest Chillemi
Gloria Grays
Nila Carvajal
Edie Higuchi
Alfredo Baskerville
Hildegarde Bent
Bryanna Faunce
Garnett Godsey
Christene Topping
Trenton Conti
Tereasa Noell
Lara Rudnick
Lonnie Ells
Renata Brogden
Latrisha Bara
Yuonne Granado
[root@secure~]#

I decided I would use awk’s variable functionality along with /dev/urandom and tr to generate unique passwords for each user, for security. Furthermore I used the awk tolower and substr functions to generate usernames. I wanted something like:

Latrisha Bra, ojSkl32Fjk213, lbra

But in a query format. I decided to go ahead and make my dirty awk script along with a bash while loop to generate some queries!

[root@secure~]# cat /tmp/test | while read LINE; do echo $LINE | awk -v pass=`cat /dev/urandom |tr -cd "[:alnum:]" | head -c ${1:-18}` '{print "INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('"'"'" $1 " " $2 "'"'"'" ",md5('"'"'" pass "'"'"')," "'"'"'" tolower(substr($1,0,1)) tolower($2)"'"'"'" ",4,0,1);"}'; done
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Napoleon Ravelo',md5('bxZwqeZRs13udaifeG'),'nravelo',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Nella Faucher',md5('dXFxcg57IhFvYhweQ8'),'nfaucher',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Mira Penrose',md5('bB1ZZIZILctCbJOl3w'),'mpenrose',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Jeanmarie Hadfield',md5('uo4jfydvHAx8nRKeIt'),'jhadfield',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Earnest Chillemi',md5('x5ePNOKHfbzefT0peS'),'echillemi',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Gloria Grays',md5('h0GNUNQKVx7N0OTRQZ'),'ggrays',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Nila Carvajal',md5('p8D0epKBtiw465boYR'),'ncarvajal',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Edie Higuchi',md5('oqMx0RAbvoW7uhQgGk'),'ehiguchi',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Alfredo Baskerville',md5('9yB6EANilg1MxPMoec'),'abaskerville',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Hildegarde Bent',md5('yqyjy7GTXcIXS1YKRM'),'hbent',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Bryanna Faunce',md5('tXNxf3uuY8I3wrgh6B'),'bfaunce',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Garnett Godsey',md5('HBqNV7b8bODo6HXGOb'),'ggodsey',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Christene Topping',md5('fD0TSAxFLRNkqcqTR5'),'ctopping',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Trenton Conti',md5('lcp1BaQQBmPlvvWpaM'),'tconti',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Tereasa Noell',md5('7NNSYf3lbh0ZLOFTQt'),'tnoell',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Lara Rudnick',md5('BXuuSHRmZXKpY4h2B7'),'lrudnick',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Lonnie Ells',md5('fsIG0n7MoagoHshV2H'),'lells',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Renata Brogden',md5('aFZGu0LzjjDurpxd10'),'rbrogden',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Latrisha Bara',md5('KQQvumZBdrWAqN0ZzP'),'lbara',4,0,1);
INSERT IGNORE personnel(fullname,password,username,company,admin,valid) VALUES('Yuonne Granado',md5('to6eCOFhJ6CS9Eav4K'),'ygranado',4,0,1);
[root@secure ~]# 

Here is the full dirty one-liner broken down into steps:

cat /tmp/test | while read LINE; # Start our loop
do echo $LINE | # Echo each line into a pipe
# Call awk and define a password variable
# the password variable uses /dev/urandom
# and tr to generate a password, we use
# head to get 18 characters only.
awk -v pass=`cat /dev/urandom |tr -cd "[:alnum:]" | head -c ${1:-18}`
# Now we start printing the query:
'{print "INSERT IGNORE personnel(fullname,password,username,company,admin,valid)
# Now we start adding the query variables:
VALUES('"'"'" $1 " " $2 "'"'"'" ",md5('"'"'" pass "'"'"')," "'"'"'" 
# We need to make the username variable now
# we use tolower and substr to make it the
# first letter of their first name and their
# last name:
tolower(substr($1,0,1)) tolower($2)"'"'"'" ",4,0,1);"}';
done # End the loop

And this is why we should all know awk. The sample list I used here was only 20 names, imagine if it were thousands or tens of thousands, there is no way it could have been done by hand, and the awk script was quicker to make than writing a perl or php script to do the same thing. It took just a few minutes .

Oct 13 06:32:01 secure crond[4558]: CRON (clients) ERROR: failed to open PAM security session: Protocol not supported
Oct 13 06:32:01 secure crond[4558]: CRON (clients) ERROR: cannot set security context

I’ve never seen the error before. I dug around in various PAM and related security configs, but didn’t see any issues. I then wanted to run the cron manually via the user, and tried to sudo down into the user’s account.

[root@secure~]# sudo su - clients
Too many logins for 'clients'.
could not open session
[root@secure~]#

There is the problem! Cron can’t run because two techs were logged into the ‘clients’ user account and it was being limited. In this case I decided to bump the limit to 5 users. Here is what I did:

[root@secure~]# nano -w /etc/security/limits.conf

Now I added the following line:

clients	hard	maxlogins	5

The crons were now running, problem solved.

Installing ZFS RAID-Z on CentOS 6.2 with SSD Caching

apple
orange
peach
pear
strawberry
grape
lemon
lime

What if you wanted to pick a random entry? The easiest solution is to use the ‘shuf’ tool, which is standard on CentOS as part of coreutils.

shuf -n 1 list.txt

The output would be a random line from our file!

Installing ZFS RAID-Z on CentOS 6.2 with SSD Caching

root # yum update
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

   No module named cElementTree

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
2.4.3 (#1, May  5 2011, 16:39:10) 
[GCC 4.1.2 20080704 (Red Hat 4.1.2-50)]

If you cannot solve this problem yourself, please go to 
the yum faq at:

http://wiki.linux.duke.edu/YumFaq

root #

The fix was actually pretty simple, you have an incorrect version of python-elementtree installed. You will need to get the proper version from the CentOS mirror (for your version of CentOS). Here is what I did for CentOS 5.7 on x86_64:

wget http://mirrors.usc.edu/pub/linux/distributions/centos/5.7/os/x86_64/CentOS/python-elementtree-1.2.6-5.x86_64.rpm
rpm -Uvh --oldpackage python-elementtree-1.2.6-5.x86_64.rpm

After that yum worked just fine! Note, if you’re still having trouble check /etc/redhat-release for your current version of CentOS and uname -a for your architecture type.