Version 1.36.1
Released: 2010-09-08
new
backup/restore apache owned filescreate a list of apache owned files, and reset them as such after a backup is restored. Excessive checks for symbolic and hard links, and other trickery.
This will be enabled by default, set to 1 internally.
To disable it, set:
backup_apache_files_list=0
in the directadmin.conf, and restart DA.
This setting also applies to the restores, both backup and restores will work with the apache owned files if this is enabled (set to 1).
The file in the backups will be stored in the path:
backup/apache_owned_files.list
The format is relative below the /home/user/domains directory, so if:
/home/user/domains/domain.com/public_html/file.php
is chowned to apache before the backup, the path in the apache_owned_files.list will look like:
domain.com/public_html/file.php
one entry per line.
Although I went to great lengths to optimize this code as much as it can be optimized, all files and directories below the domains are checked during the backup.
This will slow down the process.
For restores, each line of the apache_owned files is checked for about 6 different things, ranging from file ownership, links in the path, hard links at the file, symbolic links, path syntax, etc..
These checks will also slow things down, but are required to maintain security.
If you're not worried about security and mainly use apache owned files.. you can disable this option in the directadmin.conf file.
Note that both the backup system and restore system need to be 1.36.1 or newer for this to work.
The apache_owned_files.list is a config file, one entry per line, with the values U, UG or G after the file.
This specifies if the ownership should be apache:user, apache:apache or user:apache when restored.
If you notice any files that are not being chowned to apache as you were expecting, run the dataskq in debug mode level 100.
Level 100 is where the errors for these checks are set at.
./dataskq d100
new
translate internal ftp texttranslate internal ftp.txt
new
Ability to skip mysql in User backupsGlobal directadmin.conf option to skip mysql in User Backups. Would apply to all Backup Levels. (except 'System Backup' which is a different system)
To enable this skip, add:
skip_databases_in_backups=1
to your directadmin.conf file, and restart DirectAdmin.
The internal default value is set to 0, which includes the databases in the backup.
new
Bandwidth only tally: action=bandwidthtally&value=allCustom task.queue command for only computing bandwidth and count totals.
Same idea as action=quotatally, except for bandwidth.
command:
echo "action=bandwidthtally&value=all" >> /usr/local/directadmin/data/task.queue
You can also run action=bandwidthtally&value=user&type=username for a per-user bandwidth-only tally.
new
Allow SNI for shared IP SSL certificateshttps://forum.directadmin.com/showthread.php?p=184073
Default:
enable_ssl_sni=0
but if you want to allow ssl certificates to be added to shared IPs, set:
enable_ssl_sni=1
Enabling sni will simply disable the check for owned IPs when adding certificates.
DirectAdmin does not make any special changes to allow SNI to work.
Also, if a User account has more than 1 IP in his user_ip.list file, the check for the main domain for SSL will be disabled. This is because he could have 2 IPs for ssl, both valid (either owned IPs or with sni enabled) thus there isn't much point in enforcing the main domain to be the only domain for ssl under a User account.
Related apache document:
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
Reported:
CentOS 5 and Debian 5 come with versions of OpenSSL that do not support SNI.
Updating to a newer OS, like CentOS 6 would likely be required.
As of May 2015, we're guessing about 95% of client browsers support SNI.
However, this means that 5% of people who connect will get SSL errors.
The 5% would be browsers that are very old, like IE with windows XP.
Openssl version 0.9.8j should have the SNI compile flag enabled by default, but it's not guaranteed that it's actually enabled for your given libraries.
new
Option to skip ftp uploads if backup creation failsBy default, DA will upload a tar.gz file, even if some portion of the tar.gz was not created correctly. For example, if mysql was down and the sql file didn't get correctly dumped, by default, the tar.gz will still be uploaded to the backup server.
This option allows the admin to not upload tar.gz backups if they don't want incomplete data.
The default options is 0
To skip the ftp upload, set:
skip_ftp_on_backup_fail=1
in your directadmin.conf, and restart DA.
IMPORTANT
this only works for incremental ftp uploads (which 99% of people should be using anyway, as incremental ftp uploads are enabled by default)
incremental_ftp=1
** If you are not using incremental ftp uploads (incremental_ftp=0), this setting will not have any effect.
The reason is that with the group ftp upload, where the upload is done at the end, after creating all tar.gz files, DA only knows if there was an error.. but not for which User. Thus this option will not have any effect (I decided not to make it prevent all backups from being uploaded, if one tar.gz creation failed)
new
Give warning about deleting Users when removing Resellers and AdminsWhen deleting an Admin or Reseller, any User accounts created by those accounts will be removed. This change simply provides a warning to the administrator telling them how many User accounts that will be deleted as a result of their action.
