DirectAdmin/CustomBuild: Removal of suPHP, mod_ruid2, mod_php, MySQL 5.5/5.6, MariaDB 5.5/10.0/10.1/10.2

[mart.maiste]

DirectAdmin intends to remove support of some outdated software:

* suPHP - (EOL 2013) - DA support will be dropped on 2023-01-01
* mod_ruid2 - (compatible with CentOS 7 only) - DA support will be dropped on 2023-01-01
* mod_php - DA support will be dropped on 2023-01-01
* MySQL 5.5, 5.6 - (EOL 2018-2021) - DA support will be dropped on 2023-04-01
* MariaDB 5.5, 10.0, 10.1, 10.2 (EOL 2020-2022) - DA support will be dropped on 2023-04-01

We anticipate this will affect only a minority of customers. With the next release of DirectAdmin, we will begin to send notifications through the DA Message System if any of these components are used.

We also invite feedback on other software that is not actively developed any more: webalizer and SquirrelMail, for example. Is anyone relying heavily on them? If convenience measures were provided, such as import functionality of SquirrelMail contacts to RoundCube, would this be seen as a good way to drop support for outdated software?

Are there any other components you see as outdated? Would you like to have a replacement for them?

While php-fpm allows to keep php files non-readable for others, the mod_ruid2 did the same for static files. Without mod_ruid2 all static web files should be readable for apache or are there any alternatives to keep them private?

 

[Richard G]

Without mod_ruid2 all static web files should be readable for apache or are there any alternatives to keep them private?

Why do you think so? With mod_ruid2 it was just that it took are with mod_php that php files were executed as the owner and not as apache.
With php-fpm it's a different process, but the effective use is still user:user and not user:apache.
As far as I know you can't read static files with php-fpm either.

 

[ccto]

Can we suppress "send notifications through the DA Message System" ?

Any configuration can be done via directadmin.conf ?

Thank you.

 

[mart.maiste]

Why do you think so? With mod_ruid2 it was just that it took are with mod_php that php files were executed as the owner and not as apache.
With php-fpm it's a different process, but the effective use is still user:user and not user:apache.
As far as I know you can't read static files with php-fpm either.

In my setup php-fpm handles php files and mod_ruid2 all other. With mod_ruid2 disabled Apache refuses to read and serve non-php files owned by user:user -rw-rw----
Sure, php files with same permissions are read and executed but the question is about static files.

 

[Richard G]

In my setup php-fpm handles php files and mod_ruid2 all other.

But mod_ruid2 shouldn't be combined with php-fpm anyway.
What kind of non-php files exactly with user:user -rw-rw---- are you using then which apache refuses to read? Can you give an example? So I can test?

 

[sparek]

I think the decision to drop support of mod_ruid2 has more to do with the death of the mod_ruid2 project. As far as I know, there's been no movement on the mod_ruid2 project in several years.

mod_ruid2 works by running the entire VirtualHost within the (defined) user's userspace. So even with mod_php, PHP files are executed as that user. Additionally raw text files, including HTML files, are read by that user. This means you could effectively chown user:user file.html and chmod 600 file.html and the file would still be viewable in a web browser because Apache would be reading everything in that VirtualHost as the user user.

With php-fpm, PHP is piped through a socket that is owned by the defined within the php-fpm's socket configuration. This means that PHP files (or whatever is attributed to that php-fpm socket) will execute as that user. This is why you can chown user:user file.php and chmod 600 file.php and the file will still show in a web browser. But HTML files that are chown user:user file.html and chmod 600 file.html will not display because the files are being read as the Apache user and there's not significant privileges (600) for other users to read the file. In this scenario, HTML and raw files would need to be chmod 644 file.html so that the read bit in other's spot can read the file (technically 604 would work).

While there's not really a way to prevent other users on the server from being able to also read these files with the other bit set to read - the argument for such kind of falls apart. If you have a raw file, like file.html in your public_html folder then all someone has to do is visit yourwebsite.com/file.html and it will be visible.

PHP files, especially ones that contain login information, should exist on your account with permissions of 600 to prevent other users from being able to read the file. And since PHP is executed as your user, the web server will still be able to read it.

 

[Richard G]

PHP files, especially ones that contain login information, should exist on your account with permissions of 600 to prevent other users from being able to read the file.

This is confusing to me.
If this is correct, then why do various scripts amongst which Wordpress and forums, have their config file like wp-config.php just 644. They contain login information too but they can't be read. But maybe the .htaccess is doing that.

On the other hand....using chmod 600 on such fill won't make any difference because php files with chmod 600 can also be read, at least I tested this with a normal php file, copied it to another filename and used chmod 600 on it. And it still got displayed in the browser without any problem.

Which is why I was curious as to why mod_ruid2 would be needed (with an example) in php-fpm with non-php files, especially because it's advised to disable mod_ruid2 when using php-fpm.

