Version 1.36.1

Released: 2010-09-08

backup/restore apache owned files new

Create a list of apache owned files, and reset them as such after a backup is restored. Includes excessive checks for symbolic and hard links, and other trickery.

This will be enabled by default, set to 1 internally.

To disable it, set:

backup_apache_files_list=0

in the directadmin.conf, and restart DA.

This setting also applies to the restores, both backup and restores will work with the apache owned files if this is enabled (set to 1).

The file in the backups will be stored in the path:

backup/apache_owned_files.list

The format is relative below the /home/user/domains directory, so if:

/home/user/domains/domain.com/public_html/file.php

is chowned to apache before the backup, the path in the apache_owned_files.list will look like:

domain.com/public_html/file.php

one entry per line.

Although I went to great lengths to optimize this code as much as it can be optimized, all files and directories below the domains are checked during the backup.

This will slow down the process.

For restores, each line of the apache_owned_files.list is checked for about 6 different things, ranging from file ownership, links in the path, hard links at the file, symbolic links, path syntax, etc.

These checks will also slow things down, but are required to maintain security.

If you're not worried about security and mainly use apache owned files, you can disable this option in the directadmin.conf file.

Note that both the backup system and restore system need to be 1.36.1 or newer for this to work.

The apache_owned_files.list is a config file, one entry per line, with the values U, UG or G after the file.

This specifies if the ownership should be apache:user, apache:apache or user:apache when restored.
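The restore-side checks listed above can be sketched as follows. This is an added example, not DirectAdmin's code: the `path=CODE` separator, the function names and the exact rejection rules are assumptions, and it only builds a restore plan instead of changing ownership.

```python
import os
import stat

# Codes from the page: value -> (owner, group) the entry gets on restore.
OWNERSHIP = {"U": ("apache", "user"), "UG": ("apache", "apache"), "G": ("user", "apache")}

def parse_line(line):
    """Split 'relative/path=CODE' (separator is an assumption) into (path, code)."""
    rel, sep, code = line.strip().rpartition("=")
    if not sep or not rel or code not in OWNERSHIP:
        raise ValueError("malformed entry: %r" % line)
    return rel, code

def check_entry(domains_dir, rel, user_uid):
    """Return None if rel may be re-owned, else the reason it is rejected."""
    parts = rel.split("/")
    # Path syntax: relative only, no empty, '.' or '..' components, no NUL.
    if rel.startswith("/") or "\0" in rel or any(p in ("", ".", "..") for p in parts):
        return "bad path syntax"
    current = domains_dir
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)  # lstat never follows a link
        except OSError:
            return "missing"
        last = i == len(parts) - 1
        if stat.S_ISLNK(st.st_mode):
            return "symbolic link" if last else "link in path"
        if not last and not stat.S_ISDIR(st.st_mode):
            return "non-directory in path"
    if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
        return "not a file or directory"
    if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
        return "hard link"  # a second name may live outside the user's tree
    if st.st_uid != user_uid:
        return "not owned by the restoring user"
    return None

def restore_plan(domains_dir, lines, user_uid):
    """Map each list line to its (owner, group) pair or to a rejection reason."""
    plan = {}
    for line in lines:
        rel, code = parse_line(line)
        reason = check_entry(domains_dir, rel, user_uid)
        plan[rel] = reason if reason else OWNERSHIP[code]
    return plan
```

A real restore would call os.lchown on each accepted entry. Because these checks are path-based, a gap remains between the check and the ownership change unless the restore works through directory file descriptors or runs while the user cannot modify the tree.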

If you notice any files that are not being chowned to apache as you were expecting, run the dataskq in debug mode level 100.

Level 100 is where the errors for these checks are set at.

./dataskq d100

translate internal ftp text new

translate internal ftp.txt

Ability to skip mysql in User backups new

Global directadmin.conf option to skip mysql in User Backups. Would apply to all Backup Levels. (except 'System Backup' which is a different system)

To enable this skip, add:

skip_databases_in_backups=1

to your directadmin.conf file, and restart DirectAdmin.

The internal default value is set to 0, which includes the databases in the backup.

Bandwidth only tally: action=bandwidthtally&value=all new

Custom task.queue command for only computing bandwidth and count totals.

Same idea as action=quotatally, except for bandwidth.

command:

echo "action=bandwidthtally&value=all" >> /usr/local/directadmin/data/task.queue

You can also run action=bandwidthtally&value=user&type=username for a per-user bandwidth-only tally.

Allow SNI for shared IP SSL certificates new

https://forum.directadmin.com/posts/184073

Default:

enable_ssl_sni=0

but if you want to allow ssl certificates to be added to shared IPs, set:

enable_ssl_sni=1

Enabling sni will simply disable the check for owned IPs when adding certificates.

DirectAdmin does not make any special changes to allow SNI to work.

Also, if a User account has more than 1 IP in his user_ip.list file, the check for the main domain for SSL will be disabled. This is because he could have 2 IPs for ssl, both valid (either owned IPs or with sni enabled) thus there isn't much point in enforcing the main domain to be the only domain for ssl under a User account.

Related apache document:

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Reported:

CentOS 5 and Debian 5 come with versions of OpenSSL that do not support SNI.

Updating to a newer OS, like CentOS 6 would likely be required.

As of May 2015, we're guessing about 95% of client browsers support SNI.

However, this means that 5% of people who connect will get SSL errors.

The 5% would be browsers that are very old, like IE with windows XP.

OpenSSL version 0.9.8j should have the SNI compile flag enabled by default, but it's not guaranteed that it's actually enabled for your given libraries.

Option to skip ftp uploads if backup creation fails new

By default, DA will upload a tar.gz file, even if some portion of the tar.gz was not created correctly. For example, if mysql was down and the sql file didn't get correctly dumped, by default, the tar.gz will still be uploaded to the backup server.

This option allows the admin to not upload tar.gz backups if they don't want incomplete data.

The default option is 0.

To skip the ftp upload, set:

skip_ftp_on_backup_fail=1

in your directadmin.conf, and restart DA.

IMPORTANT

This only works for incremental ftp uploads (which 99% of people should be using anyway, as incremental ftp uploads are enabled by default).

incremental_ftp=1

** If you are not using incremental ftp uploads (incremental_ftp=0), this setting will not have any effect.

The reason is that with the group ftp upload, where the upload is done at the end, after creating all tar.gz files, DA only knows if there was an error, but not for which User. Thus this option will not have any effect (I decided not to make it prevent all backups from being uploaded, if one tar.gz creation failed).

Give warning about deleting Users when removing Resellers and Admins new

When deleting an Admin or Reseller, any User accounts created by those accounts will be removed. This change simply provides a warning to the administrator telling them how many User accounts will be deleted as a result of their action.

Text (the number changes depending on how many Users will be removed):

*** WARNING ***

You are deleting Admin or Reseller accounts that have 1 Users under their control.

If you proceed, these User accounts, which are not listed here, will also be removed.

This will be displayed on the confirmation screen before deleting the accounts.

If there are 0 hidden Users to be deleted, then no warning will be shown. (Eg: if the Reseller controls no Users below him)

Extra option for mysqldump calls new

If you need to insert extra command line bits to the mysqldump call, you can now add this value to your directadmin.conf file:

extra_mysqldump_options=--what-you-want

The default is set to null internally, so you must add the above line to use it.

The option is appended to the tail end of the mysqldump command, but before the name of the database.

eg:

extra_mysqldump_options=--skip-add-locks --skip-lock-tables
extra_mysqldump_options=--routines

June 12, 2014:

Report of mixing MyISAM and InnoDB tables can cause confusing lock issues:

http://stackoverflow.com/questions/9315032/application-hangs-on-16gb-innodb-mysqldump-using-single-transaction-quick

Try and stick with one table type in your database to avoid confusion.

Added 'top' output to load checker new

Related to:

System Load checker

This addition will dump out the 30 first lines from "top" if the load checker message is triggered.

The new token in the load_check_message.txt template is called |TOP|

This should aid in determining what process was causing the high load.

awstats doesn't compute last day of month fixed

https://forum.directadmin.com/posts/158044

if day=1, take date for day-1.

-month and -year must be passed.

Changes in the awstats_process.sh:

BD='-builddate=%YY%MM'

DAY=`date +%e`
if [ "$DAY" -eq 1 ]; then
        YYMM=`date --date='yesterday' +%y%m`
        BD="-builddate=$YYMM"
fi

#-lang=en
/usr/bin/perl ${AWSTATS}/tools/awstats_buildstaticpages.pl -config=${DOMAIN} -configdir=${DATA_DIR} -update -diricons=icon -awstatsprog=${AWSTATS}/cgi-bin/awstats.pl -dir=${STATS_DIR} $BD

RET=$?

if [ "$DAY" -eq 1 ]; then
        MAIN_FILE=awstats.${DOMAIN}.`date --date='yesterday' +%y%m`.html
else
        MAIN_FILE=awstats.${DOMAIN}.`date +%y%m`.html
fi

security with ~/.shadow fixed

improved checking when working on ~/.shadow

Bug Report Courtesy of webhostsecurity.com

Create non-jailed command for awstats viewing in DA fixed

As of 1.36.0, the awstats icon directory has been linked to:

icon -> /usr/local/awstats/wwwroot/icon

This will save 2 meg of space, per domain.

When viewing your stats through apache, you'll see everything normally.

When viewing through DA, because it's jailed, the icons will not show up.

This fix is to add a custom command for awstats:

CMD_AWSTATS

such that it can view the icons outside of the jail (likely simply won't jail it, but will have very specific path checks to ensure it's safe)

Note the jail is only skipped if the icons directory is in the path, the icons directory is a directory link, and that link points to:

/usr/local/awstats/wwwroot/icon

If any of the above is not true, the chroot will not be skipped.

A workaround would be to remove the link in:

/usr/local/directadmin/scripts/awstats_process.sh

find:

if [ ! -h $ICON ]; then
        rm -rf $ICON
        ln -sf ${AWSTATS}/wwwroot/icon $ICON
fi

Replace it with:

if [ -h $ICON ]; then
        rm -f $ICON
        cp -Rp ${AWSTATS}/wwwroot/icon ${STATS_DIR}
fi

where you'd remove the ! character before the -h, remove the r from -rf, and remove the ln line.

move check of /usr/local/bin/php into install.sh fixed

The php binary check is currently at the end of the setup.sh. If the install fails (the setup.sh calls install.sh), the reason the install failed will be displayed in the output of the install.sh, but the tail end of the setup.sh will still be run, thus the check for php is done anyway, which is pointless if the install.sh abort happened before the php binary compile was even attempted.

The fix (to avoid confusion) is to add the php check to the end of the install.sh, such that if the install.sh aborts for a particular reason, the last message seen will be the actual error, and not the redundant php check.

replace chown with lchown fixed

We usually don't want to follow links when setting ownership on a file, so we've swapped chown with lchown.

As well, for all configfile and listfile class writes (almost all data files), an fchmod is run after the fopen is called to create the temp file. This is to set the temp file to 600, instead of letting the system decide what it should be. After the temp file is filled, it's renamed to the original and chmod to whatever it's set to be normally.
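The temp-file write described above, as an added example rather than DirectAdmin's code: the `.tmp` suffix, the function name and the refusal of a pre-existing temp path are assumptions made for illustration.

```python
import os
import stat


def write_data_file(path, data, final_mode=0o644):
    """Replace path with data via a private temp file; return the temp file's mode."""
    tmp = path + ".tmp"  # hypothetical temp-file naming
    # O_EXCL makes the create fail if anything, including a planted symlink,
    # already sits at the temp path, so the write cannot be redirected.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as handle:
            # Set 0600 on the open descriptor so the mode never depends on
            # the umask and the data is private while it is being written.
            os.fchmod(handle.fileno(), 0o600)
            tmp_mode = stat.S_IMODE(os.fstat(handle.fileno()).st_mode)
            handle.write(data)
            handle.flush()
            os.fsync(handle.fileno())
        # rename() within one filesystem is atomic: readers see the old
        # file or the new one, never a partial write.
        os.rename(tmp, path)
    except BaseException:
        os.unlink(tmp)  # only reached for a temp file this call created
        raise
    # Restore the mode the data file normally carries.
    os.chmod(path, final_mode)
    return tmp_mode
```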

For anyone who still uses Frontpage, it's been end-of-life for about half a decade. We don't recommend its use for production systems.

For those who still need to use it, we've added more checks to try and make it more secure by traversing the public_html directory looking for links (hard or symbolic) before running the frontpage installer. stats and awstats links are ignored.

ipswap.sh didn't swap new multi-ip files fixed

Update ipswap.sh to swap the user_ip.list and domains/domain.com.ip_list files.

The new User loop in the ipswap.sh looks like this:

ULDDU=/usr/local/directadmin/data/users

for i in `ls $ULDDU/users`; do
{

        if [ ! -d $ULDDU/$i ]; then
                continue;
        fi

        swapfile $ULDDU/$i/user.conf
        swapfile $ULDDU/$i/httpd.conf

        if [ -e $ULDDU/$i/ip.list ]; then
                swapfile $ULDDU/$i/ip.list
        fi

        swapfile $ULDDU/$i/user_ip.list

        for j in `ls $ULDDU/$i/domains/*.conf; ls $ULDDU/$i/domains/*.ftp; ls $ULDDU/$i/domains/*.ip_list`; do
        {
                swapfile $j
        };
        done;
};
done;

Fixed path to gunzip for mysql restores fixed

Previously, the gz files were extracted with /usr/bin/gunzip.

On non-FreeBSD systems, the path should be /bin/gunzip.

This was resolved in the code with some #ifdef calls to check the OS, and setting some #define calls for the true gunzip path.

Also a check for this file is done first to ensure it's actually there, or it will throw an error.

Mysql Backup for mysql 4.0 systems fixed

Related to this previous fix:

myslqdump: use --create-options instead of soon to be depreciated --all

It introduced issues for old mysql 4.0 systems.

This new fix checks the mysqld version.

If it's mysql 4.0, then --all will be used.

If it's anything else, then --create-options will be used in the mysqldumps.

ftp users not removed when moving between shared and owned IPs fixed

If you're changing the IP of a User from an owned to shared, or vice versa, the ftp accounts will be left in the previous ftp password file. This fix removes them from the previous file. If moving from owned to shared, the ftp.passwd is simply emptied since an account which isn't on an owned IP won't have any accounts.

Update html for hardcoded data in filemanager to use correct syntax (SKINS) fixed

This change won't change much for most people. It mainly only applies to people who have script parsers on the hardcoded data in the skins.

Old:

<img ... >
<input ... >
value=text
class=list
etc..

New:

<img ... />
<input ... />
value="text" or value='text'
class='list'
etc..

The changes were made mainly only for the filemanager (because it is chrooted and cannot be parsed/modified), however some of the changes made there are in global classes, so for example, all dynamic tables in DA will also be updated with these syntax changes.

Ensure random passwords are generated with upper and lower case characters (SKINS) fixed

A previous fix ensured there are numbers in the random passwords.

This change to the javascript.html will ensure that in addition to numbers, random passwords also have upper and lower case characters, something the difficult_password_enforcement option requires.

SKINS:

javascript.html:

function has_lower_case(pass)
{
        var num_count = 0;

        for (i=0; i<pass.length; i++)
        {
                ch=pass.charAt(i);
                if ('a' <= ch && ch <= 'z')
                {
                        num_count++;
                }
        }

        return num_count;
}

function has_upper_case(pass)
{
        var num_count = 0;

        for (i=0; i<pass.length; i++)
        {
                ch=pass.charAt(i);
                if ('A' <= ch && ch <= 'Z')
                {
                        num_count++;
                }
        }

        return num_count;
}

and in the random_pass() function:

if (!has_number(pass) || !has_lower_case(pass) || !has_upper_case(pass))

database_user_create_post.sh wasn't being called fixed

Related: custom scripts for databases

The database_create_post.sh script was in place of the database_user_create_post.sh script. Corrected it so database_user_create_post.sh is called for user creation, and database_create_post.sh is called for database creation.
