SecurityException in Application.cpp:188: Do not have root privileges. Executable not set-uid

If you're getting Internal Server Error all over your websites on a cPanel server where PHP is configured to run in suPHP CGI mode, you might be seeing the following error in error_log due to ModSecurity. It might be searching for the set-uid (suid) permission on the suphp binary:

SecurityException in Application.cpp:188: Do not have root privileges. Executable not set-uid

To quickly get this fixed on your cPanel server execute the following command:

chmod +s /opt/suphp/sbin/suphp

This should fix the issue instantly.
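As an added example (not part of the original post), this Python check reports whether a helper such as /opt/suphp/sbin/suphp has the ownership and mode a set-uid root binary needs. The function names are hypothetical, and it assumes the binary should be a root-owned regular file.

```python
import os
import stat
import sys

def audit_setuid_helper(mode, uid):
    """Return findings for a set-uid root helper such as suphp.
    mode and uid are st_mode and st_uid as returned by os.stat()."""
    findings = []
    if not stat.S_ISREG(mode):
        findings.append("not a regular file")
    if uid != 0:
        findings.append("owner is not root, so set-uid cannot grant root")
    if not mode & stat.S_ISUID:
        findings.append("set-uid bit missing (the SecurityException case)")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("set-uid binary is group- or world-writable")
    if mode & stat.S_ISGID:
        # chmod +s sets both bits; only set-uid is named in the error.
        findings.append("note: set-gid bit is also set")
    return findings

def audit_path(path):
    """Stat the path (following symlinks) and audit its mode and owner."""
    st = os.stat(path)
    return audit_setuid_helper(st.st_mode, st.st_uid)

if __name__ == "__main__" and len(sys.argv) > 1:
    # Example: python3 audit.py /opt/suphp/sbin/suphp
    for finding in audit_path(sys.argv[1]) or ["ok"]:
        print(finding)
```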

Limit tomcat heap memory usage on cPanel Server

To limit Tomcat heap memory usage we normally change the environment variables in the Tomcat startup scripts. cPanel lets us handle this by creating a file called /var/cpanel/tomcat.options (the file won't exist by default) and adding the min and max values to it:

-Xmx200M
-Xms100M

This sets “-Xms”, the initial Java heap size for the application, to 100MB, and “-Xmx”, the maximum Java heap size, to 200MB. If the - is not placed in front of each option when putting the values into the /var/cpanel/tomcat.options file, Tomcat will refuse to start up properly.

This method would be preferred over directly editing /usr/sbin/starttomcat. The /var/cpanel/tomcat.options file would not be edited by cPanel scripts or upon updates.

Fix: fixquota fails with journaled quota support: not available with vzaquota (disabled)

If you're running a cPanel server on an OpenVZ hardware node, you might face issues with quota for a few reasons:

1. Secondary quota might not have been enabled on hardware node.

You can verify by checking for “DISK_QUOTA=yes” in /etc/vz/conf/vz.conf

Also, QUOTAUGIDLIMIT needs to be set for the VPS in /etc/sysconfig/vz-scripts/CT_ID.conf (PS: CT_ID is the container ID of the VPS)

2. You should have initialized the quota via WHM.

If you continue to face problems even after applying both fixes, re-initializing quota might help, as per http://wiki.openvz.org/Cpanel_quotas. Here is the excerpt:

WHM/Cpanel, a popular commercial web-based control panel for Linux, has a tendency to overwrite the special quota files in the VE context. I am referring to:

lrwxr-xr-x 1 root root 39 Jun 8 17:27 aquota.group -> /proc/vz/vzaquota/00000073/aquota.group
lrwxr-xr-x 1 root root 38 Jun 8 17:27 aquota.user -> /proc/vz/vzaquota/00000073/aquota.user

The result of these being overwritten will be WHM showing “unlimited” quota reports for all users in the system. A quick solution to this is to run these commands from within the VE as root:

rm -rf /aquota.user 2>/dev/null
rm -rf /aquota.group 2>/dev/null
unlink /aquota.user 2>/dev/null
unlink /aquota.group 2>/dev/null
for x in `find /proc/vz/vzaquota/ | tail -2 `; do ln -s $x / ; done

The journaled quota support warning didn't get resolved even after this. Yet to check for the core reason for the same.

Adaptec RAID Monitoring via Nagios

Monitoring servers with RAID controllers is made easy through Nagios and other monitoring systems. Today it's quite easy to get an app installed on your mobile and configure it to display critical errors from Nagios so you can act on them quickly. When you're in charge of infrastructure, monitoring RAID becomes very critical. While digging around for simple ways to monitor Adaptec cards, a tiny little script turned up on Nagios Exchange: check-aacraid.py by Anchor Systems.

This script works with the Storage Manager – arcconf installed to manage RAID Cards.

Here is an excerpt from Nagios Exchange on check-aacraid script configuration for quick reference:

Check the health of an Adaptec raid controller using /usr/StorMan/arcconf

Checks the following:
Logical device status
Controller status
Failed & Degraded drives

If battery present:
Charging status
Est of charge time left
Charge left %

And removes the log file “UcliEvt.log” that is dropped into the CWD when /usr/StorMan/arcconf is run.

Add this to your “/etc/sudoers” file using visudo
"nagios ALL=(root) NOPASSWD: /usr/StorMan/arcconf GETCONFIG 1 *"

## On RHEL & possibly others ##
Disable “Defaults requiretty” in /etc/sudoers otherwise the command will not run via NRPE.

Add this to your checkcommands.cfg

define command {
command_name check_aacraid
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_aacraid
}

Add this to your servicedefs.cfg

define service {
use low-service-level
name aacraid-service
service_description aacraid
check_command check_aacraid
register 0
notification_interval 3600
}

Add the service

define service {
use aacraid-service
host_name host-with-crap-adaptec-crud
contact_groups upset-admin
}

And on the host you will be checking add this to nrpe.cfg
command[check_aacraid]=/usr/local/sbin/check-aacraid.py

Fix CSF blocking Google bots

If you install CSF on your server along with mod_security, you might see it blocking Googlebot for some specific rules. You may not want to remove some of the rules from the configuration just to allow Google bots.

Here is what you should be doing to make Google Bots crawl through your sites again.

Just add the following rules to mod_security configuration file and restart apache.

# GoogleBot by user-agent…
SecRule HTTP_USER_AGENT "Google" nolog,allow
SecRule HTTP_USER_AGENT "Googlebot" nolog,allow
SecRule HTTP_USER_AGENT "GoogleBot" nolog,allow
SecRule HTTP_USER_AGENT "googlebot" nolog,allow
SecRule HTTP_USER_AGENT "Googlebot-Image" nolog,allow
##
SecRule HTTP_USER_AGENT "AdsBot-Google" nolog,allow
SecRule HTTP_USER_AGENT "Googlebot-Image/1.0" nolog,allow
SecRule HTTP_USER_AGENT "Googlebot/2.1" nolog,allow
SecRule HTTP_USER_AGENT "Googlebot/Test" nolog,allow
SecRule HTTP_USER_AGENT "Mediapartners-Google/2.1" nolog,allow
SecRule HTTP_USER_AGENT "Mediapartners-Google*" nolog,allow
SecRule HTTP_USER_AGENT "msnbot" nolog,allow

Enjoy!
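The rules above match only the User-Agent header, which the client chooses, so the allow action applies to any request carrying one of these strings. As an added example (not from the original post), this Python check confirms a claimed Google crawler by reverse and forward DNS before it is exempted; the function names, suffix list and sample records are assumptions made for illustration.

```python
import socket

# Assumption: reverse-DNS suffixes for Google crawlers; adjust to current guidance.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

def _reverse(ip):
    """PTR lookup: hostname for ip, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def _forward(host):
    """A lookup: set of IPv4 addresses for host (IPv4 only)."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()

def is_verified_googlebot(ip, reverse=_reverse, forward=_forward):
    """True only if ip reverse-resolves into a Google crawler domain
    and that hostname forward-resolves back to the same ip."""
    host = reverse(ip)
    if not host:
        return False
    host = host.rstrip(".").lower()
    if not host.endswith(GOOGLE_SUFFIXES):
        return False
    return ip in forward(host)

def should_bypass_waf(user_agent, ip, reverse=_reverse, forward=_forward):
    """Bypass only when the UA claims Google and DNS confirms the source IP."""
    claims_google = "google" in user_agent.lower()
    return claims_google and is_verified_googlebot(ip, reverse, forward)

# Constructed sample records (documentation IP ranges) so the demo runs offline.
SAMPLE_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
              "198.51.100.7": "crawl.googlebot.com.attacker.example",
              "203.0.113.5": "crawl-spoof.googlebot.com"}
SAMPLE_A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
            "crawl-spoof.googlebot.com": {"192.0.2.99"}}

def demo():
    fwd = lambda h: SAMPLE_A.get(h, set())
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    return [should_bypass_waf(ua, ip, SAMPLE_PTR.get, fwd) for ip in sorted(SAMPLE_PTR)]

if __name__ == "__main__":
    print(demo())
```

Only the first sample address passes: the second has a look-alike hostname outside Google's domains, and the third has a PTR record that its forward lookup does not confirm.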