 

[sparek]

This is confusing to me.
If this is correct, then why do various scripts amongst which Wordpress and forums, have their config file like wp-config.php just 644.

Ultimately you'd have to ask them. Probably because of the fact that the script developers really can't know what kind of PHP environment the user is going to be using. 644 is a more open permission. 644 will work in a mod_php, mod_ruid2, php-fpm, suphp, phpsuexec environment - effectively every environment. Is it the best solution? Probably not. But at some point the security of your site becomes your responsibility and not the script developer's.

On the other hand....using chmod 600 on such fill won't make any difference because php files with chmod 600 can also be read, at least I tested this with a normal php file, copied it to another filename and used chmod 600 on it. And it still got displayed in the browser without any problem.

The PHP output is displayed in the browser, but the PHP code is not.

Create a file - file.php with:

<?php $login = "root"; $password = "thecakeisalie"; ?> HELLO WOLRD! ?>

Then chmod 600 file.php - When you visit the file in a browser, what is shown? Are you able to see the login and password information?

Log into the server as another user via shell and try to read the file - cat /home/user/public_html/file.php - can you read it?

That is what what chmod 600 file.php in a PHP-FPM environment (or any PHP environment that executes PHP as the user) will give you. In a mod_ruid2 environment the WHOLE VirtualHost is run as the user, so EVERY file could be set to 600 (or 400 for just the user read bit) and it would still operate.

Way back when - when the whole "symlink protection" was a thing - malicious users on a server (or an account that had been compromised) would create symlinks from another account on the server to the current account: ln -s /home/user/public_html/file.php /home/myuser/public_html/file.txt - which would allow the user to visit myuser's website - myuser.com/file.txt - to read the contents of /home/user/public_html/file.php. But if you properly understood the Linux filesystem permissions, then this didn't affect you. If /home/user/public_html/file.php is owned by user:user and has a permission of 600, then only user can read or write to that file - myuser doesn't have any permission to read it.

This is why any PHP file that contains database login information, such as wp-config.php - and IF you are operating in an environment where PHP files are executed as the user of that web hosting account, whether that be php-fpm, suphp, phpsuexec or at the Apache level with mod_ruid2, then they should be set to permissions of 600, to prevent other or world users on the server from being able to read the file.

Effectively, the whole symlink protection thing took advantage of people's misunderstanding or not understanding the role that file permissions have in Linux.

 

[Richard G]

Are you able to see the login and password information?

No, but that prooves my point, it isn't shown either if I use 644 on that file.

Yes indeed mod_ruid works differently. It's some years ago that I used mod_php with mod_ruid so I don't remember everything, to used to php-fpm now.

I remember the symlink and open basedir issues from the past. We even managed to read databases from other accounts on the same server, those were the real insecure times.

then they should be set to permissions of 600, to prevent other or world users on the server from being able to read the file.

Yes on insecure servers or if you don't know how secure they are. However, this is mostly not done anymore nowadays. And not only with WP but also with forum software like phpBB, Xenforo, IPB, and also other scripts.
Previously, several years ago, there was this check and the scripts warned users to please chmod certain files and directory's to resp. 600 and 700 or something similar, but you hardly see those check pages anymore.

Ofcourse I agree with you that security of ones site is mostly ones own responsibility.

However still it has always been advised to disable mod_ruid when starting to use php-fpm.
At CP I read:

You would be unable to use both http2 and mod_ruid2 together since they are incompatible.

So we are running http2, which would mean we can't run mod_ruid2 anyway anymore.

 

[mart.maiste]

But mod_ruid2 shouldn't be combined with php-fpm anyway.
What kind of non-php files exactly with user:user -rw-rw---- are you using then which apache refuses to read? Can you give an example? So I can test?

If you have a Wordpress install under public_html and remove privileges for "others": chmod o-rwx -R public_html then without mod_ruid2 you get Forbidden error in browser and error log says that you lack privileges for public_html/.htaccess file. Also all the static files/images are not accessible for the same reason.
There are arguments that web files are public anyway but this is not true for private websites that are protected with basic auth or other means. Small Nextcloud instance would be one example. Not that I would recommend hosting any private files in shared hosting server.
For me it just seems more secure when users cannot see each other files.
Meanwhile I can see from other posts and replies that even if the mod_ruid2 is actually useful there is no way to keep it included and there is no alternative either.

 

[Richard G]

Also all the static files/images are not accessible for the same reason.

I understand if you want to chmod certain files. I don't know why you should change the public_html folder privileges.
As you can see, on normal use even with chmod 600 the .htaccess can be used by the webserver, as can the image files, because php-fpm is reading them, not apache.

