SME Server 8 and session.use_trans_sid

Downloaded the svn of osCmax to do some dev work and the first install screen advised that session.use_trans_sid was enabled and should not be.

After some quick research that simply suggested I add a rule to .htaccess, I went looking at the php.ini and how to turn it off permanently.

[php]
# grep session /etc/e-smith/templates/etc/php.ini/*
[/php]

returns

[php]
/etc/e-smith/templates/etc/php.ini/80ModuleSettings16Session:session.use_trans_sid = 1
[/php]

Which tells me to copy the offending template fragment to the templates-custom area, set the value to 0, and rebuild php.ini from the template.

[php]
# cp /etc/e-smith/templates/etc/php.ini/80ModuleSettings16Session /etc/e-smith/templates-custom/etc/php.ini/
[/php]

I like using mcedit on my Linux systems, but you might prefer vi or something else.

[php]
# mcedit /etc/e-smith/templates-custom/etc/php.ini/80ModuleSettings16Session
[/php]

and change the setting for session.use_trans_sid from 1 to 0 and save the file.

Then rebuild the php.ini and restart apache.
[php]
# /sbin/e-smith/expand-template /etc/php.ini
# apachectl graceful
[/php]

Of course these notes pretty much apply to any SME Server template snippet to adjust the server settings permanently so that reboots don’t lose your changes.
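As an added example (my own script, not SME Server's tooling), here are the steps above wrapped into a small shell script: it copies a fragment to templates-custom, rewrites one key in the copy, re-expands the target if expand-template is present, and checks the resulting php.ini. The function names are this script's own; the paths default to the SME layout but can be redirected with the TEMPLATES, CUSTOM and EXPAND environment variables, which is how the functions can be tried in a scratch directory. The setting matters because with use_trans_sid on, PHP rewrites links to carry the session id in the URL, which then ends up in referrers, bookmarks and logs.

```shell
#!/bin/sh
# Override one setting in an SME Server template fragment so it survives
# template re-expansion. Added example: function names are this script's own,
# paths default to the SME layout but can be overridden via the environment
# (expand-template is only run when the tool actually exists).
TEMPLATES="${TEMPLATES:-/etc/e-smith/templates}"
CUSTOM="${CUSTOM:-/etc/e-smith/templates-custom}"
EXPAND="${EXPAND:-/sbin/e-smith/expand-template}"

# override_setting <target-config> <fragment> <key> <value>
#   e.g. override_setting /etc/php.ini 80ModuleSettings16Session session.use_trans_sid 0
override_setting() {
  target=$1; fragment=$2; key=$3; value=$4
  src="$TEMPLATES$target/$fragment"
  dst="$CUSTOM$target/$fragment"
  [ -f "$src" ] || { echo "no such template fragment: $src" >&2; return 1; }
  mkdir -p "$CUSTOM$target"
  # Copy the stock fragment only once; later runs edit the existing custom copy.
  [ -f "$dst" ] || cp "$src" "$dst"
  # Rewrite "key = anything" to "key = value" (via a temp file, so no sed -i needed).
  sed "s|^\([[:space:]]*$key[[:space:]]*=\).*|\1 $value|" "$dst" > "$dst.tmp" \
    && mv "$dst.tmp" "$dst"
  # Regenerate the live file from stock + custom fragments when the tool is present.
  if [ -x "$EXPAND" ]; then "$EXPAND" "$target"; fi
}

# setting_value <file> <key>: print the last value assigned to key in an ini-style file
setting_value() {
  sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)|\1|p" "$1" | tail -n 1
}

# trans_sid_disabled <php.ini>: succeed only when session.use_trans_sid is 0 or Off
trans_sid_disabled() {
  case "$(setting_value "$1" session.use_trans_sid)" in
    0|Off|off) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage on a real SME Server (as root):
#   sh override.sh apply && trans_sid_disabled /etc/php.ini && apachectl graceful
if [ "${1:-}" = "apply" ]; then
  override_setting /etc/php.ini 80ModuleSettings16Session session.use_trans_sid 0
fi
```

The check at the end is the part worth keeping around: after any template expansion, confirming that the live php.ini still reports the value you set is quicker than re-reading the install screen.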

SME Server 8 and Subversion

Went to run an svn download on my current dev server this morning and could not find the subversion add-on.

Look at this for current details http://wiki.contribs.org/SME8.0_Contribs_QA#smeserver-subversion

I then checked this section http://wiki.contribs.org/SME8.0_Contribs_QA#Setup and created the sme7contribs repo. Yes, copying and pasting the multi-line db update commands does work.

[php]
yum install smeserver-subversion --enablerepo=sme7contribs
[/php]

I then got missing-dependency errors, and apparently these are meant to be set up manually, but how do you find what to actually install?

[php]
subversion-1.4.6-0.2.el4.rfx.i386 from sme7contribs has depsolving problems
  --> Missing Dependency: libapr-0.so.0 is needed by package subversion-1.4.6-0.2.el4.rfx.i386 (sme7contribs)
mod_dav_svn-1.4.6-0.2.el4.rfx.i386 from sme7contribs has depsolving problems
  --> Missing Dependency: httpd-mmn = 20020903 is needed by package mod_dav_svn-1.4.6-0.2.el4.rfx.i386 (sme7contribs)
subversion-1.4.6-0.2.el4.rfx.i386 from sme7contribs has depsolving problems
  --> Missing Dependency: libaprutil-0.so.0 is needed by package subversion-1.4.6-0.2.el4.rfx.i386 (sme7contribs)
Error: Missing Dependency: libaprutil-0.so.0 is needed by package subversion-1.4.6-0.2.el4.rfx.i386 (sme7contribs)
Error: Missing Dependency: libapr-0.so.0 is needed by package subversion-1.4.6-0.2.el4.rfx.i386 (sme7contribs)
Error: Missing Dependency: httpd-mmn = 20020903 is needed by package mod_dav_svn-1.4.6-0.2.el4.rfx.i386 (sme7contribs)
[/php]

and of course the simple answer is to not quite follow the instructions!

Instead of enabling only the sme7contribs repo, use a wildcard like *. The following command enables every configured repository and succeeds:

[php]
yum install smeserver-subversion --enablerepo=*
[/php]

[php]
Dependencies Resolved

===============================================================================
 Package               Arch    Version              Repository    Size
===============================================================================
Installing:
 smeserver-subversion  noarch  1.4-46.el4.sme       sme7contribs   74 k
Installing for dependencies:
 mod_dav_svn           i386    1.6.15-0.1.el5.rfx   smecontribs   243 k
 neon                  i386    0.25.5-10.el5_4.1    base          101 k
 smeserver-mod_dav     noarch  0.1-18.el4.sme       sme7contribs  7.6 k
 subversion            i386    1.6.15-0.1.el5.rfx   smecontribs   6.5 M

Transaction Summary
===============================================================================
Install       5 Package(s)
[/php]

As shown above, the supporting packages are spread across several repos, and the wildcard lets yum find them all in one go.
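The wildcard enables every repository yum has configured on the box, not just the one you meant, so it is worth confirming which repo each package would come from before answering yum's prompt. What follows is an added example, not from the post: shell functions that parse a yum "Dependencies Resolved" table (the one above, pasted in as a constructed sample) and list the packages coming from repos outside a list you trust. The function names are this script's own.

```shell
#!/bin/sh
# Added example: read a yum "Dependencies Resolved" table and report which
# repository each package would come from, so a transaction run with
# --enablerepo=* can be checked against the repos you actually trust.
# SAMPLE is the table from the post, pasted in as constructed input.

SAMPLE='Dependencies Resolved

===============================================================================
Package Arch Version Repository Size
===============================================================================
Installing:
smeserver-subversion noarch 1.4-46.el4.sme sme7contribs 74 k
Installing for dependencies:
mod_dav_svn i386 1.6.15-0.1.el5.rfx smecontribs 243 k
neon i386 0.25.5-10.el5_4.1 base 101 k
smeserver-mod_dav noarch 0.1-18.el4.sme sme7contribs 7.6 k
subversion i386 1.6.15-0.1.el5.rfx smecontribs 6.5 M

Transaction Summary
==============================================================================
Install 5 Package(s)'

# package_repos: stdin = yum transaction table; stdout = "package repository" per line.
# Package rows end in "<size> <unit>", so the repository is the third field from the end.
package_repos() {
  awk '
    /^(Installing|Updating|Removing|Transaction Summary)/ { inpkg = ($0 !~ /^Transaction/); next }
    inpkg && NF >= 5 && $NF ~ /^[kMG]$/ { print $1, $(NF-2) }
  '
}

# repos_used: stdin = table; stdout = the distinct repositories, space separated.
repos_used() {
  package_repos | awk '{ print $2 }' | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# packages_outside <trusted-repo>...: stdin = table; stdout = packages from any other repo.
packages_outside() {
  trusted=" $* "
  package_repos | while read -r pkg repo; do
    case "$trusted" in
      *" $repo "*) ;;
      *) echo "$pkg $repo" ;;
    esac
  done
}

# Usage on a real box: save the table yum prints before its "Is this ok" prompt
# (answer N), then:  packages_outside sme7contribs smecontribs < yum-table.txt
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE" | packages_outside sme7contribs smecontribs
fi
```

Run against the sample with sme7contribs and smecontribs trusted, it reports only neon coming from base, which is the kind of answer you want before letting a wildcard pull from whatever else happens to be configured.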

If you are reading this and you do all the above, I’d be interested to know if you get an issue with Windows network access to the server after the updates. I had the server rebooted etc and then could not browse or connect from my Windows 7 based notebook until after I had re-applied the Workgroup settings from the admin console of sme server. Seemed odd, as if one of the updates processed had impacted the workgroup / samba settings.

oscMax Check Permissions add-on update for v2.5

I was working through a trial install of oscMax v2.5beta3 and following the security setup instructions.

In doing so I found a number of changes that I wanted to make and the first one that I have completed is the Check Permissions add-on.

You can download Check_permissions_2.5
(Edit: this file was updated 20110312)

The references that you can use are included in the zip file README etc.

Also you may want to look at

The oscMax Security documentation which is what started me on this update

The oscMax link to version 1.3 of Check Permissions if you want to compare the code I added

The oscMax wiki page on Check Permissions that I added with the details regarding both the install of 1.3 or 2.5

.htaccess useful options

This is a post that I started to remind me of the correct syntax for the .htaccess file. But given that it has grown to include a heap of .htaccess info, I thought it wise to highlight the Apache official .htaccess tutorial pages. Given the information in that tutorial, only use .htaccess if you really need to, and preferably put the directives in httpd.conf (apache2.conf or similar, depending on your distro), as that helps with system performance. That said, there are a number of things that I use .htaccess for; here are some of them.

Edit: Have not read this as yet, but it seems to contain a heap more detail. http://www.askapache.com/htaccess/htaccess.html

The following came from http://www.buildwebsite4u.com/advanced/htaccess-file.shtml:

Redirecting YourSite.com to www.YourSite.com
If search engines find both www and non-www links from other sites to your site, they may treat http://YourSite.com and http://www.YourSite.com as two different websites with the same content. This means that your site can be penalized for duplicate content. Many experts recommend to set up a 301 redirect (permanent redirect) from YourSite.com to www.YourSite.com…

The code for this would be:
[php]
RewriteEngine On
RewriteCond %{HTTP_HOST} ^YourSite\.com$ [NC]
RewriteRule ^(.*)$ http://www.YourSite.com/$1 [R=301,L]
[/php]

Of course, using the .htaccess file and having all the correct paths enabled will help.

My default SME Server uses Apache2 and I have found that in order to use .htaccess and htpasswd effectively I had to add / enable some modules in the /etc/httpd/conf/httpd.conf file.

Setting aside the fact that SME Server needs specific templates updated, the CentOS distro it is based on will be similar to this (I expect).

I enabled a number of auth-related modules to address a series of errors. In each case /var/log/httpd/error.log was where the errors were recorded.

[php]
.htaccess: Invalid command 'AuthUserFile', perhaps misspelled or defined by a module not included in the server configuration
[/php]

was fixed by enabling

[php]
LoadModule authn_file_module modules/mod_authn_file.so
[/php]

While the error

[php]
configuration error: couldn't check user. No user file?
[/php]

needed the Basic Authentication module enabled in the LoadModule section of httpd.conf:

[php]
LoadModule auth_basic_module modules/mod_auth_basic.so
[/php]

Note that by default Digest is enabled, but given that Digest provides little security above Basic I am ok with using Basic with SSL. Note that SSL is essential for Basic Authentication to be of use. Read the info from Apache on Basic v Digest as I think it makes it clear.

…and another error

[php]
configuration error: couldn't check access. No groups file?:
[/php]

needed this module added:

[php]
LoadModule authz_user_module modules/mod_authz_user.so
[/php]

At this point I could log in from the browser and got a prompt to access the directory. However there was still an error in the log which stated:

[php]
/.htaccess: order not allowed here
[/php]

This was because I had not completed the AllowOverride construct in the httpd.conf file.

In my httpd.conf I have sections for each virtual site / directory on the server, along these lines:

[php]
# placeholder path; one such section exists per site / directory
<Directory "/path/to/site">
    Options None
    Options +Indexes
    Options +Includes
    AllowOverride None
    order deny,allow
    deny from all
    allow from all
</Directory>
[/php]

in which the 'AllowOverride None' directive makes Apache ignore .htaccess entirely. Setting it to AllowOverride AuthConfig lets .htaccess require a username/password, but Limit is also needed, or the error about Order appears.

So to summarise the httpd.conf change, I added a specific directory directive for the directory I am securing with htaccess/htpasswd, with the following:

[php]
# placeholder path; use the directory being secured
<Directory "/path/to/secured/dir">
    AllowOverride AuthConfig Limit
    order deny,allow
    deny from all
    allow from all
</Directory>
[/php]
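To check a server for the three pieces this section covers (the auth modules actually loaded, the AllowOverride scope on the protected directory, and where the htpasswd file lives), here is an added example of my own, not SME Server's: a shell lint run over a constructed httpd.conf and .htaccess. The file paths, the directory name and the function names are this example's assumptions; the module identifiers are the standard Apache 2.2 ones. One LoadModule line is deliberately commented out in the sample so the check has something to find.

```shell
#!/bin/sh
# Added example: lint an httpd.conf / .htaccess pair for what Basic auth via
# .htaccess needs: the three auth modules loaded, AllowOverride on the
# protected directory covering AuthConfig and Limit, and the password file
# kept outside the document root. Sample files are constructed here; the
# function names and paths are this script's own, not SME Server's.

REQUIRED_MODULES="authn_file_module auth_basic_module authz_user_module"

# Constructed httpd.conf excerpt (auth_basic_module commented out on purpose).
SAMPLE_CONF='DocumentRoot "/var/www/html"
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_user_module modules/mod_authz_user.so
<Directory "/var/www/html/secure">
    AllowOverride AuthConfig Limit
    order deny,allow
    deny from all
    allow from all
</Directory>'

# Constructed .htaccess for /var/www/html/secure (password file under the docroot).
SAMPLE_HTACCESS='AuthType Basic
AuthName "Restricted area"
AuthUserFile /var/www/html/secure/.htpasswd
Require valid-user'

# modules_missing <httpd.conf>: print each required module with no active
# LoadModule line (a commented-out line does not count).
modules_missing() {
  for m in $REQUIRED_MODULES; do
    grep -Eq "^[[:space:]]*LoadModule[[:space:]]+$m[[:space:]]" "$1" || echo "$m"
  done
}

# allowoverride_for <httpd.conf> <dir>: print the AllowOverride value inside <Directory dir>
allowoverride_for() {
  awk -v dir="$2" '
    /^[[:space:]]*<Directory[[:space:]]/ { gsub(/"/, ""); inblk = ($2 == (dir ">")); next }
    /^[[:space:]]*<\/Directory>/          { inblk = 0; next }
    inblk && $1 == "AllowOverride"        { $1 = ""; sub(/^[[:space:]]+/, ""); print }
  ' "$1"
}

# overrides_ok <httpd.conf> <dir>: succeed only if .htaccess auth will work there,
# i.e. AllowOverride is All or includes both AuthConfig and Limit.
overrides_ok() {
  v=" $(allowoverride_for "$1" "$2") "
  case "$v" in
    *" All "*) return 0 ;;
    *" AuthConfig "*) case "$v" in *" Limit "*) return 0 ;; esac ;;
  esac
  return 1
}

# htpasswd_exposed <.htaccess> <docroot>: succeed if AuthUserFile lives under the
# document root, where a slip in the deny rules could serve the hashes to the web.
htpasswd_exposed() {
  f=$(awk '$1 == "AuthUserFile" { print $2 }' "$1")
  case "$f" in "$2"/*) return 0 ;; *) return 1 ;; esac
}

# lint <httpd.conf> <.htaccess> <docroot> <protected-dir>: print findings, fail if any
lint() {
  rc=0
  for m in $(modules_missing "$1"); do echo "missing: LoadModule $m"; rc=1; done
  overrides_ok "$1" "$4" || { echo "AllowOverride for $4 lacks AuthConfig/Limit"; rc=1; }
  htpasswd_exposed "$2" "$3" && { echo "AuthUserFile is inside DocumentRoot $3"; rc=1; }
  return $rc
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  printf '%s\n' "$SAMPLE_CONF" > "$d/httpd.conf"
  printf '%s\n' "$SAMPLE_HTACCESS" > "$d/htaccess"
  lint "$d/httpd.conf" "$d/htaccess" /var/www/html /var/www/html/secure
fi
```

On the sample it reports the missing auth_basic_module and the htpasswd file sitting under the DocumentRoot; the AllowOverride check passes. Pointing AuthUserFile at a path outside the web tree is the usual fix for the second finding, and it pairs with the point above that Basic only makes sense over SSL.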