Category Archives: Patches

DNSSEC Zone Key Tool (ZKT) support for included files

DNSSEC Zone Key Tool is a powerful tool suite for managing DNSSEC zones. It automatically creates/deprecates keys, resigns the zone at fixed intervals and also resigns zones if they where modified.

Detection of modified zones is done by looking at the last-modified date of the files (zone.db, dnskeys.db and zone.db.signed) – if zone.db or dnskeys.db are newer than zone.db.signed a resign is necessary. However, zkt-tools do not support/check the last-modification date of included files (with the “$INCLUDE” directive). This patch adds support for this, so that all included files are also checked whether they were modified since the last signing of the zone.

Upstream report:,

AWStats on Debian: Incomplete statistics caused by logrotate

AWStats on Debian might generate incomplete statistics. The script is executed regularly (once every 10 minutes via cron /etc/cron.d/awstats; you should really consider changing this to a bigger interval) in order to update/calculate the statistics (stored in /var/lib/awstats).

I changed the cron-file so that this script is executed once a day. However, the default installation of AWStats only considers /var/log/apache2/access.log (or some other log file) and does not cope with logrotate. So, if logrotate runs /var/log/apache2/access.log is rotated to /var/log/apache2/access.log.1(.gz) and on the next run AWStats only considers the content of the new rotated file. This issue becomes bigger when you increate the interval – in the default setup you can only loose up 10 minutes.

I reported this to Debian (Debian bug #706491) and proposed a possible solution: Do not use the logfile e.g. /var/log/apache2/access.log in the AWStats config files (e.g. /etc/awstats/awstats.conf: LogFile entry) directly, but use a wrapper script.

My script can be used as follows: Do not use LogFile=”/var/log/apache2/access.log” in awstats.conf, but LogFile=” /var/log/apache2/access.log”. If called with exactly one parameter (the logfile) it uses both access.log.1(.gz) (if exists) and access.log. My script can also be executed with “all” as the second parameter, then all existing rotated access.log*-files are used (in the right order and unpacked automatically). This might be useful if you want to build all statistics from scratch or you have bigger intervals than logrotate intervals. If the second parameter is missing, you can also use the USELOGFILES environent variable. This might be handy if you want to change it’s value more easily w/o editing all awstats.*.conf-files.

Alternative way: Run AWStats as a post-rotate script in logrotate.

AWStats on Debian: Incomplete statistics on new month

When you install AWStats on Debian, is executed regularly (once every day via cron /etc/cron.d/awstats) in order to build static statistics pages for the current month (in /var/cache/awstats). However, (on my system) this script is executed every day @3:10am. So in each new month the statistics of the last day of the last month are incomplete. I reported this to Debian with a patch included (Debian bug #706487).

AWStats: GeoIP support for IPv6

AWStats is a widely used tool for creating website usage statistics. For gathering country stats you have two options in AWStats:

  • using reverse dns lookup on the IP addresses
  • use a Geo-IP database

Without the usage of plugins only IPv4 is supported. IPv6 support is only available with a plugin, however, only for performing reverse IPv6 lookups and not for the GeoIP plugin.

In order to fill this gap I created a patch (upstream report). This patch add a new plugin (geoip6) and adds support for GeoIP lookups for both IPv4 and IPv6.

If you want to use my patch you need the Maxmind Geo(Lite) Country IPv6 database (the IPv4 database seems to be included) and the Geo-IP perl package in version >= 1.40 (libgeo-ip-perl in Debian 6; 1.40 is available in Squeeze backports). DNSLookups should be disabled.

Update 2014-02-08: This patch was included into the official development branch.

Samba: Logging logins and logouts to MySQL database

I run samba 3 as the PDC on a network. I needed to log which users logged on and off on which machines in my network. Using the build in utmp = yes option was no option since UTMP was rotated using logrotate (so logouts were not always recorded correctly).

So I created a patch which enables Samba to log to a MySQL database. New configuration options are mysqlsessionlogging (boolean to enable logging), mysqlsessionloggingserver (MySQL server address), mysqlsessionloggingusername (MySQL username), mysqlsessionloggingpassword (MySQL password), mysqlsessionloggingport (MySQL port), mysqlsessionloggingdb (MySQL database) and mysqlsessionloggingtable (MySQL table; SQL statement to create the table is included in the patch).

Update 2013-05-02: I use the patch since 2009 (starting with samba 3.0) in a production environment.

mod_auth_pgsql: Support for salted md5 password hashes

Recently I created a patch against the Apache httpd authentication module mod_auth_pgsql 2.0.3 for adding support for salted md5 password hashes. In a scenario I wanted to authenticate users against the PostgreSQL user database. However, mod_auth_pgsql only could handle crypted, md5 and base64 encoded passwords. There was no support for salted MD5 passwords (username+password concatenated) like in pg_shadow-table.

Just apply the patch mod_auth_pgsql-pgsql-saltedmd5.patch and use
Auth_PG_encrypted ON
Auth_PG_hash_type MD5PGSQL

as new configuration parameters.

Update 2013-05-01: Patch accepted upstream.

sudo: pcre support for sudoers rules

In order to be more flexible in sudoer rules, I added pcre support to sudo (sudo-pcre.patch).

A pcre enabled sudo can e.g. use the following rules:
# only allow restart and status parameters for some initscripts
%operating ALL = /sbin/service (clamd|postfix|dhcpd|amavisd|postgrey) (restart|status)
# only allow to change password for usernames starting with a two numbers
%operating ALL = /usr/sbin/ [0-9][0-9][a-z-]+

Apache httpd ldap-auth: canonicalize usernames

I created a patch for Apache httpd for ldap-authentication (reported upstream as bug #646646). In my scenario I used

AuthLDAPRemoteUserAttribute uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN Off
AuthBasicProvider ldap

require ldap-group cn=Domain Admins,ou=Group, dc=DOMAIN,dc=de

We always used lowercased usernames in memberUid. Some users tended to enter their usernames with a leading uppercase char. Password authentication worked, however, memberUid (from posixGroup, which is also used by samba domain groups) is case sensitive – so group authorization failed.

In order to fix this issue I created a patch for Apache httpd which allows to configure that the username Apache httpd uses is replaced by the “AuthLDAPRemoteUserAttribute”-field value of the ldap-result. This also helps to canonicalize usernames (in logs and REQUEST_USER environ variable) in the way that always the same casing and also for (ldap-)aliases the same username is used.