Directadmin is not intended for small private sites but for shared hosting although it can be used for anything, but changing the permissions of the public_html folder is doing some very special customizing.
I also have some private files online, which are protected by both .htaccess with ip and/or password limitations in them and also by the open basedir and symlink protection. So that should not be a such a big issue.
Also the downside is that you can't use http2, and using multiple php versions can give issues too.
So there might be some downside on a few sites like yours by not using mod_ruid2, but it also has it's benefits to go over to php-fpm. Be sure I also waited several years before going over from mod_ruid2 to php-fpm.

Mod_ruid2 is still update by an external party, the Raven repository. I see also cPanel still has it present. So maybe it can be used that way if DA keeps at their decision to remove it.

 

[CrazyFrog]

Oh damn! We use mod_php and I only received the email from my DA now since setting up a new server for testing purposes. We use mod_php as we combined it with mod_apparmor to confine the virtualhosts within their path, so we have some customized vhost templates, I guess it will be some work to change this.

Edit: I found https://docs.directadmin.com/webservices/php/general.html#how-to-switch-to-php-fpm and can start experimenting from that. But it will take some time to schedule the work for all servers.

What can I expect to happen in the meantime? mod_php seems still working now, at least my upgraded machine has not broken yet. Will DirectAdmin do auto-updates that could break my webserver at a random moment? If so, is it better if I hold off updating DA from a pre-2023 version on my production machines until I got the whole switch to PHP-FPM worked out? Or can I safely update now mod_php is still working on the current DA?

 

[iamthezio]

Okay, how do you tell if a site uses mod_php and how do you remove/replace? CLI responses also appreciated.

 

[Richard G]

how do you tell if a site uses mod_php

You check your options.conf in the custombuild directory if it contains mod_php or not. You should not use mod_php in combination with php-fpm anyway.
As for the change from mod-php to php-fpm... there are multiple threads about how that is done, also via CLI.

 

[iamthezio]

You check your options.conf in the custombuild directory if it contains mod_php or not. You should not use mod_php in combination with php-fpm anyway.
As for the change from mod-php to php-fpm... there are multiple threads about how that is done, also via CLI.

Thanks Richard, I cannot find any of those threads with explicit instructions.
I did do this on my Cento7 systems with PHP 7.4, and 8.0 used.

cd /usr/local/directadmin/custombuild
./build update
./build set php1_mode php-fpm
./build set mod_ruid2 no
./build set_php htscanner yes
./build mod_htscanner2
./build php n
./build rewrite_confs

But now Roundcube gives an Internal Error. Going to yum update, then ./build update one more time.

That worked, all good now. Thanks for the help.

 

[Richard G]

I cannot find any of those threads with explicit instructions.

Yes sometimes it's hard to find it. I often use google and then search and put directadmin.com behind it and then I find it easier than with the forum search function.

However, I forgot to mention that it's also in the docs and it seems you found that, because thats exactly how it should be done as you did.

Glad to hear everything is working again!

 

[turbo2ltr]

I love how this happened on the first and 17 days later was the first day I got a notice that a change was even happening. It coincided with the update from v1.644 to v1.645. You need to do better DA. Notification of a breaking change 17 days after it is due to happen is not acceptable.

I am on Centos7. I'm seeing:

mod_ruid2: 0.9.8
MySQL: 5.7.40
PHP (default): 7.4 as mod_php

So now I'm worried that my server will break at any moment. Guess i have some reading to do about php-fpm
I will try the steps @iamthezio outlined.

 

[Amoled]

So I didn't understand, mod_php and mod_ruid2 are already disabled in v1.646?
In general, I am extremely disappointed. On any web hosting 99% of sites use htaccess, and it is difficult to imagine the amount of work that will appear if necessary to redo thousands of sites in php-fpm configuration. I'm not even talking about the fact that so far 99% of all CMS supplies configurations only in htaccess format. This increases the load on technical support at times.

Tell us exactly when mod_php will be disabled so that we disable auto-update in advance and look for a DirectAdmin replacement.

 

[Ohm J]

@Amoled
Just enable "htscanner", you will happy with php-fpm.

 

[sparek]

On any web hosting 99% of sites use htaccess, and it is difficult to imagine the amount of work that will appear if necessary to redo thousands of sites in php-fpm configuration. I'm not even talking about the fact that so far 99% of all CMS supplies configurations only in htaccess format. This increases the load on technical support at times.

Leaving PHP controls to the .htaccess file or to end-user control can be a recipe for disaster.

For example, if you let your end users set PHP directives such as memory_limit without prejudice then this can lead to one account consuming all of the resources on the server. Imagine all end users just setting their PHP memory_limit to 50GB because some guide told them it would fix their problem.

This used to be a similar issue with mod_security. I remember countless script installation guides instructing users to disable mod_security in their .htaccess file because it interferes with the operation of the script. Then the rest of the account becomes vulnerable to all of the protections that would have been afforded with mod_security.

There has to be some forethought into the decisions that are made.