Text (the number changes depending on how many Users will be removed):
*** WARNING ***
You are deleting Admin or Reseller accounts that have 1 Users under their control.
If you proceed, these User accounts, which are not listed here, will also be removed.
This will be displayed on the confirmation screen before deleting the accounts.
If there are 0 hidden Users to be deleted, then no warning will be shown. (Eg: if the Reseller controls no Users below him)
new
Extra option for mysqldump callsIf you need to insert extra command line bits to the mysqldump call, you can now add this value to your directadmin.conf file:
extra_mysqldump_options=--what-you-want
The default is set to null internally, so you must add the above line to use it.
The option is appended to the tail end of the mysqldump command, but before the name of the database.
eg:
extra_mysqldump_options=--skip-add-locks --skip-lock-tables
extra_mysqldump_options=--routines
June 12, 2014:
Report of mixing MyISAM and InnoDB tables can cause confusing lock issues:
http://stackoverflow.com/questions/9315032/application-hangs-on-16gb-innodb-mysqldump-using-single-transaction-quick
Try and stick with one table type in your database to avoid confusion.
new
Added 'top' output to load checkerRelated to:
This addition will dump out the 30 first lines from "top" if the load checker message is triggered.
The new token in the load_check_message.txt template is called |TOP|
This should aid in determining what process was causing the high load.
fixed
awstats doesn't compute last day of monthhttps://forum.directadmin.com/showthread.php?p=158044&posted=1#post158044
if day=1, take date for day-1.
-month and -year must be passed.
Changes in the awstats_process.sh:
BD='-builddate=%YY%MM'
DAY=`date +%e`
if [ "$DAY" -eq 1 ]; then
YYMM=`date --date='yesterday' +%y%m`
BD="-builddate=$YYMM"
fi
#-lang=en
/usr/bin/perl ${AWSTATS}/tools/awstats_buildstaticpages.pl -config=${DOMAIN} -configdir=${DATA_DIR} -update -diricons=icon -awstatsprog=${AWSTATS}/cgi-bin/awstats.pl -dir=${STATS_DIR} $BD
RET=$?
if [ "$DAY" -eq 1 ]; then
MAIN_FILE=awstats.${DOMAIN}.\`date --date='yesterday' +%y%m\`.html
else
MAIN_FILE=awstats.${DOMAIN}.\`date +%y%m\`.html
fi
fixed
security with ~/.shadowimproved checking when working on ~/.shadow
Bug Report Courtesy of webhostsecurity.com
fixed
Create non-jailed command for awstats viewing in DAAs of 1.36.0, the awstats icon directory has been linked to:
icon -> /usr/local/awstats/wwwroot/icon
This will save 2 meg of space, per domain.
When viewing your stats through apache, you'll see everything normally.
When viewing through DA, because it's jailed, the icons will not show up.
This fix is to add a custom command for awstats:
CMD_AWSTATS
such that it can view the icons outside of the jail (likely simply won't jail it, but will have very specific path checks to ensure it's safe)
Note the jail is only skipped if the icons directory is in the path, the icons directory is a directory link, and that link points to:
/usr/local/awstats/wwwroot/icon
If any of the above is not true, the chroot will not be skipped.
A workaround would be to remove the link in:
/usr/local/directadmin/scripts/awstats_process.sh
find:
if [ ! -h $ICON ]; then
rm -rf $ICON
ln -sf ${AWSTATS}/wwwroot/icon $ICON
fi
Replace it with:
if \[ -h $ICON \]; then
rm -f $ICON
cp -Rp ${AWSTATS}/wwwroot/icon ${STATS_DIR}
fi
where you'd remove the ! character before the -h, remove the r from -rf, and remove the ln line.
fixed
move check of /usr/local/bin/php into install.shThe php binary check is currently at the end of the setup.sh. If the install fails (the setup.sh calls install.sh), the reason the install failed will be displayed in the output of the install.sh, but the tail end of the setup.sh will still be run, thus the check for php is done anyway, which is pointless if the install.sh abort happened before the php binary compile was even attempted.
