
Thread: [HOWTO] mod_ruid2

  1. #1
    Join Date
    Jan 2008
    Location
    /dev/null
    Posts
    702

    [HOWTO] mod_ruid2

    Hello everyone,

    Since there are a lot of people asking for it, here is my HowTo about mod_ruid2.
    This is based on my CentOS server with Apache 2.x.

    With this module installed, it's no longer needed to chmod config files to 666 or upload/attachments directories to 777, since with this module enabled everything @ HTTP will run under the user itself and not 'apache' anymore.

    ** If you are using mod_ruid instead of mod_ruid2, first of all remove the mod_ruid line from '/etc/httpd/conf/httpd.conf'

    First, we are going to install libcap-devel
    Code:
    yum -y install libcap-devel
    After this is done we are going to download and install mod_ruid2
    Code:
    wget -O mod_ruid2-0.9.7.tar.bz2 "http://downloads.sourceforge.net/project/mod-ruid/mod_ruid2/mod_ruid2-0.9.7.tar.bz2?r=&ts=1335638772&use_mirror=kent"
    tar xjf mod_ruid2-0.9.7.tar.bz2
    cd mod_ruid2-0.9.7
    apxs -a -i -l cap -c mod_ruid2.c
    Now, if you didn't get any errors, mod_ruid2 should be installed and added to '/etc/httpd/conf/httpd.conf'.
    Let's confirm mod_ruid2 is added
    Code:
    grep 'mod_ruid2' /etc/httpd/conf/httpd.conf
    If you get a response like the one below, it's installed
    Code:
    LoadModule ruid2_module /usr/lib/apache/mod_ruid2.so
    Now we need to modify the DA httpd.conf templates a little bit to enable mod_ruid2 for the users

    Now copy the template files to custom
    Code:
    cd /usr/local/directadmin/data/templates/
    cp virtual_host2* custom/
    chown -R diradmin:diradmin custom/
    Now you have copied the original templates to the 'custom' directory, so they won't be overwritten.
    Code:
    cd /usr/local/directadmin/data/templates/custom/
    Now follow the steps below for each virtual_host2 file you've copied
    Code:
    nano -w virtual_host2.conf
    ## replace line: SuexecUserGroup |USER| |GROUP|
    ## replace with: #SuexecUserGroup |USER| |GROUP|
    ## Add the lines below under the just replaced line
    RMode config
    RUidGid |USER| |GROUP|
    RGroups apache
    Save the files and let's rewrite the HTTPd config files
    Code:
    echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue
    If you want, you can start the rewrite of the HTTPd config files manually; just paste the line below and wait until it's done
    Code:
    /usr/local/directadmin/dataskq d800
    After the rewrite is complete you can restart HTTPd with the command below
    Code:
    /etc/init.d/httpd restart
    Now mod_ruid2 should be installed and you don't need to chmod anymore like 'chmod 666 config.php' or 'chmod 777 uploads'.

    To be sure the webmail clients etc. still work we need to change the owner permissions
    Code:
    chown -R webapps:webapps /var/www/html
    Edit by NoBaloney; see posts 324 and 325, page 17 of this thread:
    And last you need to modify httpd-directories.conf
    Code:
    nano -w /etc/httpd/conf/extra/httpd-directories.conf
    Add the RUidGid line below between the <Directory "/var/www/html"> and </Directory>
    Code:
    <Directory "/var/www/html">
        Options -Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
       <IfModule mod_suphp.c>
            suPHP_Engine On
            suPHP_UserGroup webapps webapps
            SetEnv PHP_INI_SCAN_DIR
       </IfModule>
       RUidGid webapps webapps
    </Directory>
    * Thanks to Arieh for this change.
    End edit by NoBaloney

    ** Questions with Answers **
    -------------------------------------------------------
    Q: How can I test this is working?
    A: Easy, install some CMS that you have used before, like WordPress or Joomla, that required (before!!) chmod 666 or 777 to get installed/working.

    Q: I've dirs/files owned by apache for some users, must I change this?
    A: Yes, you need to make the user itself the owner of the dirs/files, not apache anymore. Check below
    Thanks to snk for the commands below, to fix the owner permissions of the dirs/files
    Code:
    cd /usr/local/directadmin/scripts && ./set_permissions.sh user_homes
    find /home/*/domains/*/public_html -type d -print0 | xargs -0 chmod 711
    find /home/*/domains/*/public_html -type f -print0 | xargs -0 chmod 644
    find /home/*/domains/*/public_html -type f -name '*.cgi*' -exec chmod 755 {} \;
    find /home/*/domains/*/public_html -type f -name '*.pl*' -exec chmod 755 {} \;
    find /home/*/domains/*/public_html -type f -name '*.pm*' -exec chmod 755 {} \;
    cd /usr/local/directadmin/data/users && for i in *; do chown -R "$i:$i" /home/"$i"/domains/*/public_html; done
    * Added '&&' so if they do a typo, it won't change anything.


    If you are missing a question, or you have a question, please let me know and I'll try to answer it for you!
    Last edited by smtalk; 10-28-2012 at 01:00 PM. Reason: Updated mod_ruid2 version to 0.9.7 to support Apache 2.4.
    Why most people reboot the server when they have a problem
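
Added example, not part of the original posts: a read-only audit for the chmod and ownership points in the HOWTO above. It lists anything under a document root that is still world-writable (the old 666/777 workaround) or still owned by the old web-server account; the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# audit_docroot DIR LEGACY_OWNER  (hypothetical helper, read-only)
# Prints one finding per line:
#   WORLD_WRITABLE <path>  other-write bit set (left over from chmod 666/777)
#   LEGACY_OWNER <path>    still owned by LEGACY_OWNER (e.g. apache)
audit_docroot() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -perm -0002 matches every mode that includes write for "other";
    # symlinks are skipped because their own mode bits are meaningless.
    find "$dir" ! -type l -perm -0002 -print | sed 's/^/WORLD_WRITABLE /'
    # find aborts on an unknown user name, so only search if the account exists.
    if id "$owner" >/dev/null 2>&1; then
        find "$dir" -user "$owner" -print | sed 's/^/LEGACY_OWNER /'
    fi
}

# make_demo_tree: build a constructed sample docroot and print its path.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/uploads"
    : > "$t/config.php"
    : > "$t/index.php"
    chmod 777 "$t/uploads"      # the old "chmod 777 uploads" workaround
    chmod 666 "$t/config.php"   # the old "chmod 666 config.php" workaround
    chmod 644 "$t/index.php"
    printf '%s\n' "$t"
}

# Demo on the constructed tree. On a live server (as root) the call would be:
#   for d in /home/*/domains/*/public_html; do audit_docroot "$d" apache; done
demo=$(make_demo_tree)
audit_docroot "$demo" apache
rm -rf "$demo"
```

Run it before and after the ownership fix-up commands; an empty result means no 666/777 leftovers and nothing still owned by the legacy account.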

  2. #2
    Join Date
    Dec 2007
    Posts
    102
    Hi.
    Thanks for the How-to.

    For those who use Debian:
    Code:
    aptitude install libcap2-dev
    Q: I've dirs/files owned by apache for some users, must I change this?
    A: Yes, you need to give the dirs/files owner of the user itself, not apache anymore.
    If you allow, I will add this part to your how-to:
    Code:
    cd /usr/local/directadmin/scripts && ./set_permissions.sh user_homes
    find /home/*/domains/*/public_html -type d -print0 | xargs -0 chmod 711
    find /home/*/domains/*/public_html -type f -print0 | xargs -0 chmod 644
    cd /usr/local/directadmin/data/users && for i in *; do chown -R "$i:$i" /home/"$i"/domains/*/public_html; done
    It will reset the owner of directories/files to the users.
    Last edited by snk; 08-26-2010 at 07:55 PM.

  3. #3
    Join Date
    Jan 2008
    Location
    /dev/null
    Posts
    702
    Thanks snk for adding this, I've also added it to my post with thanks to you!
    If someone has any questions, just ask here please!

  4. #4
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    Would someone please explain why one would use mod_ruid2 instead of suPHP?

    Thanks.

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

  5. #5
    Join Date
    Jan 2008
    Location
    /dev/null
    Posts
    702
    Quote Originally Posted by jlasman View Post
    Would someone please explain why one would use mod_ruid2 instead of suPHP?
    What I know about it is that people can set their own PHP settings etc. to overrule it. With mod_ruid that is not possible.

  6. #6
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    Can you explain in more detail what people can override with suPHP that they cannot override using mod_ruid, and how?

    Jeff

  7. #7
    Join Date
    May 2008
    Location
    The Netherlands
    Posts
    1,158
    As I understand it, the main reason to go for ruid is speed. Another benefit may be that the whole vhost is running under its own user, instead of only php (I think).

    It uses posix 1003.1e capabilities, so it can switch uids of child processes. This way, it doesn't need to create and kill new child processes the whole time, which is the case with suphp (and mod_suid).

    What mod_ruid (and mod_suid) say in their READMEs is the following security issue:

    there are some security issues, for instance if attacker successfully exploits the httpd process, he can set effective capabilities and setuid to root. i recommend to use some security patch in kernel (grsec), or something..
    A howto and additional information on rsbac would be very appreciated!
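
Added example, not part of the original posts or of mod_ruid2: the README warning quoted above concerns the capabilities an httpd worker holds, and those can be read from the CapPrm/CapEff masks in /proc/<pid>/status. This decodes the two uid/gid-switching bits (CAP_SETUID = 7, CAP_SETGID = 6 in linux/capability.h); the status text is a constructed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of /proc/<pid>/status for one httpd worker (not real output).
SAMPLE_STATUS='Name:   httpd
Uid:    48      48      48      48
CapInh: 0000000000000000
CapPrm: 00000000000000c0
CapEff: 0000000000000000'

# Bit numbers from <linux/capability.h>.
CAP_SETGID=6
CAP_SETUID=7

# status_field FIELD: print the value of FIELD from status text on stdin.
status_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# mask_has_cap HEXMASK BIT: succeed if that capability bit is set in the mask.
mask_has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# report_uid_caps: read status text on stdin and print, for the permitted and
# effective sets, which uid/gid-switching capabilities the process holds.
report_uid_caps() {
    status=$(cat)
    for field in CapPrm CapEff; do
        mask=$(printf '%s\n' "$status" | status_field "$field")
        [ -n "$mask" ] || continue
        held=""
        mask_has_cap "$mask" "$CAP_SETUID" && held="$held CAP_SETUID"
        mask_has_cap "$mask" "$CAP_SETGID" && held="$held CAP_SETGID"
        printf '%s:%s\n' "$field" "${held:- none}"
    done
}

# On a live host (assumes the workers are named httpd):
#   for p in $(pgrep httpd); do report_uid_caps < "/proc/$p/status"; done
printf '%s\n' "$SAMPLE_STATUS" | report_uid_caps
```

A capability listed under CapPrm but not CapEff is not active at that moment, but the process can raise it again without any further privilege, which is the exposure the README describes.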

  8. #8
    Join Date
    Aug 2005
    Posts
    94
    Does anyone know if mod_ruid2 is compatible with FreeBSD 7.X?

    On the older mod_ruid site the author states:

    -it runs only on linux because afaik only linux has implemented posix 1003.1e capabilities
    FreeBSD is "POSIX-compliant" so I would presume only minor issues might crop up. Any ideas?

  9. #9
    Join Date
    Jan 2008
    Location
    /dev/null
    Posts
    702
    Quote Originally Posted by Vibe View Post
    Does anyone know if mod_ruid2 is compatible with FreeBSD 7.X?
    You could try it on a test server with FreeBSD 7.x?
    We don't have any BSD systems so I can't test it for you.

  10. #10
    Join Date
    Aug 2005
    Posts
    94
    That's exactly what I need to do. I have been anxiously looking for a solution like this that doesn't utilize a lot of resources. I'll keep my fingers crossed and post back with my results.

    Thanks much daveyw for the detailed how-to, it is greatly appreciated.

  11. #11
    Join Date
    Apr 2007
    Posts
    16
    Quote Originally Posted by jlasman View Post
    Would someone please explain why one would use mod_ruid2 instead of suPHP?

    Thanks.

    Jeff
    The big advantage over suphp when using mod_ruid is that you can still use any accelerator like memcache, php accelerator etc etc.

    And one can just use 1 php.ini for all sites.

  12. #12
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    Quote Originally Posted by jimmy1987 View Post
    And one can just use 1 php.ini for all sites.
    Is that an advantage? Or a disadvantage?

    Jeff

  13. #13
    Join Date
    Feb 2006
    Posts
    296

    Problem with PHP 4 installed as cgi

    I've found that mod_ruid isn't compatible with php4 installed as CGI (and php installed as mod_php)

    Does anybody have the same problem?

  14. #14
    Join Date
    Nov 2009
    Posts
    31
    Could somebody let me know why I still have some processes owned by apache?

    apache 11568 5877 1 12:10 ? 00:00:01 /usr/sbin/httpd -k start -DSSL
    apache 11782 5877 1 12:10 ? 00:00:01 /usr/sbin/httpd -k start -DSSL
    apache 11949 5877 0 12:11 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 11954 5877 0 12:11 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 11960 5877 0 12:11 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 13394 5877 0 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 13404 5877 2 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 13414 5877 0 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 13415 5877 0 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 13416 5877 0 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 13417 5877 0 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL

    The rest of the processes are under the user.

  15. #15
    Join Date
    Jan 2008
    Location
    /dev/null
    Posts
    702
    Quote Originally Posted by mjokiel View Post
    Could somebody let me know why I still have some processes owned by apache?

    apache 11568 5877 1 12:10 ? 00:00:01 /usr/sbin/httpd -k start -DSSL
    apache 11782 5877 1 12:10 ? 00:00:01 /usr/sbin/httpd -k start -DSSL

    rest of the processes are under the user.
    That's because not everything running on the server is from the users. You also have http://hostname/webmail etc.

  16. #16
    Join Date
    May 2008
    Location
    The Netherlands
    Posts
    1,158
    In my experience that is also how it works: there is a certain number of children, and when a request comes in from a website, a child's user gets swapped with that website's request. A second later, when the request is finished, it swaps back to apache, waiting for another request.

    So if you monitor processes at an interval of a few seconds you don't see all users showing up, though there are requests. But if there's a high load from one or more children, it probably means that a user's website is causing it, so the request takes long - and you do see the user causing it - so you know where to look.

  17. #17
    Join Date
    Nov 2009
    Posts
    31
    But as you can see below there is a process under root user:

    root 15367 1 0 12:14 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 7813 15367 1 12:31 ? 00:00:01 /usr/sbin/httpd -k start -DSSL
    apache 9251 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 9281 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 9290 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 9291 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 9302 15367 1 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 9309 15367 1 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 9311 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 9321 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 9331 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
    apache 9332 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL

    and this process is a parent process and the others are child processes of the pid 15367.

  18. #18
    Join Date
    May 2008
    Location
    The Netherlands
    Posts
    1,158
    Yes, apache runs as root, and it creates children with the user apache (and in the case of ruid, that user gets swapped).

  19. #19
    Join Date
    Nov 2009
    Posts
    31
    I also read about some security issue; unfortunately I am using OpenVZ and the OpenVZ kernel is not working with grsecurity as well.

    Do you know some ways of protection?

  20. #20
    Join Date
    May 2008
    Location
    The Netherlands
    Posts
    1,158
    Afraid I do not. My kernel was patched with grsecurity, before I used ruid I later found out. I'm not sure if a "standard patch" is enough though. Maybe someone else knows.
