[Case 109441] Changes to account suspensions with .htaccess

bryyyon

Member
Mar 1, 2011
6
0
51
In some very recent version of cPanel a change was made in how accounts are suspended. The suspension process now modifies httpd.conf in-place to include a suspension config for the user's virtual hosts, rather than updating their .htaccess file(s) separately.

This is causing very significant issues for us due to the changes this is making to httpd.conf as well as the requirement to restart Apache after every cPanel account suspension. This is due to the size of our httpd.conf file and this is already minimized.

I cannot find any mention of this significant change in any release notes or change log. The documentation page below does discuss this, however. According to the Google cache and the last modified date on the page, this was written within the last 2-3 days, which is when we started seeing the behavior after the latest cPanel update on 11.42.

https://documentation.cpanel.net/display/CKB/What+Happens+When+You+Suspend+an+Account

Was this change announced anywhere? Can we revert to the old behavior? Any suggestions would be greatly appreciated.
 

bryyyon

This isn't EasyApache. Why move it to the EasyApache forum?

To the world: We copied the prior suspendacct Perl script over the new one and use that instead. It works fine. The new unsuspendacct handles both cases, too.
 

bryyyon

Sorry for the triple-post.

It's evident this change to suspensions was made in haste and I believe I've found why, but regardless, I hope the following helps anyone in the predicament we're in: The new suspension implementation introduced on July 21st doesn't preserve the disabling RedirectMatch directives on document roots after a rebuild of httpd.conf. If httpd.conf is rebuilt, the include lines are removed from httpd.conf for all suspended accounts through the new mechanism. They were added into the httpd.conf,v versioned file, though, so we do know they existed prior to a rebuild.


Code:
# rlog /usr/local/apache/conf/httpd.conf,v | head -n 30

RCS file: /usr/local/apache/conf/httpd.conf,v
Working file: httpd.conf
head: 1.251
branch:
locks: strict
        root: 1.251
access list:
symbolic names:
keyword substitution: kv
total revisions: 251;   selected revisions: 251
description:
----------------------------
revision 1.251  locked by: root;
date: 2014/07/27 03:16:29;  author: root;  state: Exp;  lines: +609 -1
"Modified by /scripts/rebuildhttpdconf End build_apache_conf"
----------------------------
revision 1.250
date: 2014/07/26 18:31:54;  author: root;  state: Exp;  lines: +30707 -31735
"Modified by /scripts/rebuildhttpdconf End build_apache_conf"
----------------------------
revision 1.249
date: 2014/07/25 20:18:03;  author: root;  state: Exp;  lines: +1 -0
"Modified by /usr/local/cpanel/scripts/suspendacct Edited by ensure_vhost_include_directives() - /usr/local/cpanel/scripts/suspendacct"
----------------------------
revision 1.248
date: 2014/07/25 20:17:25;  author: root;  state: Exp;  lines: +1 -0
"Modified by /usr/local/cpanel/scripts/suspendacct Edited by ensure_vhost_include_directives() - /usr/local/cpanel/scripts/suspendacct"
----------------------------

Here's a quick Python script to re-submit any suspensions detected via the new method that were potentially removed after an httpd.conf build. Note that this does not preserve a cPanel suspension reason for the initial suspension.

Code:
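import os
import subprocess

USERDATA = '/etc/httpd/conf/userdata/std/2/'

for username in os.listdir(USERDATA):
    # The new suspension method leaves <user>-suspend.conf in the user's userdata directory.
    filename = os.path.join(USERDATA, username, '{0}-suspend.conf'.format(username))
    if not os.path.isfile(filename):
        continue
    try:
        with open(os.path.join('/var/cpanel/users/', username)) as f:
            cpuser = f.readlines()
    except IOError:
        continue  # directory name has no matching cPanel user file
    # Only re-run suspendacct for accounts cPanel still records as suspended.
    if 'SUSPENDED=1\n' in cpuser:
        print('Resuspending {0}'.format(username))
        # Argument list instead of a shell string, so the name is never shell-parsed.
        subprocess.call(['/scripts/suspendacct', username])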
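
A read-only check for the failure described in the post above, added here as an example (it is not part of the original thread and not cPanel's code): it lists accounts that cPanel records as suspended but whose suspend file is no longer covered by any active Include in httpd.conf. The Include line format, the /usr/local/apache to /etc/httpd alias, and the sample data are assumptions.

```python
import fnmatch
import re

USERDATA = "/etc/httpd/conf/userdata/std/2"  # directory the post's script walks
# Assumption: /usr/local/apache and /etc/httpd are the same tree on this host.
ALIASES = (("/usr/local/apache/", "/etc/httpd/"),)
# Assumption: the suspension is pulled in by an uncommented Include directive.
INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)"?\s*$', re.I)

def normalize(path):
    for src, dst in ALIASES:
        if path.startswith(src):
            return dst + path[len(src):]
    return path

def active_includes(httpd_conf_text):
    """Normalized targets of every Include that is not commented out."""
    found = (INCLUDE_RE.match(line) for line in httpd_conf_text.splitlines())
    return [normalize(m.group(1)) for m in found if m]

def lost_suspensions(httpd_conf_text, cpusers):
    """cpusers maps username -> text of /var/cpanel/users/<username>."""
    includes = active_includes(httpd_conf_text)
    lost = []
    for user, text in sorted(cpusers.items()):
        if "SUSPENDED=1" not in text.splitlines():
            continue  # cPanel does not record this account as suspended
        target = "{0}/{1}/{1}-suspend.conf".format(USERDATA, user)
        # Global check: any active Include whose glob covers the suspend file.
        if not any(fnmatch.fnmatchcase(target, pat) for pat in includes):
            lost.append(user)
    return lost

# Constructed sample input (not taken from a real server).
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:80>
  ServerName alice.example
  Include "/usr/local/apache/conf/userdata/std/2/alice/*.conf"
</VirtualHost>
<VirtualHost 192.0.2.10:80>
  ServerName bob.example
  # Include "/usr/local/apache/conf/userdata/std/2/bob/*.conf"
</VirtualHost>
"""
SAMPLE_USERS = {"alice": "USER=alice\nSUSPENDED=1\n",
                "bob": "USER=bob\nSUSPENDED=1\n", "carol": "USER=carol\n"}

if __name__ == "__main__":
    print(lost_suspensions(SAMPLE_CONF, SAMPLE_USERS))
```

Run after each httpd.conf rebuild, a non-empty result identifies the accounts to re-suspend; the check is global rather than per virtual host.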
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,211
363
Hello :)

The change in behavior is to address security concerns. It's announced here, but without the full details yet due to how we handle targeted security releases:

cPanel TSR-2014-0005 Announcement

Documentation is available at:

Manage Account Suspensions
What Happens When You Suspend An Account

Please ensure you submit a bug report for any issues you encounter with the suspension process:

Submit A Bug Report

You can post the ticket number here and we can update this thread with the outcome.

Thank you.
 

bryyyon

Thank you, Michael. I came to the conclusion that it was for a security-related matter and that's why it hadn't been explicitly discussed in a release change log. I'll wait to see what the additional information slated for release today brings.

cPanelMichael

Internal case number 109441 is open to address an issue where rebuilding the Apache configuration file with Apache 2.4 can result in unsuspensions in limited circumstances. There is currently no specific time frame available for a resolution but the case is open with our development team.

Thank you.