You can also use the 'Custom HTTPd' option in DirectAdmin controlpanel for the admin.@skaag
if you use mod_php + mod_ruid2
you should use .htaccess to change php variable per user
You can also use the 'Custom HTTPd' option in DirectAdmin controlpanel for the admin.@skaag
if you use mod_php + mod_ruid2
you should use .htaccess to change php variable per user
<Directory "/var/www/html">
RUidGid webapps webapps
<Directory "/var/www/html">
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
<IfModule mod_suphp.c>
suPHP_Engine On
suPHP_UserGroup webapps webapps
SetEnv PHP_INI_SCAN_DIR
</IfModule>
RUidGid webapps webapps
</Directory>
Just found this out. For the webapps to run under webapps under the domain.tld/roundcube you need to add in /etc/httpd/conf/httpd.conf
In the
Code:<Directory "/var/www/html">
Code:RUidGid webapps webapps
so you have it like this
Code:<Directory "/var/www/html"> Options -Indexes FollowSymLinks AllowOverride All Order allow,deny Allow from all <IfModule mod_suphp.c> suPHP_Engine On suPHP_UserGroup webapps webapps SetEnv PHP_INI_SCAN_DIR </IfModule> RUidGid webapps webapps </Directory>
Makes sense, as you can see this was already done for suPHP.
>cat /etc/httpd/conf/httpd.conf | grep User
User apache
>cat /etc/httpd/conf/httpd.conf | grep Group
Group apache
>cat /etc/httpd/conf/httpd.conf | grep ruid
LoadModule ruid2_module /usr/lib/apache/mod_ruid2.so
As I read, only exploit to SSL module can lead to root access, but still it can be abused. Anyhow, I'd like to see that as an option!Hello,
Having the ability to run php with CLI (more efficient than suPhp), but running as the User has clear advantages (write permissions) and also lets the secure_access_group option make home directories be more secure (without needing open_basedir, but keep it on). The only catch is the fact that apache would be running as root (don't quote me on this, I'd need to do some homework), but if there are any exploits in apache, ssl or a module, that would be a wide open door for full access to your box. I'm sure that they've taken as many security precautions as they can, but that fact still worries me slightly. (again, I'll have to read up on it to see if this worry is substantiated). If not, then we can look into it for a new project as a custombuild install option.
John
there are some security issues, for instance if attacker successfully exploits the httpd process,
he can set effective capabilities and setuid to root. i recommend to use some security patch in kernel (grsec),
or something..
I've read that, but I'm not sure how that is so different from the current situation?"...The only catch is the fact that apache would be running as root...if there are any exploits in apache, ssl or a module, that would be a wide open door for full access to your box.
I agree. I like it that suEXEC covers CGI/SSI files, but for the other files, neither the current CLI nor suEXEC method covers those. Currently, we need to coordinate two incompatible security matrixes. And how difficult, is it to detect which user web applications are running on a site, and know where to check for improperly secured security/configuration/data files? With mod_ruid, security would be far more straightforward. That itself is a big security advantage. Not having to deal with two incompatible security matrixes also enables technologies such as WebDAV, and more."...running as the User has clear advantages (write permissions) and also lets the secure_access_group option make home directories be more secure
I agree wholeheartedly. Even if you could be sure there would never be a module vulnerability, with thousands of directories, how could one possibly manage security, or locate the source of an exploit? open_basedir clearly documents where access is possible.,,,(without needing open_basedir, but keep it on)
I noticed during my Googling that mod_ruid appears to be an option with Plesk/Parallels. That might be a good place to learn how they handle these issues.For those who don't understand the extra security risk by using this mod...It would be comforting if someone knew about this issue and whether its a true risk, and if theres something you can do about it. I've made an attempt to find it out as I pointed out in my previous post, but there has been nobody saying something about it, unfortunately.
From the README:With the intended use only normal users will get swapped. But because scripts are executed; php/cgi - theres a problem. These scripts can hijack/access the uid swapping stuff because of mod_ruid2. So with an evil script, and not secured, you can swap to root.
One cannot determine from that if the risks greater or less than suEXEC, which is a wrapper that does the same thing. One would THINK there would be little point in developing mod_ruid2 if it were easy to exploit, which is why the odds are that it would be worth the time to investigate. One might even counter by saying that logically mod_ruid2 might be less susceptible to exploit because it has the potential to run earlier because the file extension is not a consideration, and also because the file extension type is not a consideration. One might conclude from these two factors that it would be logical that mod_ruid2 would have a smaller attack surface.there are some security issues, for instance if attacker successfully exploits the httpd process, he can set effective capabilities and setuid to root. i recommend to use some security patch in kernel (grsec),
If there is an exploit, they'd be in, running as apache. If there is an exploit with mod_ruid2, they'll be running as root... and there isn't much to slow that case down.I've read that, but I'm not sure how that is so different from the current situation?
Démarrage de httpd :Syntax error on line 39 of /usr/local/directadmin/data/users/admin/httpd.conf:
Invalid command 'php_admin_flag', perhaps misspelled or defined by a module not included in the server configuration
./build rewrite_confs
Démarrage de httpd :Syntax error on line 29 of /usr/local/directadmin/data/users/admin/httpd.conf:
Invalid command 'RMode', perhaps misspelled or defined by a module not included in the server configuration
cd /root/mod_ruid2-0.9.3
apxs -a -i -l cap -c mod_ruid2.c
# yum install libc-client-devel.x86_64
# ln -s /usr/lib64/libc-client.a /usr/lib/libc-client.a
make clean your install php and compile php with these options in your configure options of php
--with-imap=/usr/lib64/
--with-imap-ssl
if you have an error
# yum install pam-devel
and retry