
[Case 109441] Changes to account suspensions with .htaccess

Discussion in 'General Discussion' started by bryyyon, Jul 25, 2014.

  1. bryyyon

    bryyyon Member

    Joined:
    Mar 1, 2011
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    In some very recent version of cPanel a change was made in how accounts are suspended. The suspension process now modifies httpd.conf in-place to include a suspension config for the user's virtual hosts, rather than updating their .htaccess file(s) separately.

    This is causing very significant issues for us due to the changes this is making to httpd.conf as well as the requirement to restart Apache after every cPanel account suspension. This is due to the size of our httpd.conf file and this is already minimized.

    I cannot find any mention of this significant change in any release notes or change log. The documentation page below does discuss this, however. According to the Google cache and the last modified date on the page, this was written within the last 2-3 days, which is when we started seeing the behavior after the latest cPanel update on 11.42.

    https://documentation.cpanel.net/display/CKB/What+Happens+When+You+Suspend+an+Account

    Was this change announced anywhere? Can we revert to the old behavior? Any suggestions would be greatly appreciated.
     
  2. bryyyon

    This isn't EasyApache. Why move it to the EasyApache forum?

    To the world: We copied the prior suspendacct Perl script over the new one and use that instead. It works fine. The new unsuspendacct handles both cases, too.
     
  3. bryyyon

    Sorry for the triple-post.

    It's evident this change to suspensions was made in haste and I believe I've found why, but regardless - I hope the following helps anyone in the predicament we're in: The new suspension implementation introduced on July 21st doesn't preserve the disabling RedirectMatch directives on document roots after a rebuild of httpd.conf. If httpd.conf is rebuilt the include lines are removed from httpd.conf for all suspended accounts through the new mechanism. Though they were added into the httpd.conf,v versioned file, so we do know they existed prior to a rebuild.


    Code:
    # rlog /usr/local/apache/conf/httpd.conf,v | head -n 30
    
    RCS file: /usr/local/apache/conf/httpd.conf,v
    Working file: httpd.conf
    head: 1.251
    branch:
    locks: strict
            root: 1.251
    access list:
    symbolic names:
    keyword substitution: kv
    total revisions: 251;   selected revisions: 251
    description:
    ----------------------------
    revision 1.251  locked by: root;
    date: 2014/07/27 03:16:29;  author: root;  state: Exp;  lines: +609 -1
    "Modified by /scripts/rebuildhttpdconf End build_apache_conf"
    ----------------------------
    revision 1.250
    date: 2014/07/26 18:31:54;  author: root;  state: Exp;  lines: +30707 -31735
    "Modified by /scripts/rebuildhttpdconf End build_apache_conf"
    ----------------------------
    revision 1.249
    date: 2014/07/25 20:18:03;  author: root;  state: Exp;  lines: +1 -0
    "Modified by /usr/local/cpanel/scripts/suspendacct Edited by ensure_vhost_include_directives() - /usr/local/cpanel/scripts/suspendacct"
    ----------------------------
    revision 1.248
    date: 2014/07/25 20:17:25;  author: root;  state: Exp;  lines: +1 -0
    "Modified by /usr/local/cpanel/scripts/suspendacct Edited by ensure_vhost_include_directives() - /usr/local/cpanel/scripts/suspendacct"
    ----------------------------
    

    Here's a quick Python script to re-submit any suspensions detected via the new method that were potentially removed after an httpd.conf build. Note that this does not preserve a cPanel suspension reason for the initial suspension.

    Code:
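    import os
    import subprocess

    USERDATA = '/etc/httpd/conf/userdata/std/2/'

    for dirname in os.listdir(USERDATA):
        # The new suspension method leaves a <user>-suspend.conf per account.
        filename = os.path.join(USERDATA, dirname, '{0}-suspend.conf'.format(dirname))
        if os.path.isfile(filename):
            username = dirname
            # Only resuspend accounts cPanel itself still marks as suspended.
            with open(os.path.join('/var/cpanel/users/', username)) as f:
                cpuser = f.readlines()
            found = 'SUSPENDED=1\n' in cpuser
            if found:
                print('Resuspending', username)
                # Argument list, no shell: the name is never shell-parsed.
                subprocess.call(['/scripts/suspendacct', username])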
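
A read-only audit for the failure described in the post above, added here as an example and not part of the original post or of cPanel's code: it lists accounts flagged `SUSPENDED=1` whose suspend conf is no longer pulled in by any `Include` line in httpd.conf. The function names, the sample data and the exact form of the `Include` directive are assumptions; the paths follow the script above.

```python
import re

# Constructed sample inputs (not from a real server). The userdata layout
# mirrors the script above; the Include directive format is an assumption.
USERDATA = "/etc/httpd/conf/userdata/std/2"
SAMPLE_HTTPD_CONF = '''
<VirtualHost 192.0.2.10:80>
    ServerName alice.example
    Include "/etc/httpd/conf/userdata/std/2/alice/alice-suspend.conf"
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName bob.example
</VirtualHost>
'''
SAMPLE_CPUSERS = {
    "alice": "DNS=alice.example\nSUSPENDED=1\n",
    "bob": "DNS=bob.example\nSUSPENDED=1\n",  # include line lost in a rebuild
    "carol": "DNS=carol.example\n",           # never suspended
}

# Active Include/IncludeOptional lines only; commented-out lines do not match.
INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)"?\s*$',
                        re.I | re.M)

def included_paths(httpd_conf_text):
    """Return the set of paths named by active Include directives."""
    return set(INCLUDE_RE.findall(httpd_conf_text))

def is_suspended(cpuser_text):
    """True when the cPanel user file carries the SUSPENDED=1 flag."""
    return "SUSPENDED=1" in cpuser_text.splitlines()

def unenforced_suspensions(httpd_conf_text, cpusers):
    """Suspended users whose suspend conf httpd.conf no longer includes."""
    active = included_paths(httpd_conf_text)
    missing = []
    for user, text in sorted(cpusers.items()):
        expected = "{0}/{1}/{1}-suspend.conf".format(USERDATA, user)
        if is_suspended(text) and expected not in active:
            missing.append(user)
    return missing

if __name__ == "__main__":
    for user in unenforced_suspensions(SAMPLE_HTTPD_CONF, SAMPLE_CPUSERS):
        print("suspended in cPanel but not enforced in httpd.conf:", user)
```

On a server the two inputs would be the contents of /usr/local/apache/conf/httpd.conf and of each file under /var/cpanel/users/; running the check after every httpd.conf rebuild shows which suspensions were dropped.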
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The change in behavior is to address security concerns. It's announced here, but without the full details yet due to how we handle targeted security releases:

    cPanel TSR-2014-0005 Announcement

    Documentation is available at:

    Manage Account Suspensions
    What Happens When You Suspend An Account

    Please ensure you submit a bug report for any issues you encounter with the suspension process:

    Submit A Bug Report

    You can post the ticket number here and we can update this thread with the outcome.

    Thank you.
     
  5. bryyyon

    Thank you, Michael. I came to the conclusion that it was for a security-related matter and that's why it hadn't been explicitly discussed in a release change log. I'll wait to see what the additional information slated for release today brings.
     
    #5 bryyyon, Jul 28, 2014
    Last edited: Jul 28, 2014
  6. cPanelMichael

    Internal case number 109441 is open to address an issue where rebuilding the Apache configuration file with Apache 2.4 can result in unsuspensions in limited circumstances. There is currently no specific time frame available for a resolution but the case is open with our development team.

    Thank you.
     