Version 1.40.2

Released: 2012-02-03

IPv6 reverse IP lookups and dns_ns.conf new

IPv6 IPs can now be used when creating a reverse IP lookup.

Also, the dns_ns.conf will be used to determine the NS records (both IPv4 and IPv6 types).

The ns1/ns2 fields will be passed to the template normally with the NS1 and NS2 tokens, like when creating a domain.

This allows for the use of a 3rd+ nameserver, or different nameserver values using the token scripting

http://help.directadmin.com/item.php?id=196

virtual_host template changes for custombuild 2.0 new

With custombuild 2.0, it will support 5.3 and higher.

php has disabled safemode in those versions, so the templates have been changed from:

|*if CLI="1"|
                <IfModule !mod_php6.c>
                         php_admin_flag safe_mode |SAFE_MODE|
                </IfModule>
                php_admin_flag engine |PHP|
                php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f |USER|@|DOMAIN|'
|*endif|

to be:

|*if HAVE_SAFE_MODE="1"|
                php_admin_flag safe_mode |SAFE_MODE|
|*endif|
|*if CLI="1"|
                php_admin_flag engine |PHP|
                php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f |USER|@|DOMAIN|'
|*endif|

where HAVE_SAFE_MODE is based on the contents of:

/usr/local/directadmin/custombuild/options.conf.

The default value of HAVE_SAFE_MODE is set to the same CLI token in the virtual_host configs.

If the custombuild/options.conf exists, and it's custombuild>=2.0 and (php1_release>=5.3 or php2_release>=5.3), then HAVE_SAFE_MODE will be set to 0.

If there is no CLI php, then HAVE_SAFE_MODE will always be 0.


In preparation for mod_ruid2, this will replace the SuexecUserGroup line.

        <IfModule !mod_ruid2.c>
                SuexecUserGroup admin admin
        </IfModule>
        <IfModule mod_ruid2.c>
                RMode config
                RUidGid admin admin
                RGroups apache access
        </IfModule>

automatically use lower case characters for username new

With the implementation of this new feature:

Force lower case usernames when creating Users

which just blocks upper case names, if the API is not being used for User creation (using a browser), then if upper case characters are in the username, DA will automatically change the username to use lower case characters.

If the API is being used, then an error is generated, as it did before (unless allow_upper_case_username=1). The API should have the ability to do that check on it's own, and we don't want to change the value that a program thinks it's getting, if no errors are generated (in case the script assumes what is passed is what it can use).

Note that will not be done if the upper case override is enabled:

override to allow upper case usernames

allow_upper_case_username=1

Global option where suspended domains still allow emails to arrive new

With the introduction of this per-email suspension:

Ability to suspend one email account

we'll introduce a domain suspension option (directadmin.conf) where you can specify to keep the domain's email active, but just suspend the email passwords, preventing pop/imap/smtp auth.

This prevents anyone from logging in to download messages, but will allow messages to continue to arrive (assuming there is space on disk)

The method for the domain based suspension may either use the comment part of the passwd file with the word "suspended" if the account is actually suspended, or will just use a different character than ! if it's already suspended (per-email suspension). The need is because if an email account is already suspended, then we suspend the domain, when un-suspending the domain, we'll need to make sure that any account that was previously suspended stays that way.

*** IMPORTANT ***

if you turn this feature on, make sure that no accounts or domains are currently suspended, or they'll be stuck in limbo using the other suspension method (may just add a check to make sure)

To enable this feature, set:

allow_incoming_email_on_suspend=1

in your directadmin.conf.

The internal default is set to 0.

*** IMPORTANT for Backup/Restores ***

If the backup box has this option enabled, ensure that this option is also enabled on the box being restored to.

Else, suspended email accounts won't be unsuspended on the new box when the User account is unsuspended.

More details for "Unable to get Lock on file" new

If a lock cannot be obtained, the function will now get info on the folder that it's working in (ownership and permissions), as well as what the process is running as, and report that to the admin.

Ability to manually specify an IP for block_ip.sh new

Previously, only IPs which are in the list can be blocked.

This would add an optional extra field (if block_ip.sh is available) where an IP can be entered.