The fix (to avoid confusion) is to add the php check to the end of the install.sh, such that if the install.sh aborts for a particular reason, the last message seen will be the actual error, and not the redundant php check.
fixed
replace chown with lchownWe usually don't want to follow links when setting ownership on a file, so we've swapped chown with lchown.
As well, for all configfile and listfile class writes (almost all data files), an fchmod is run after the fopen is called to create the temp file. This is to set the temp file to 600, instead of letting the system decide what it should be. After the temp file is filled, it's renamed to the original and chmod to whatever it's set to be normally.
fixed
Check directory for links before installing FrontpageFor anyone who still uses Frontpage, it's been end-of-life for about half a decade. We don't recommend it's use for production systems.
For those who still need to use it, we've added more checks to try and make it more secure by traversing the public_html directory looking for links (hard or symbolic) before running the frontpage installer. stats and awstats links are ignored.
fixed
ipswap.sh didn\'t swap new multi-ip filesUpdate ipswap.sh to swap the user_ip.list and domains/domain.com.ip_list files.
The new User loop in the ipswap.sh looks like this:
ULDDU=/usr/local/directadmin/data/users
for i in \`ls $ULDDU/users\`; do
{
if \[ ! -d $ULDDU/$i \]; then
continue;
fi
swapfile $ULDDU/$i/user.conf
swapfile $ULDDU/$i/httpd.conf
if \[ -e $ULDDU/$i/ip.list \]; then
swapfile $ULDDU/$i/ip.list
fi
swapfile $ULDDU/$i/user_ip.list
for j in \`ls $ULDDU/$i/domains/*.conf; ls $ULDDU/$i/domains/*.ftp; ls $ULDDU/$i/domains/*.ip_list\`; do
{
swapfile $j
};
done;
};
done;
fixed
Fixed path to gunzip on for mysql restoresPreviously, the gz files were extracted with /usr/bin/gunzip.
On non-FreeBSD systems, the path should be /bin/gunzip.
This was resolved in the code with some #ifdef calls to check the OS, and setting some #define calls for the true gunzip path.
Also a check for this file is done first to ensure it's actually there, or it will throw an error.
fixed
Mysql Backup for mysql 4.0 systemsRelated to this previous fix:
myslqdump: use --create-options instead of soon to be depreciated --all
It introduced issues for old mysql 4.0 systems.
This new fix checks the mysqld version.
If it's mysql 4.0, then --all will be used.
If it's anything else, then --create-options will be used in the mysqldumps.
fixed
ftp users not removed when moving between shared and owned IPsIf you're changing the IP of a User from an owned to shared, or vice versa, the ftp accounts will be left in the previous ftp password file. This fix removes them from the previous file. If moving from owned to shared, the ftp.passwd is simply emptied since an account which isn't on an owned IP won't have any accounts.
fixed
Update html for hardcoded data in filemanager to use correct syntax (SKINS)This change won't change much for most people. It mainly only applies to people who have script parsers on the hardcoded data in the skins.
Old:
<img ... >
<input ... >
value=text
class=list
etc..
New:
<img ... />
<input ... />
value="text" or value='text'
class='list'
etc..
The changes were made mainly only for the filemanager (because it is chrooted and cannot be parsed/modified), however some of the changes made there are in global classes, so for example, all dynamic tables in DA will also be updated with these syntax changes.
fixed
Ensure random passwords are generated with upper and lower case characters (SKINS)A previous fix ensured there are numbers in the random passwords.
This change to the javascript.html will ensure that in addition to numbers, random passwords also have upper and lower case digits, something the difficult_password_enforcement option requires.
SKINS:
javascript.html:
function has_lower_case(pass)
{
var num_count = 0;
for (i=0; i<pass.length; i++)
{
ch=pass.charAt(i);
if ('a' <= ch && ch <= 'z')
{
num_count++;
}
}
return num_count;
}
function has_upper_case(pass)
{
var num_count = 0;
for (i=0; i<pass.length; i++)
{
ch=pass.charAt(i);
if ('A' <= ch && ch <= 'Z')
{
num_count++;
}
}
return num_count;
}
and in the random_pass() function:
if (!has_number(pass) || !has_lower_case(pass) || !has_upper_case(pass))
fixed
database_user_create_post.sh wasn\'t being calledRelated: custom scripts for databases
The database_create_post.sh script was in place of the database_user_create_post.sh script. Corrected it so database_user_create_post.sh is called for user creation, and database_create_post.sh is called for database creation.