[HOWTO] mod_ruid2

I don't think mod_ruid2 prevents dirs/files with 777 being loaded, others like suphp do that.

Also although I changed that 711 to 755 in the wiki, I just did some testing:

If I chmod public_html to 711, or even just 700: php files are still able to create files and dirs. Same works on subdirs. So I don't really think 755 is necessary anywhere for apache.

Also if I chmod a public_html 777 and create a file in there with 777, I still can't read it from another user. I suppose because the parent dirs don't allow execute for others.

Right now I'm not sure what the default should be.
 
Mmmh, some time ago I did have a customer complain about a server problem because a page wasn't loading, and the reason was his config.php file that was 777 (because the instructions say to chmod it that way, the customer just did...); restoring it to 644 made the site work again.

Never used suphp, so actually I thought it was mod_ruid2 acting to block that and prevent the problem...

That's why I suggested that :)

Regards
 
Heh!
I'm using CB1.2 with mod_ruid 0.9.7 (.so) .. updated DA to 1.43 two days ago and I wouldn't even have noticed I have a problem if I didn't keep up-to-date with this thread weekly :)
And here it is... all as Richard G described..

Shame I'm on an internal license so I can't use the fix right now, have to wait for DA 1.43.1, right.

A little offtopic question: any clues on switching CB1.2->CB2.0 now, does any how-to exist? Thanks in advance.
 
[..]A little offtopic question: any clues on switching CB1.2->CB2.0 now, does any how-to exist? Thanks in advance.

I have found this: http://forum.directadmin.com/showthread.php?t=45533&p=233025#post233025 It is reply #7 from smtalk, in the quoted text. I don't know if this is complete enough or not, maybe there is more that needs to be done. Currently I am running suPHP and custombuild 1.2. I am planning to upgrade to custombuild 2.0 in about 6 months and continue to use suPHP. Then, if everything works correctly in custombuild 2.0, I am planning to convert from suPHP to mod_ruid2 (custombuild version of ruid2). Hopefully someone will post a complete guide/how-to on converting from suPHP to ruid2 in custombuild 2.0 before the 6 months are up. :)
 
I just tested a CB 1.2 version with the prerelease binaries, without using solution #2 as given by DA support (so no copying the virtual_host2.conf and removing the if statement) and indeed everything is working fine now.
 
I just tested a CB 1.2 version with the prerelease binaries, without using solution #2 as given by DA support (so no copying the virtual_host2.conf and removing the if statement) and indeed everything is working fine now.

Thanks Richard,
I did the 2
2) or create custom templates.. and either remove the |*if HAVE_RUID2="1"| line completely (and the |*endif|)...
after your post :P ... and with no pre-binaries but on the DA 1.34... and as I can see it's working!
I thought there was more to it than just removing the IF statement in the template to fix this :P

Thanks, Ditto. I have a second VPS with the same config as you (suPHP and custombuild 1.2) and want CB2 with mod_ruid2 in the future.
On the other hand.. I've never done a DA install before, so running ./build on a working CB1.2 install looks like a rather 'reconfigure-all-from-beginning' process to me. But I want to be wrong :)
 
@Tootle: You're welcome. The solution #2 is the best way if it's not possible to use pre-release binaries or if one does not want to wait for 1.43.1 or upgrade to CB 2.0.
You can also upgrade to mod_ruid2 0.9.8 in the meantime.

You all are correct. It -is- still possible to use 777 on files or directories when using mod_ruid2, but this can cause "500 internal server error" problems. So if your customers complain about "internal server error", check if they have 777 directories.
Still, on Centovacast I need to set sc_serv and another binary to 777, even under mod_ruid2, because otherwise the setup won't go further. So not all scripts are as good as they should be.
After installation, reverting the files to 755 normally works.

I think I remember that on the Dutch forum it was said sometime, somewhere, that it was possible to configure mod_ruid2 or use another function to disallow 777 directories and files when using mod_ruid2. However, as said, I don't remember where and how.
Maybe Arieh knows or remembers something about that.
 
Yes, they will, but you will need to do one little thing more: change all folder/file permissions, or this will not work as it should.

Setting folders to 755 and files to 644 (two easy commands from post #1) will let everything work as it should.

Regarding the new sites, yes, they will work directly; old sites, if they have 777 files and/or folders, should produce errors because mod_ruid2 will prevent them from being loaded.

Hope I've been clear; if not, feel free to contact me via e-mail or msn/skype for live assistance if needed.
 
Very clear, Andrea. The thread was getting a bit confusing and I want to build some new servers over the weekend. Do you know, when I restore old sites from an admin reseller backup, if they'll be restored with the right permissions?

Thanks.

And for everyone else, I would never leave permissions as 777. Can you say 'world writable' :)

Jeff
 
I suppose they will be restored with the permissions they had during backup. I'm not sure if any script is called to fix those on restore; to be sure, you would need to check the permissions inside public_html once restored, or just rewrite them all using the commands in the first post to be certain that everything is fine.

Regards
 
Thanks, Andrea. I'm thinking you're probably right, and I'll check the next time I move sites between servers.

Jeff
 
Ok, updated mod_ruid.so to 0.9.8, great.
Everything looks like it's working:
PHP:
<?php print exec('whoami'); ?>
displays the current user correctly, creating files (correct owner) and so on is OK, but what about $ ps aux? htop shows only user apache

Code:
apache   23918  0.0  1.2  44024 19240 ?        S    21:48   0:00 /usr/sbin/httpd -k start -DSSL
apache   23919  0.0  0.9  40344 15704 ?        S    21:48   0:00 /usr/sbin/httpd -k start -DSSL
...
expecting something different in user column, right?

Second question: Why is mod_ruid2 supposed to work even if it is only loaded (LoadModule ruid2_module /usr/lib/apache/mod_ruid2.so in httpd.conf) but NO RUidGid, RGroups directives are present anywhere.. according to the manual there are no default RUid/Gid
Somebody asked here http://forum.directadmin.com/showthread.php?t=41785&p=211040#post211040 (no answer)
Code:
RMode config|stat (default is config)
 RUidGid user|#uid group|#gid - when RMode is config, set to this uid and gid

 RMinUidGid user|#uid group|#gid - when uid/gid is < than min uid/gid set to default uid/gid
 RDefaultUidGid user|#uid group|#gid

 RGroups group1 group2 - aditional groups set via setgroups
 @none - clear all previous defined groups.

 RDocumentChrRoot - Set chroot directory and the document root inside
 
expecting something different in user column, right?
No, as you can see from your httpd.conf apache still runs as user apache:access. So it's normal to see apache in ps aux.

Second question: Why is mod_ruid2 supposed to work even if it is only loaded (LoadModule ruid2_module /usr/lib/apache/mod_ruid2.so in httpd.conf)
That is because DA checks whether the module is loaded. If yes, it puts the mod_ruid container in the user's httpd.conf in /usr/local/directadmin/data/username/httpd.conf.
However, there is a chance that not everything is working as designed then. In the thread you mentioned there is now also an answer which refers to that.
 
By the way....
Code:
<?php print exec('whoami'); ?>
If I were you, I would think about securing php if possible; I get a white screen when using this. :)

Because this is my php.ini disable_functions line:
Code:
exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,virtual
Normally this works great. Some scripts like Centovacast and Castcontrol don't like this.
 
It may be possible that if you don't define a RUidGid anywhere, mod_ruid2 will function in stat mode and will run under the user the file belongs to.

Also, if you run ps aux you indeed see apache most of the time; it's because of the way mod_ruid2 works: it swaps the uids of those processes. Most of the time it goes very quickly, so you won't see it. If you have a heavy script, a child would stay with a user longer and you would notice it.
 
@Richard G - thanks, yes, that's important but I have the functions already secured via php.ini disable_functions and suhosin.executor.func.blacklist but allowed for a while to do the test 'if-mod_ruid-is-working' :D

@Arieh - yep, that would be the answers. I simply thought I'll try to achieve some kind of 'per-user-like-usage' infos (with DSO and mod_ruid2) and maybe do some scripting in the future to improve my little shared env :p

Much appreciated.
Thanks guys.
 
Hi,

I have followed the guide and successfully installed mod_ruid2 on my server.

But now all of my websites cannot be loaded, and the error log file is growing massively; the main error is:

[error] [client x.x.x.x] PHP Warning: readdir() expects parameter 1 to be resource, , boolean given in /home/xxx/domains/xxx.com/public_html/libraries/joomla/filesystem/folder.php on line 424

Please help me :(

Thank you very much !
 
Are you running Directadmin 1.43? And which guide did you follow?

Probably you forgot to copy the virtual_host2.conf files due to the bug in DA 1.43.

I think the fastest way to fix this is to do the installation again and follow this guide:
http://wiki.amservers.nl/Mod_ruid2
and then use solution number 2 in this post:
http://forum.directadmin.com/showthread.php?t=37467&page=25&p=235715#post235715
to fix the 1.43 problem or install the DA pre-release binaries before you start implementing mod_ruid2.
 
Are you running Directadmin 1.43? And which guide did you follow?

Probably you forgot to copy the virtual_host2.conf files due to the bug in DA 1.43.

I think the fastest way to fix this is to do the installation again and follow this guide:
http://wiki.amservers.nl/Mod_ruid2
and then use solution number 2 in this post:
http://forum.directadmin.com/showthread.php?t=37467&page=25&p=235715#post235715
to fix the 1.43 problem or install the DA pre-release binaries before you start implementing mod_ruid2.

Dear Richard

Thank you for your reply. Yes I'm running DirectAdmin 1.43

I have followed the guide in the first post, and http://wiki.amservers.nl/Mod_ruid2

Then I used solution number 2 in post http://forum.directadmin.com/showthread.php?t=37467&page=25&p=235715#post235715

Now the error has gone away, and there is also a notice that mod_ruid2 is enabled when starting up the httpd service.

But the permissions seem not to have changed: when I uploaded an image via the Joomla administration, its GID is still apache, and UID is 503.

Did I miss something?

Thank you very much !
 
I am about to install a new server. I want to use custombuild 2.0 and php cli with mod_ruid2.

Question: In custombuild 2.0, does custombuild do all the needed configuration of mod_ruid2 when I do ./build mod_ruid2?

Or do I need to manually configure settings in mod_ruid2 myself?

Please note, I only want to run ONE version of php, it will be php 5.4.
 
LocNguyen said:
But the permissions seem not to have changed: when I uploaded an image via the Joomla administration, its GID is still apache, and UID is 503.

Did I miss something?
If you have followed the guide on wiki.amservers.nl you should not have missed anything. However, in that case uploaded images should not have apache and UID503.
Did you think of converting the existing accounts like this?
Code:
cd /usr/local/directadmin/scripts && ./set_permissions.sh user_homes
find /home/*/domains/*/public_html -type d -print0 | xargs -0 chmod 755
find /home/*/domains/*/public_html -type f -print0 | xargs -0 chmod 644
find /home/*/domains/*/public_html -type f -name '*.cgi*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pl*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pm*' -exec chmod 755 {} \;
cd /usr/local/directadmin/data/users && for i in `ls`; do { chown -R $i:$i /home/$i/domains/*/public_html;}; done;
And after you copied the virtual_host2.conf files and removed the 2 lines mentioned, did you run this?
Code:
echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue

If yes, check the owner and permissions of your public_html and the rest of your joomla installation. Nothing should be made 777 anymore. Also check /usr/local/directadmin/data/users/username/httpd.conf for the user of the Joomla installation, to see if the mod_ruid lines are in that httpd.conf.
It should contain these lines:
Code:
        <IfModule mod_ruid2.c>
                RMode config
                RUidGid username username
                RGroups apache access
        </IfModule>
If not present, you forgot something somewhere.
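
Added example (not part of the original posts, and not DirectAdmin's own tooling): a small shell audit for the two checks described in the post above, namely leftover 777 (world-writable) files or directories under public_html and the presence of the mod_ruid2 block in the user's httpd.conf. The function names and the argument layout are assumptions of this example; the httpd.conf path in the usage comment is the one quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread: audit one account after the conversion.
# Function names and the argument layout are assumptions of this example.

# Print files and directories that are world-writable (the 777 cases).
list_world_writable() {    # $1 = public_html directory
    find "$1" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null
}

# Succeed only if the user's httpd.conf has, inside an
# <IfModule mod_ruid2.c> block, "RMode config" and "RUidGid user user".
check_ruid2_conf() {       # $1 = user httpd.conf, $2 = username
    awk -v u="$2" '
        $1 == "<IfModule" && $2 == "mod_ruid2.c>" { inblk = 1; next }
        $1 == "</IfModule>"                        { inblk = 0 }
        inblk && $1 == "RMode"   && $2 == "config"     { mode = 1 }
        inblk && $1 == "RUidGid" && $2 == u && $3 == u { ids = 1 }
        END { exit !(mode && ids) }
    ' "$1"
}

# Report both findings; return 0 when the account is clean, 1 otherwise.
audit_account() {          # $1 = public_html, $2 = username, $3 = httpd.conf
    bad=0
    ww=$(list_world_writable "$1")
    if [ -n "$ww" ]; then
        printf 'world-writable under %s:\n%s\n' "$1" "$ww"
        bad=1
    fi
    if ! check_ruid2_conf "$3" "$2"; then
        printf 'no mod_ruid2 block for %s in %s\n' "$2" "$3"
        bad=1
    fi
    return "$bad"
}

# Usage: sh audit.sh /home/USER/domains/DOMAIN/public_html USER \
#            /usr/local/directadmin/data/users/USER/httpd.conf
if [ "$#" -eq 3 ]; then
    audit_account "$@"
fi
```

The script only reads and reports; fixing what it finds is still done with the chmod/chown commands and the task.queue rewrite quoted above.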
 