To use the method, if there are no IPs checked in the top list, then you can add an IP or IPv6 IP (use full format, not condensed) to the skip_value field (Optional IP/Range/Domain) and click "Block IPs". As long as no IPs are selected via checkbox, and the IP in the Optional IP/Range/Domain field is valid, then that IP will be blocked.

mysql_options to use MYSQL_OPT_RECONNECT new

DA previously had the following code:

#ifdef MYSQL_OPT_RECONNECT
my_bool recon=true;
mysql_options(&con, MYSQL_OPT_RECONNECT, &recon);
#else
#warning "MYSQL_OPT_RECONNECT is not available"
#endif

However, it was noticed that no matter which OS was used, MYSQL_OPT_RECONNECT was never actually defined (which is odd).

I've changed the code to be:

#ifndef NO_MYSQL_OPT_RECONNECT
//added the reconnect on July 31, 2008
my_bool recon=true;
mysql_options(&con, MYSQL_OPT_RECONNECT, &recon);
#else
#warning "MYSQL_OPT_RECONNECT is not available"
#endif

and set the NO_MYSQL_OPT_RECONNECT flag manually for any OS which doesn't support the option.


What this option will do, is re-connect to mysql if the connection was dropped.

This is useful during restores when the connection may be dropped mid-way through the restore (if a large DB is being restored).

Login key to login with a different, more restricted password (SKINS) new

/CMD_LOGIN_KEYS

No link will be provided to Users quite yet, as this is a powerful tool, and testing needs to be done first.

You can access it by manually typing the above URL.

Users can create keys to allow login to their control panel.

These keys will act like extra password that are valid on their account.

However, the key can be set to only be allowed to run certain commands (similar to commands.allow and commands.deny)

The keys can also have an expiry date.

They can also be set to have a limited number of executions (eg: 1, 2+, or unlimited)

Also added an IP list, so only the specific IPs or Ranges listed are allowed to use that key.

The main purpose of this feature is for remote API calls to the account, so that they can much more easily restrict it's use, without giving full access, and without giving the main password.

It's important to note, that if you restrict the commands using the allow or deny list, basic login functionality using sessions becomes confusing.

For example, if you only all CMD_FILE_MANAGER, this does not include "/", so you must access /CMD_FILE_MANAGER right from the point of login (where you use the login form).

The path "/" can't be added.

HTM files are also not part of the allowed list (but I may add an exception if the demand is there)

Upon key creation, a system message will be delivered to that User, to ensure they know it's been created (in case, for whatever reason, someone managed to create it without them knowing)

Their current true password is required for key creation and modification.

The api version: CMD_API_LOGIN_KEYS is fully implemented (see the below for forms for details)

The "Key Name" values are only for your own tracking benefits. They're not used in any fields when logging in.

You use your normal DA username, along with the key for the password.

Entire feature can be turned on/off with the directadmin.conf option:

login_keys=1

where 1 is the internal default (enabled by default)

Note that suspending a User will also suspend the login keys (adds the ! character in front of the crypt)

CMD_API_LOGIN_KEYS

CREATING A KEY

method: POST
keyname=nameofthekey     #this just for your own reference, and not the login username, The normal User's username is still used at login time. a-zA-Z0-9
key=secret                 #the new secret password. Usually something long, say 128 chars.
key2=secret               #re-poost key
never_expires=yes|no            #yes=key lasts forever.  If set to no, then ensure you set the expiry values.
expiry_timestamp=1568749148     #timestamp as to when it will expire, only used if never_expires=no.  Note, you can alternatively pass the hour,minute,month,day,year values as per html form.
max_uses=0         #if set to >0 then this is the counter for the number of calls this key is allowed to make.
clear_key=no        #if set to yes, once max_uses is hit, or exipry is hit, the key is automatically deleted.
allow_html=no      #if set to yes, the key can be used to acecss HTM_ CSS, and image files, etc.. basically things needed for browser/GUI acess, like a session login.  Script based CMD_API calls don't need this.
passwd=currentpass    #password of the current account.  If using the login-as method, then it's the password used for the login-as (eg: admin's password)

OPTIONAL VALUES when creating a key

select_allow0=CMD_...
select_allow1=CMD_...
select_deny0=CMD_...
select_deny1=CMD_...
...
etc..

