
#4519 invisible uneditable vhost created by apache mod

1.720
closed-fixed
nobody
None
5
2015-02-04
2014-12-11
kurczaq
No

Hi

Another bug in the Apache module: somehow my client managed to create a vhost that was invisible to him - he always got an error when creating the vhost and retried and retried, but the vhost was added to the list (visible to root only, invisible to the unprivileged user). I had to delete all 9 vhost entries from the Webmin root account and then recreated it as the unprivileged user - now it worked. Here are the log entries (domain anonymized):

Created server www.mydomain.org     Apache Webserver    webadmin    vps.xxxx.com    11/Dec/2014     00:56
Deleted 9 virtual servers   Apache Webserver    root    vps.xxxx.com    11/Dec/2014     00:55
Created server www.mydomain.org:*   Apache Webserver    webadmin    dslb-178-007-043-097.178.007.pools.vodafone-ip.de   10/Dec/2014     21:59
Created server www.mydomain.org:*   Apache Webserver    webadmin    dslb-178-007-043-097.178.007.pools.vodafone-ip.de   10/Dec/2014     21:58
Reconfigured server www.mydomain.org    Apache Webserver    webadmin    dslb-178-007-043-097.178.007.pools.vodafone-ip.de   10/Dec/2014     21:57
Created server www.mydomain.org:*   Apache Webserver    webadmin    dslb-178-007-043-097.178.007.pools.vodafone-ip.de   10/Dec/2014     21:49
Created server www.mydomain.org:*   Apache Webserver    webadmin    dslb-178-007-043-097.178.007.pools.vodafone-ip.de   10/Dec/2014     21:48
Applied changes     Apache Webserver    webadmin    dslb-178-007-043-097.178.007.pools.vodafone-ip.de   10/Dec/2014     21:47
Created server www.mydomain.org:*   Apache Webserver    webadmin    dslb-178-007-043-097.178.007.pools.vodafone-ip.de   10/Dec/2014     21:47
Reconfigured server www.mydomain.org    Apache Webserver    webadmin    dslb-178-007-043-097.178.007.pools.vodafone-ip.de   10/Dec/2014     20:37
Created server www.mydomain.org:*   Apache Webserver    webadmin    dslb-178-007-043-097.178.007.pools.vodafone-ip.de   10/Dec/2014     20:35
Created server www.mydomain.org:*   Apache Webserver    webadmin    dslb-178-007-043-097.178.007.pools.vodafone-ip.de   10/Dec/2014     20:33
Deleted server www.mydomain.org     Apache Webserver    webadmin    dslb-178-007-043-097.178.007.pools.vodafone-ip.de   10/Dec/2014     20:30

Discussion

  • kurczaq

    kurczaq - 2014-12-11

    the only issue I can spot in the logs is that the client deleted "www.mydomain.org" and recreated it as "www.mydomain.org:*" - however I have no clue what option settings were used when he created it.

     
  • kurczaq

    kurczaq - 2014-12-11

    I also see another issue: when the user does not specify the server name and uses "automatic", this does not create any usable virtual host; instead it creates a :* vhost (with no name - so what is automatic here??? e.g. it should be derived from the document root name?).

     
  • kurczaq

    kurczaq - 2014-12-11

    the raw log data that probably generated the problem in the first place reads as:

     Raw log data
    Parameter name      Parameter value   
    sid     ef25d8b469692434625c3b09dff8e667
    object  www.mydomain.org:*
    script  create_virt.cgi
    ip  dslb-178-007-043-097.178.007.pools.vodafone-ip.de
    time    1418240019
    user    webadmin
    action  virt
    type    create
    id  1418240019.7026.0
    module  apache
    port_mode   1
    name    www.mydomain.org
    file    
    fmode   1
    port    
    name_def    0
    adddir  1
    clone   
    listen  1
    root    /sites/www.mydomain.org
    addr_def    2
    addr
    
     
  • Jamie Cameron

    Jamie Cameron - 2014-12-11

    Do you happen to know what error the client got? The issue may have been that Virtualmin crashed part way through the virtualhost creation process.

     
  • kurczaq

    kurczaq - 2014-12-11

    I do not remember anymore, because I was logged in as root when the client complained and I saw he had created the virtual host 8x (so 8 equal vhost entries were visible to root). Then I logged in as the client user and looked at it, and there was no such virtual host visible to him at all (which is why he was trying over and over) - so I tried myself once again and it said something like "cannot create virtual host..." but I do not remember exactly, because I was like "wtf, omg..." so I quickly logged out and logged back in as root to delete all these 9 vhosts (1 was my retry) to make the client happy. Then I recreated the vhost as the client user and it worked normally.
    I have only the webmin log entries but they are not conclusive.

     
  • kurczaq

    kurczaq - 2014-12-11

    so to my understanding it added some vhost data somewhere but did not add the permission for the client to ever see the vhost in his list - so something exit()ed or crashed between adding some vhost data and adding the vhost name to the client's permitted vhost list - right?

     
  • kurczaq

    kurczaq - 2014-12-11

    what about logging the error when something fails? The logs for apache mod are non-conclusive (there was error but log shows nothing?)

     
  • kurczaq

    kurczaq - 2014-12-11

    the only thing I can reproduce right now is when user creates a vhost without giving manually "server name" and uses "automatic" - it creates an invisible vhost (visible only for root), but no error message is shown.

     
  • kurczaq

    kurczaq - 2014-12-11

    it reads then in the log:

    Logged out of Webmin    None    webadmin    vps.xxxx.com    11/Dec/2014     18:39
    Created server *    Apache Webserver    webadmin    vps.xxxx.com    11/Dec/2014     18:39
    Created server *    Apache Webserver    webadmin    vps.xxxx.com    11/Dec/2014     18:36
    
     
  • kurczaq

    kurczaq - 2014-12-11

    it might be related? (invisible vhost).
    I could not spot any suspicious stuff when I was testing that as root before passing it to client that has a limited user login.

     

    Last edit: kurczaq 2014-12-11
  • Jamie Cameron

    Jamie Cameron - 2014-12-11

    Ok, I think I see the issue - if no server name is given, there is no way to identify the virtual host for access control purposes. I think the real fix here is to require that non-root users enter a server name.
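
An audit for the two conditions this ticket describes, as an added example that is not Webmin code or part of the original thread: it scans Apache configuration text for `<VirtualHost>` blocks with no `ServerName` (which a name-based per-user access list cannot identify) and for repeated identical entries. The sample configuration, function names and hostnames are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample config (not from the ticket): one named vhost, one
# created without a ServerName, and one entry that was created twice.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName www.example.org
</VirtualHost>
<VirtualHost *>
    DocumentRoot /sites/www.example.net
</VirtualHost>
<VirtualHost *>
    ServerName www.example.net
</VirtualHost>
<VirtualHost *>
    ServerName www.example.net
</VirtualHost>
"""

OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]*)>", re.I)
CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I)

def parse_vhosts(conf_text):
    """Return one dict {line, addr, name} per <VirtualHost> block."""
    vhosts, cur = [], None
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = OPEN.match(line)
        if m:
            cur = {"line": lineno, "addr": m.group(1).strip(), "name": None}
        elif cur is not None and CLOSE.match(line):
            vhosts.append(cur)
            cur = None
        elif cur is not None:
            n = NAME.match(line)
            if n and cur["name"] is None:
                cur["name"] = n.group(1).lower()
    return vhosts

def audit(conf_text):
    """Return (nameless blocks, {(name, addr): count} for repeated entries)."""
    vhosts = parse_vhosts(conf_text)
    nameless = [v for v in vhosts if v["name"] is None]
    counts = Counter((v["name"], v["addr"]) for v in vhosts if v["name"])
    dups = {key: c for key, c in counts.items() if c > 1}
    return nameless, dups
```

Running `audit()` over the real configuration files as root lists the entries a delegated user may have created but cannot see or clean up.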

     
  • kurczaq

    kurczaq - 2014-12-11

    as I said, I cannot reproduce the first bug (9x vhost) as I do not know from the logs what the client did. I assume he forgot to give the server name or clicked some options other than the default in that vhost mask.
    I further assume from the log that the vhost was first visible (saved changes to vhost by client) and then became invisible somehow.... or does "saved changes" mean he clicked "apply changes" to Apache?

     
  • Jamie Cameron

    Jamie Cameron - 2014-12-12
    • status: open --> closed-fixed
     
  • Jamie Cameron

    Jamie Cameron - 2014-12-12

    Ok, this will be fixed in the next Webmin release.

     
