Post of site blogs "CloudLinux Inc." (www.cloudlinux.com)

Post of site blogs "CloudLinux Inc." (www.cloudlinux.com) Post of site blogs "CloudLinux Inc." (www.cloudlinux.com) http://www.cloudlinux.com en http://backend.userland.com/rss2 Thu, 17 May 2012 01:07:31 -0400 Igor Seletskiy: CageFS 3.2 Beta 7
Full list of changes in CageFS 3.2 Beta 7 (cagefs-3.2-21)

proxyexec/proxy.commands: added FormMail-clone.cgi, FormMail.cgi, FormMail.pl
cagefsctl: improved diagnostics of "nested" cagefs-skeleton directory
BUGFIX: proxyexec/cagefs.server.c: better ownership/permission handling
BUGFIX: cagefsctl: compare and copy all metadata (permissions, owner, group) during skeleton update
BUGFIX: RPM.spec (posttrans): copy (overwrite) proxyexec and bsock in cagefs-skeleton

cagefsctl: print warning for cPanel servers that have /usr/share/cagefs-skeleton symlinked to /home
cagefsctl: mount empty /usr/share/cagefs/.cagefs.empty directory over /opt/suphp/sbin
cagefsctl: --create-mp no longer adds /var/spool directory
cagefsctl: catch exceptions while calling os.kill in functions kill_cgroup_threads5, kill_cgroup_threads6
Added /etc/lynx.cfg, /etc/lynx-site.cfg to binutils.cfg
Added absolute paths for all the binaries in safebin wrappers
proxyexec: proxyexecd is now started in quiet mode
/var/cagefs is not created automatically by CageFS RPM install/update if it doesn't exist
plugins/create-htaccess.py: do not print "SecureLinks disabled. Exiting..." message when --silent option is specified

To update
# yum update cagefs --enablerepo=cloudlinux-updates-testing

To install
# yum install cagefs --enablerepo=cloudlinux-updates-testing

More...]]> http://www.cloudlinux.com/blog/clnews/cagefs-32-beta-6.php http://www.cloudlinux.com/blog/clnews/cagefs-32-beta-6.php Thu, 10 May 2012 11:25:56 -0400 Igor Seletskiy: Severe PHP vulnerability - CVE-2012-1823 Update [May 4, 2012 10:20am EST]: php 5.1 for CL5 released into beta repository

There is a severe PHP vulnerability that affects PHP execution via CGI:

"A flaw was found in the way the php-cgi executable processed command line
arguments when running in CGI mode. A remote attacker could send a
specially-crafted request to a PHP script that would result in the query string
being parsed by php-cgi as command line options and arguments. This could lead
to the disclosure of the script's source code or arbitrary code execution with
the privileges of the PHP interpreter."

This might also affect PHP running via suPHP and mod_fcgid.
RHEL is yet to update PHP package:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1823
We usually use security updates from upstream (RHEL), yet due to this delay, and the severity of the bug, we have released patched version of php5.3 for CL5 and CL6 with this bug fixed into our beta repository.

To deploy on CL5 (php53-5.3.3-5.el5.cloudlinux.1):
# yum update php53 --enablerepo=cloudlinux-updates-testing
To deploy on CL6 (php-5.3.3-3.el6_2.6.cloudlinux.1):
# yum update php --enablerepo=cloudlinux-updates-testing

To update PHP 5.1 on CL5 (php-5.1.6-32.el5.cloudlinux.1)
# yum update php --enablerepo=cloudlinux-updates-testing

Please, note that this packages are considered beta. We would appreciate feedback as soon as possible, so we can

This bug is especially important for Plesk installations, as it is common for Plesk to run PHP as CGI.
For people running PHP build from source (cPanel, DirectAdmin), or custom PHP packages (H-Sphere) -- you would need to wait for the vendor to fix the bug, and then deploy it.
More...]]> http://www.cloudlinux.com/blog/clnews/severe-php-vulnerability-cve20121823.php http://www.cloudlinux.com/blog/clnews/severe-php-vulnerability-cve20121823.php Fri, 04 May 2012 08:20:25 -0400 Igor Seletskiy: Meet us at WHD.india or WHD.asia
If you are yet to register, you can use following codes to register for free here: http://www.worldhostingdays.com/

WHD.asia: MG31VQU47
WHD.india: MG31VQT26
More...]]> http://www.cloudlinux.com/blog/clnews/meet-us-at-whdindia-or-whdasia.php http://www.cloudlinux.com/blog/clnews/meet-us-at-whdindia-or-whdasia.php Thu, 03 May 2012 10:52:04 -0400 Igor Seletskiy: New Beta Kernel for CloudLinux 5.x: 2.6.18-408.el5.lve0.8.61.1

Fix for kernel panic for systems with NFS
Fix for hung_task issue that affects some of the customers

To install:
# yum install kernel-2.6.18-408.el5.lve0.8.61.1 --enablerepo=cloudlinux-updates-testing

If you have PAE, xen or Enterprise kernel -- use corresponding prefix, like: kernel-PAE, kernel-xen, kernel-ent instead of kernel
More...]]> http://www.cloudlinux.com/blog/clnews/new-beta-kernel-for-cloudlinux-5x-2618408el5lve08611.php http://www.cloudlinux.com/blog/clnews/new-beta-kernel-for-cloudlinux-5x-2618408el5lve08611.php Thu, 03 May 2012 10:46:55 -0400 Igor Seletskiy: CageFS 3.2 Beta 5