These select_* values are optional. Select the commands you wish to allow or deny for this key.

ANY values in the command.allow imply all other unlisted commands are denied.

The ALL_ADMIN, ALL_RESELLER, ALL_USER commands can be used instead of listing all of those commands.

These ALL_* values are useful in the even new commands are added into DA, they'll automatically be listed, and also allow you to allow/exclude things in creative ways.

Anything in the allow list will override the deny list, if that combination is needed.

For most cases, just listing the commands you want to allow or deny are what most people go with.

It's often a good idea to disble CMD_LOGIN_KEYS and CMD_API_LOGIN_KEYS in a given key, to avoid the creation or removal of other keys.

RESTRICT new key to certain IPs

You can (and should when possible) restrict a key to the IP that will be connecting to DA.

This prevent anyone else from using the key in the event the key value (password) is stolen/lost.

The format is one IP per line (newline character between)

ips=1.2.3.4\1.2.3.5-9\::1\a:b:c:d::0\1:2:3:4:5:6:7:8-g
MODIFYING A KEY

The values passed are exactly the same as key creation, except:

keyname=  #must match the value you are editing
action=modify   #must pass this to use modify-mode.
key|key2=  #can be left blank if you don't wish to alter the values.

Everything else must still be passed as if it were a fresh copy.

This implies that you do need to pull all currently values before you can push them back again, since all items need to be known (cannot just edit one part and exclude other info)

VIEWING A KEY: A 1.59.0+:

method: GET

action=show_modify

keyname=keyname #name of the key to view

Returns URL encoded list of values.

You can alternatively work with json output, by adding this GET value:

json=yes

The json=yes value works with CMD_LOGIN_KEYS prior to 1.59.0.

===========================

Feb 8th, 2012 - 1.40.3

** BUG Found **

If you're using the httpd-auth login method (as most APIs do), there is a limit of 40 characters for the keys.

If you key value is more than 40 characters (the random button creates 64 character values), then the login will fail.

There are fixed binarie in the pre-release section which support the full 64 character length.

Session based logins with the keys are not affected by this bug.

case insensitive search for domain names (SKINS) new

use javascript to make the domain field all lower case when searching for domains.

Do not make username's lower case, as upper case username are sometimes present.

SKINS:

admin/content_main.html

from:

value8.value=value.value

to:

value8.value=value.value.toLowerCase();

reseller/content_main.html

from:

value7.value=value.value

to:

value7.value=value.value.toLowerCase();

Ability to specify dovecot log for bandwidth usage new

Ability to specify dovecot log for bandwidth usage

http://www.directadmin.com/forum/showthread.php?t=42664&p=216068#post216068

This change is part of the da-popb4smtp, not directadmin itself.

To change the path that da-popb4smtp uses for parsing, use the newly added f option.

Edit:

/etc/init.d/da-popb4smtp

change the start line from:

daemon $PROGBIN

to be:

daemon $PROGBIN f /path/to/new/log

This change also allows the da-popb4smtp to support multiple options at once, eg:

./da-popb4smtp s f /var/log/maillog t 456

type:

./da-popb4smtp ?

for info on each option.

Changed default message system sort order (SKINS) new

Minor cosmetic change, so that the newest message shows up first when clicking on the Message System link.

Saves having to search to the last page when multiples pages of results are present.

SKINS:

footer_bar_1.html

add:

?sort1=-1

to give you:

CMD_TICKET?sort1=-1

Security: improved referer check new

DirectAdmin already does a referer check on all requests:

Security check on Referer header

There is a case where, if an attacker already has access to create files on your website (meaning you've already been hacked), and you're logged into DA with that same host name, they could bypass DA's referrer check, since the hosts already match.

The likelihood of being affected is low, but possible if you've got many insecure scripts on your website, your website has already been hacked, and you click a hacked page while being logged into DA, so we'll label the threat as medium.

Also has improved checks on the Origin header.

Ability to suspend one ftp account new

Same as for email accounts, except for ftp:

Ability to suspend one email account

Important note:

If you have ftp accounts suspended, then suspend your domain (or entire DA account), and then have the domain (or DA account) unsuspended, all ftp accounts will be unsuspended, even if they were suspended before.

