[HOWTO] mod_ruid2

daveyw

Verified User
Joined
Jan 5, 2008
Messages
702
Location
/dev/null
Hello everyone,

Since there are alot of people asking for it, here is my HowTo about mod_ruid2
This is based on my CentOS server with Apache 2.x.

Installing this module its no longer needed to chmod config files to 666 or upload/attachments directories to 777. Since with this module enabled everything @ HTTP will run under the user itself and not 'apache' anymore.

** If you are using mod_ruid instead of mod_ruid2, first of all remove the mod_ruid line from '/etc/httpd/conf/httpd.conf'

First, we are going to install libcap-devel
yum -y install libcap-devel
After this is done we are going to download and install mod_ruid2
wget -O mod_ruid2-0.9.7.tar.bz2 "http://downloads.sourceforge.net/project/mod-ruid/mod_ruid2/mod_ruid2-0.9.7.tar.bz2?r=&ts=1335638772&use_mirror=kent"
tar xjf mod_ruid2-0.9.7.tar.bz2
cd mod_ruid2-0.9.7
apxs -a -i -l cap -c mod_ruid2.c
Now, if you didn't get any errors mod_ruid2 should be installed and added to the '/etc/httpd/conf/httpd.conf'.
Lets confirm mod_ruid2 is added
grep 'mod_ruid2' /etc/httpd/conf/httpd.conf
If you get any response like below its installed
LoadModule ruid2_module /usr/lib/apache/mod_ruid2.so
Now we need to modify the DA httpd.conf templates a little bit to enable mod_ruid2 for the users

Now copy the template files to custom
cd /usr/local/directadmin/data/templates/
cp virtual_host2* custom/
chown -R diradmin:diradmin custom/
Now you have copied the original templates to the 'custom' directory, so they won't be overwritten.
Code:
cd /usr/local/directadmin/data/templates/custom/
Now follow the steps below for each virtual_host2 file you've copied
nano -w virtual_host2.conf
## replace line: SuexecUserGroup |USER| |GROUP|
## replace with: #SuexecUserGroup |USER| |GROUP|
## Add the lines below under the just replaced line
RMode config
RUidGid |USER| |GROUP|
RGroups apache
Save the files and lets rewrite the HTTPd config files
echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue
If you want you can start the rewrite of the HTTPd config files manually, just paste the line below and wait when its done
/usr/local/directadmin/dataskq d800
After the rewrite is complete you can restart HTTPd with the command below
/etc/init.d/httpd restart
Now mod_ruid2 should be installed and you don't need to chmod anymore like 'chmod 666 config.php' or 'chmod 777 uploads'.

To be sure the webmail clients etc still works we need to change the owner permissions
chown -R webapps:webapps /var/www/html
Edit by NoBaloney; see posts 324 and 325, page 17 of this thread:
And last you need to modify httpd-directories.conf
Code:
nano -w /etc/httpd/conf/extra/httpd-directories.conf
Add the RUidGid line below between the <Directory "/var/www/html"> and </Directory>
Code:
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
   <IfModule mod_suphp.c>
        suPHP_Engine On
        suPHP_UserGroup webapps webapps
        SetEnv PHP_INI_SCAN_DIR
   </IfModule>
   RUidGid webapps webapps
</Directory>
* Thanks to Arieh for this change.
End edit by NoBaloney

** Questions with Answers **
-------------------------------------------------------
Q: How can I test this is working?
A: Easy, install some CMS that you are used before. Like Wordpress, Joomla that required (before!!) chmod 666 or 777 to get install/working.

Q: I've dirs/files owned by apache for some users, must I change this?
A: Yes, you need to give the dirs/files owner of the user itself, not apache anymore. Check below
Thanks for snk for the commands below, to fix the owner permissions of the dirs/files
cd /usr/local/directadmin/scripts && ./set_permissions.sh user_homes
find /home/*/domains/*/public_html -type d -print0 | xargs -0 chmod 711
find /home/*/domains/*/public_html -type f -print0 | xargs -0 chmod 644
find /home/*/domains/*/public_html -type f -name '*.cgi*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pl*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pm*' -exec chmod 755 {} \;
cd /usr/local/directadmin/data/users && for i in `ls`; do { chown -R $i:$i /home/$i/domains/*/public_html;}; done;
* Added '&&' so if they do a typo, it won't change anything.


