security – Page 2 – Capi's Corner

Vista UAC: Firefox (and other Mozilla apps) automatic updates

If you disable the automatic installer detection of User Account Control (UAC), for instance because it interferes with your every-day operations (like in my “Git and Windows Vista” article), you will notice that the Mozilla updaters don’t work as expected. Automatic updates will fail. This is due to the fact that the updater will not be automatically elevated any longer.

As the easiest workaround, you should perform the following steps:

Once you get notified about the update and you are asked if you want to install it, say “No”.
Close the Mozilla application in question.
Search for the application in your “Start” menu.
Right-click the entry and choose “Run as Administrator…”
Choose “Check for Updates…” in the “Help” menu
Confirm you want to install the update and walk through the update process.

The installation will now work. For security reasons you should close the application once installation is finished, because it will still be running with elevated privileges. Now start the application again normally.

The same principle works for any application that is not Vista-aware and fails on automatic update. For security reasons make sure you keep the time you run with elevated privileges as short as possible.

phpMyAdmin with mod_fcgid

I am currently migrating my server configuration away from mod_php towards mod_fcgid (the successor of mod_fastcgi), as this allows me to use different users for executing scripts in different directories. I use this to have every hosted virtual domain using its own system user. This should (in theory) prevent one buggy application to take over all other hosted domains as well.

I though faced one problem: I could not get phpMyAdmin working and this was a requirement of one of my clients. phpMyAdmin kept popping up the authentication dialog over and over again when using HTTP Basic Authentication.

After searching some time, I noticed that, when using PHP in CGI mode, the authentication data is not passed over to the script by default. A FAQ entry of phpMyAdmin brought the solution to this issue: a ReWrite Rule was needed for the directory containing phpMyAdmin:

RewriteEngine On RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]

Suddenly phpMyAdmin worked 😉

Out of /dev/random?

Ever happened to run out of random numbers?

Well, if you are using Apache together with mod_ssl you can easily run into the situation that after starting up Apache, requests to it will block up to several minutes or time out. This happenes, if Apache is configured to use /dev/random as a source for random numbers which are required in the initialisation of mod_ssl and similar, if you have to few entropy information left for the generation of more secure random numbers.
As suggested in a Gentoo Forums article, you can emerge the tool sys-apps/rng-tools, which provides you with rngd, a daemon collecting entropy from hardware random number generators and feeds /dev/random with this data.

If you happen (like me) to not having a hardware random number generator on your server’s mainbord, rngd will use /dev/urandom as a source of entropy and mix it with entropy collected from your system. While this will indeed result in a certain drop of “randomness” of /dev/random, it still has major advantages by reducing the startup time of apache to several seconds, as /dev/random will not block any more.

Don’t forget to add rngd to your server’s default runlevel (rc-update add rngd default).

Apache: Force SSL for a Directory Using .htaccess and mod_rewrite

To force SSL on a given directory using .htaccess, use the following code. It requires mod_rewrite enabled in Apache. Adjust the path in the RewriteRule to match the full qualified URL of the HTTPS-domain.

RewriteEngine On RewriteCond %{SERVER_PORT} !443 RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]