Unlike the email accounts, which have an unused gecos field, with ftp, DA is already using the gecos field to store the ftp account type, so cannot store such information, hence everything gets unsuspended when the domain is unsuspended.

Create the pid file after binding to 2222 fixed

Until now, the PID file for DA was created shortly after the binary started running, but before the code that binds to port 2222.

This caused a pid sync issue if DA was attempted to be started, while it was already running.

The 2nd instance overwrote the pid file of the active process.. but the 2nd instance failed/quit because it couldn't bind to 2222.

The change moves the PID creation to a point in the code after the binding to 2222, so that the PID file will always contain the correct value.

Bug with new logrotation fixed

When set to the default "5", not taking into account different months:

> Dec-2011.tar.gz
> Dec-2011.tar.gz.1
> Dec-2011.tar.gz.2
> Dec-2011.tar.gz.3
> Dec-2011.tar.gz.4
> Nov-2011.tar.gz
> Nov-2011.tar.gz.1
> Nov-2011.tar.gz.2
> Nov-2011.tar.gz.3
> Nov-2011.2.tar.gz
> Nov-2011.1.tar.gz
> Nov-2011.tar.gz.4
> Nov-2011.5.tar.gz
> Nov-2011.4.tar.gz

Keep existing rotation mechanism, but add a post-check to only keep 5.

wrong filename used when incremental_ftp=0 fixed

When incremental_ftp=0 was set, the filename being accessed for ftp upload was:

username.tar.gz

instead of:

user.admin.username.tar.gz

when the backup is created from Admin Backup/Transfer.

FAIL_URL not redirecting if login with bad values when already logged in fixed

Although this case isn't too common, if you are using a custom login form with the FAIL_URL option, if you have already logged in correct to DA with that form, but decide to login again with a wrong password, the failed login did not redirect the client to the FAIL_URL.

This is because of the logic:

If authenticated:
   do authenticated things
else
   send error

Since you're already authenticated, the send error code is never reached.

Calling CMD_LOGIN while already logged is a difference case (essentially never used), and just shows the login page without any of the fancy options, hence the issue.

What I've done, is changed it, so that if you call CMD_LOGIN when you're already logged in, you're sent to /, and the login system will take care of the reset correctly.

Because the main login checking code would be re-run, the session would then be reset correctly, so if the wrong password is used, you'll get the FAIL_URL as expected.

better filtering on compressed file field in FM fixed

Better filtering on compressed file field in FM. Mainly just the output text if the path isn't value. (encoded into safe html)

tickets date not sorting correctly fixed

http://www.directadmin.com/forum/showthread.php?t=42543&p=215245#post215245

Resolving by inserting timestamp to table as the data value, and then using the 05/28/2011 format as non-sorted text to hide the data.

Although, this bugfix is somewhat pointless, as you can sort by the message/ticket ID number, which will always be in chronological order of creation.

In any case, when the date column is clicked, proper sorting will be done.

BFM found wrong IP if from LAN fixed

2012-01-26 10:58:32 SMTP call from host.name.com ([192.168.1.222]) [5.6.7.8] dropped: too many nonmail commands (last was "AUTH")

2012-01-26 10:58:34 login authenticator failed for host.name.com ([192.168.1.222]) [5.6.7.8]: 535 Incorrect authentication data (set_id=1234)

Brute-Force Attack detected in service log from IP(s) 192.168.1.222 Today at 07:29

Changed the template/brute_filter.list to be:

exim1=ip_after=]) [&ip_until=]&text=login authenticator failed for&user_after=(set_id%3D&user_until=)

exim2=ip_after=[&ip_until=]&text=login authenticator failed for&user_after=(set_id%3D&user_until=)

basically, moving exim1 to be exim2.

Added exim1, and just change:

ip_after=[

to be:

ip_after=]) [

For most cases, exim1 will fail () will hold the hostname of the computer, instead of the ([ip]), so exim2 will be the new common filter match for exim login failures.

Filemanager bug: Up a Level with + character fixed

If there was a + character in a directory, if you're in a sub directory of that + folder, the "Up a Level" link is not encoding the + character correctly to %2B.

Fix replaces the + with %2B.

Last Updated: