* shared hosting security: removed posix functions [shared hosting security]
* removed pcntl functions [shared hosting security]
* added dummy domxml package [compatibility with other packages that depend on it, such as certain plesk 8 packages]

This build does have cgi compiled with fastcgi support.

Additionally, there is a corresponding php-apc 3.1.0 rpm available in the downloads section for this build of php.

To get these files with up2date, add my rpm signing key:
rpm –import http://www.justinsamuel.com/downloads/rpms/RPM-GPG-KEY.js.txt

And add this line to your /etc/sysconfig/rhn/sources:
yum justinsamuel-com http://www.justinsamuel.com/downloads/rpms/redhat/el4/en/$ARCH/js/

—
topics: rh4, rhel4, red hat enterprise linux 4, centos4, cent os 4, php5, apc

to use this, for example on a plesk box to allow domains to use sftp without having to give them a chroot’ed bash shell, do the following:

- install the scponly rpm from the downloads area
- add the following line to your /etc/shells file
/usr/sbin/scponlyc
- set any domain you want to have sftp access without any other shell access to use this shell.
- optionally, edit your domain templates and make the default shell this one and remove ability for clients to change the shell for a domain

note that this will only allow domains to use sftp but not scp (at least on a redhat box). this is because plesk decided to put the scp binary for a site’s chroot someone different than it exists in the rest of the system, and so it’s not where the scponlyc shell will look for it. so, just keep that in mind in case anyone complains sftp works but not scp.

if you want to have scp work for a domain, hard link the domain’s bin/scp to usr/bin/scp. if you want, you can even make the change to the chroot directory so that newly created domains have scp available, too. and if you’re brave, you can use the chrootmng tool to setup existing domains with your changes to the chroot directory.

Trying to enable APC for all sites on a server that has the sites running php though fastcgi (with a very low shm_size) resulted in odd behaviour on some sites. An shm_size of 3 or 4MB on a site running drupal produced errors of apc_sma_free: could not locate address, but 2MB seemed to work fine. Other sites handled the setting of 3 or 4MB just fine. I didn’t test any further as all i really needed to verify for myself was that enabling APC for all sites wasn’t a good plan. I’ll stick to turning it on in each sites’s php.ini for now for those that are very heavily trafficked.

mkdir /usr/share/ssl/certs/hostname.domain.com
cd /usr/share/ssl/certs/hostname.domain.com
(umask 077 && touch host.key host.cert host.info host.pem)
openssl genrsa 2048 > host.key
openssl req -new -x509 -nodes -sha1 -days 3650 -key host.key > host.cert
...[enter *.domain.com for the Common Name]...
openssl x509 -noout -fingerprint -text < host.cert > host.info
cat host.cert host.key > host.pem
chmod 400 host.key host.pem

To do the following, you need a certificate. It can be self signed or CA signed. Using a self-signed cert will of course result in some browser warnings for those who have not added the certificate as locally trusted on their computer.

You will want a copy of your cert in PEM format. If you don’t have this already, just create a single file with the private key followed by the certificate. That’s it. For example, just run the following (using correct paths to your private key and certificate files):

touch host.pem
chmod 600 host.pem
cat host.key host.crt > host.pem

and you’ll now have a PEM file. It should look like this:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Courier-IMAP (pop3s and imaps)

The first step is to set it up for pop3s and imaps by backing up and replacing the certs at:

/usr/share/courier-imap/pop3d.pem
and
/usr/share/courier-imap/imapd.pem

with your PEM file.

If you have a chained cert, you need to do one more thing. You need to tell courier-imap about it. Backup and edit both of the following files:

/etc/courier-imap/pop3d-ssl
/etc/courier-imap/imapd-ssl

and set the value TLS_TRUSTCERTS in each file to the path to the certificate chain. For example, drop a copy of the certificate chain into a file at:

/usr/share/courier-imap/chain.crt

and then set the value for TLS_TRUSTCERTS in the pop3d-ssl and imapd-ssl files like so:

TLS_TRUSTCERTS=/usr/share/courier-imap/chain.crt

now restart courier-imap:

service courier-imap restart

Qmail (smtps)

To setup your certificate for use with smtps, copy your PEM file to:

/var/qmail/control/servercert.pem

and if you have a CA certs, append them to that same file (so you should have all of the CA chained certs right after your own certificate in that file).

now restart qmail:

service qmail restart

Test everything

You can test these newly installed certificates to make sure everything is working with the following:

openssl s_client -connect [host]:993
openssl s_client -connect [host]:995
openssl s_client -connect [host]:465

Note that the imaps test (port 465) can take a while to respond when testing like this.

And, of course, you can test these (and should) by trying to use an actual email account to send and receive mail using these protocols.

• removed posix functions (were enabled for cgi, cli and apache module)
• removed pcntl functions (were enabled for cgi)

This build does have cgi compiled with fastcgi support (the fedora php5 releases have that).