Full list of changes in CageFS 3.2 Beta 5 (cagefs-3.2-13)
added imagemagick.cfg, php-extensions.cfg
cagefsctl: fix for symlinks handling in /usr/share/cagefs-skeleton
cagefsctl: make --update-list option verbose
jk_lib.py: better exception handling
securelve.spec: increased reqired cagefs_lve_version
plugins/*: fix for symlink for /usr/share/cagefs-skeleton (plugins for CPanel, Plesk, ISPManeger, DirectAdmin, Interworx)
jail.c: fix for symlink for /usr/share/cagefs-skeleton

No more securelve_sh shell.
- CageFS doesn't need any changes in /etc/passwd file, PAM module is used instead
- Any PAM enabled service is supported
  - Unpatched version of crond will be used
Multiple /etc/cagefs/conf.d/*.cfg files provide either to upgrade or change template configuration versus single securelve.cfg
cagefsctl --update will update all files and all users's etc directories. It will also remove unneeded files. No need to run securelve --init when template configuration changes are made.

When installing cagefs RPM, please remove securelve RPM first.
More...]]> http://www.cloudlinux.com/blog/clnews/shared-hosting-is-this-simple-eat-sleep-cagefs.php http://www.cloudlinux.com/blog/clnews/shared-hosting-is-this-simple-eat-sleep-cagefs.php Sat, 28 Apr 2012 17:43:26 -0400 Igor Seletskiy: PHP opcode caching and FCGID module in shared hosting When request comes in for PHP, mod_fcgid checks if there is idle php process available for that user. If there is none, it starts a new one (up to FCGIDMaxProcessesPerClass, default 100). The request is served, and php process becomes idle. Until next request comes in.

Lets now add opcode caching, like eAccelerator, APC or xCache. Opcode caching software saves opcode (php pre-compiled into "operation code" ) into shared memory. Next time it has to process same PHP file, PHP process would not compile php, using opcode from cache instead.That will significantly decreasing CPU usage, and improving performance.

PHP processes with opcode cache enabled use shared memory for opcode caching. Yet, PHP processes will be able to "share" that shared memory, only if they were all created (forked) from the same, original PHP process, that allocated that shared memory.

This is not the case with mod_fcgid, as each and every PHP process is started by mod_fcgid itself. As the result, they don't "share" shared memory. In this case. each PHP process has its own shared memory, amd no opcode is shared between processes.

So, if process A is responding for request for index.php, and process B is responding to request for index.php, each of them will store its own copy of opcode in its own cache.

Yet, on the second request for index.php to process A, that process can use cached opcode. Gven that single PHP process can process thousands of requests -- opcode caching is useful with mod_fcgid.

Yet, it basically means that each and every PHP process will maintain its own copy of opcode cache. And if you have 1000 php processes, with 256MB of shared memory set for opcode caching -- you are looking at ~256GB of RAM -- that might be in use (though probably most sites will not need to use all 256MB of RAM).

As the result -- it is not practical in shared hosting with mod_fcgid to allocate 256MB shared memory for opcache. Something like 8MB or 4MB would be much more practical.

Another thing to keep in mind is that shared memory size of opcode cache cannot be more then memory_limit in php.ini, as that value controls shared memory size as well.
More...]]> http://www.cloudlinux.com/blog/clnews/how-opcode-caching-works-with-modfcgid-in-shared-hosting.php http://www.cloudlinux.com/blog/clnews/how-opcode-caching-works-with-modfcgid-in-shared-hosting.php Wed, 25 Apr 2012 16:09:24 -0400 Igor Seletskiy: CageFS 3.2 Beta 4

Full list of changes in CageFS 3.2 Beta 3 (cagefs-3.2-12)

create-htaccess.py: create files only in specified paths
added config file securelinks.paths
removed *.htaccess config files
permissions 0700 and owner 'root' are used for /etc/cagefs and /var/cagefs directories
do not create .htaccess files in /var/cagefs directory
cagefsctl: added option --clean-var-cagefs
execute "cagefsctl --clean-var-cagefs" as cronjob
cagefsctl: remove /var/cagefs from skeleton if it exists
cagefsctl: update optimization (ignore MTIME and SIZE of symlinks, compare content)
cagefsctl --user-status=USERNAME returns true if cagefs is enabled for user
cagefsctl --cagefs-status returns true if cagefs is enabled
cagefsctl --update-list accepts list of files as input stream, one per line and updates those files in cagefs template

SecureLinks are disabled by default
Do not generate .htaccess files in /etc/skel, /root/cpanel3-skel, /usr/local/apache/htdocs
create-htaccess.py: added options --ignore-exlusions, --check-exclusions
added /usr/local/apache/htdocs to exclusions for SecureLinks
added /usr/bin/perl-bin to perl.cfg
added install_prekillaccnhook.sh
create-htaccess.py: do not fail while removing .htaccess when .htaccess file is empty
create-htaccess.py: read paths to home dirs of users from /var/cpanel/userdata