Fixing Apache on CentOS/RHEL 5 for Drupal


While not strictly a requirement, in the interests of not having crazy URLs on your Drupal site it's recommended to set up your web server to support .htaccess files. This will let you have URLs like "/products/cool/stuff" instead of "?q=products/cool/stuff" - obviously much nicer, and better for both usability and search engine optimization. Well unfortunately on Redhat Enterprise Linux 5 (RHEL) and CentOS 5 (which is basically the same as RHEL) the standard web server, Apache, is set to ignore these files. So here's how to fix it.

Whether you're configuring the virtual host in a separate file or in the main httpd.conf, the change you'll want to make is the same:

Step 1: enabling .htaccess files:

  • In the main httpd.conf file (should be at /etc/httpd/conf/httpd.conf) search for the string "AccessFileName",
  • If the line is commented out (it starts with "#") uncomment the line by removing the "#" symbol,
  • Update the line to say:
    • AccessFileName .htaccess
  • Restart Apache, reload the site and.. enjoy the error message :-)
  • On to the second part..

Step 2: allowing .htaccess files to override settings:

  • Find the VirtualHost configuration for the Drupal site,
  • There should be a <Directory> section within that block,
  • If there isn't a line that starts with AllowOverride, add a new one within the <Directory> block,
  • Set the AllowOverride line to the following:
    • AllowOverride Options Indexes Limit FileInfo
  • Restart Apache again.
  • Et voila.

This will allow the Drupal .htaccess file to run and make your URLs all nice & shiny!

Why I don't use Cygwin for SFTP


In the UNIXy (UNIX, BSD, Linux, OSX) world secure file transfers have been the norm for years, thanks in part to the standardization of SSH as the security protocol due to both its simplicity and power. Windows, on the other hand, has never featured security as a very important feature, evidenced by the ellaborate routes someone must take to handle SSL in IIS.

As a stop-gap measure many people have started to use the UNIX compatibility layer Cygwin, which is a wonderful system that lets you run and/or compile UNIX software on Windows. One of Cygwin's many available software packages is OpenSSH, the defacto standard SSH daemon in the UNIXy world, so by using Cygwin you can set up SSH for your Windows server. There's just one problem - it doesn't work well.

The problem with SSH, or indeed any UNIXy compatibility layer, on Windows is the age old problem that the traditional UNIXy file & directory security system is completely different to what Windows provides.

UNIX file security is based on setting the Read, Write and eXecute (thus RWX) status on any given file for both you (aka the User), anyone in your Group (or more specifically the file's assigned group) and the Other users on the computer (thus UGO). As an example, if your file is set to allow all three (UGO) to Read & Write to the file then anyone who has access to the machine can open & change the file. A common way to list these settings is in the form of octal values - Read is 4, Write is 2 and eXecute is 1, with the numbers added together for each user type, so the common setting of U=RWX,GO=RX becomes 755.

Windows file security is based on Access Control Lists (ACLs), which are basically lists of individual users and groups and their associated permissions. Rather than restricting you to only assigning permissions at three levels (UGO) you are completely open to decide what groups and users can do what to your files. This gives a great amount of flexibility as you can more easily mix 'n match security groups and group memberships. An example might be allowing both the Executive and IT groups could read a reports directory but only Accounting to modify files there.

As you can guess there's going to be issues trying to superimpose the UNIX UGO-style permissions on top of Windows' ACLs, and there are.

When you install Cygwin first it grabs a copy of the current users & groups settings from Active Directory (or your local computer, if you aren't in a domain) and saves them out as /etc/passwd and /etc/group in the standard UNIX format.

The first issue with this system is that every time the user groups and user accounts change you have to re-import the accounts settings. While, yes, you can create a cron event to automate this, the problem gets worse ...

The next issue is that it doesn't correctly handle the user's primary user group, mainly because Window's doesn't have such a thing, so instead it assigns all users to an invalid group. Now, on top of having to automate synchronizing with the Windows accounts system you have to work out how to put users into their proper groups so that their files are properly acessible.

There's another problem: when you log in through sftp any files uploaded have the file permissions set incorrectly. Thankfully there's a way of fixing this using a kludge to override the sftp defaults, but who likes kludges?

The problem gets worse with directories: all directories created are assigned the default usergroup listed, and coupled with the file permissions problem it leaves your directory structure so that only the original user can view files in the new directory. And no, there's no way to fix it using SFTP, you need to log in with a full shell session to run chown on the directory in question - not something you want your average non-technical designer doing on your production web server.

So, combine the four problems above and you end up with a really messy system that ultimate simply doesn't work cleanly.

It is for the above hassles that at work we've paid hard cash for Vandyke's VShell ssh server, which works wonderfully well by the way.

Vista sucks, let me count the ways


Microsoft's Windows Vista has become the most hated release of Windows yet - missing features (hardware accelerated GUI, database-based filing system, smart search engine, etc), irritating features (the security requesters), confusing number of editions (seven available in the USA, two more in Europe), confusing graphics system (DirectX 10.0, incompatible with the upcoming DX10.1, slower than DX9), and more.

The latest thorn in its side has been the controversy over network throttling when media is being played. The problem is that when Windows is playing audio, even if the player is paused, it limits the network speed to half what it should be. Just wonderful. You buy a multi-gigahertz machine with multiple gigs of ram, several hundred gigs of disk space, but yet playing music makes your network speed drop to half what it should be.

Needless to say this hasn't sat well with, well, anyone outside of Microsoft. While there haven't been any public floggings yet (aw!), Microsoft's uber guru Mark Russinovich replied saying (paraphrase) "well, the network uses a lot of CPU, so to make sure the audio plays we naturally had to throttle the network". 41% CPU usage for copying a file across the network!! ZOMGZ!!!1!

So, to set the record straight, Linux kernel hacker Robert Love responded with a wonderful reply that cut Mr Russinovich's reply to shreds, simply saying that Vista is poorly designed and that Linux doesn't suffer from the same stupid bugs. Thank you, Mr Love.

Linux (and every other well designed OS): (best French accent) douze points

Windows Vista: (best French accent) nil point

Subversion's one problem


I've used the document revision management system Subversion for a few years now and find it to be an excellent tool that has never given me any problems. Until this week, that is. I was helping to set it up on a web server that has Fedora Core 4 as its OS - we wanted to have a central code repository for the various projects we worked on and it was a logical step to place it there. Well, I started searching around for an installer for the latest Subversion release (v1.4.2) that was compatible with FC4 only to discover that there wasn't one! It seems that during the v1.4 development cycle they updated one of their code's dependencies (libapr) to a newer version than is compatible with FC4, you need to have FC5 or newer to be able to install it without any hickups. So, rather than asking the server's service provider to upgrade to a newer OS I'm going to see if there's a way to hack the code to make it install with the older version - wish me luck!


Subscribe to Linux