You are missing a question, or you have a question, please let me know and I'll try to answer them for you! :D
 
Last edited by a moderator:

snk

Verified User
Joined
Dec 19, 2007
Messages
102
Hi.
Thanks for How-to.

For those who use Debian:
Code:
aptitude install libcap2-dev
Q: I've dirs/files owned by apache for some users, must I change this?
A: Yes, you need to give the dirs/files owner of the user itself, not apache anymore.
if you allow i will add to your how-to this part:
Code:
cd /usr/local/directadmin/scripts ; ./set_permissions.sh user_homes
find /home/*/domains/*/public_html -type d -print0 | xargs -0 chmod 711
find /home/*/domains/*/public_html -type f -print0 | xargs -0 chmod 644
cd /usr/local/directadmin/data/users
for i in `ls`; do { chown -R $i:$i /home/$i/domains/*/public_html;}; done;
It will reset owner of directory/files to users.
 
Last edited:

daveyw

Verified User
Joined
Jan 5, 2008
Messages
702
Location
/dev/null
Thanks snk for adding this, i've added it also to my post with thanks to you!
If someone has any questions, just ask here please!
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Would someone please explain why one would use mod_ruid2 instead of suPHP?

Thanks.

Jeff
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Can you explain in more detail what people can override with suPHP that they cannot override using mod_ruid, and how?

Jeff
 

Arieh

Verified User
Joined
May 27, 2008
Messages
1,199
Location
The Netherlands
As I understand it, the main reason to go for ruid is speed. An other benefit may be that the whole vhost is running under its own user, instead of only php (I think).

It uses posix 1003.1e capabilities, so it can switch uids of child processes. This way, it doesn't need to create and kill new child processes the whole time, which is the case with suphp (and mod_suid).

What mod_ruid (and mod_suid) say in their READMEs is the following security issue:

there are some security issues, for instance if attacker successfully exploits the httpd process, he can set effective capabilities and setuid to root. i recommend to use some security patch in kernel (grsec), or something..
A howto and additional information on rsbac would be very appreciated! :)
 

Vibe

Verified User
Joined
Aug 3, 2005
Messages
111
Does anyone know if mod_ruid2 is compatible with FreeBSD 7.X?

On the older mod_ruid site the author states:

-it runs only on linux because afaik only linux has implemented posix 1003.1e capabilities
FreeBSD is "POSIX-compliant" so I would presume only minor issues might crop up. Any ideas?
 

Vibe

Verified User
Joined
Aug 3, 2005
Messages
111
That's exactly what I need to do :). I have been anxiously looking for a solution like this that doesn't utilize a lot of resources. I'll keep my fingers crossed and post back with my results.

Thanks much daveyw for the detailed how-to, it is greatly appreciated.
 

jimmy1987

Verified User
Joined
Apr 29, 2007
Messages
16
Would someone please explain why one would use mod_ruid2 instead of suPHP?

Thanks.

Jeff
The big advantage over suphp when using mod_ruid is that you can still use any accelerator like memcache, php accelerator etc etc.

And one can just use 1 php.ini for all sites.
 

massive

Verified User
Joined
Feb 16, 2006
Messages
299
Problem with PHP 4 installed as cgi

I 've found that mod_ruid isn't compatible with php4 installed as CGI (and php installed as mod_php)

Anybody who have the same problem?
 

mjokiel

Verified User
Joined
Nov 18, 2009
Messages
31
Could somebody let me know why i have still some processes owned by apache?

apache 11568 5877 1 12:10 ? 00:00:01 /usr/sbin/httpd -k start -DSSL
apache 11782 5877 1 12:10 ? 00:00:01 /usr/sbin/httpd -k start -DSSL
apache 11949 5877 0 12:11 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 11954 5877 0 12:11 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 11960 5877 0 12:11 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 13394 5877 0 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 13404 5877 2 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 13414 5877 0 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 13415 5877 0 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 13416 5877 0 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 13417 5877 0 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL

rest of the processes are under the user.
 

daveyw

Verified User
Joined
Jan 5, 2008
Messages
702
Location
/dev/null
Could somebody let me know why i have still some processes owned by apache?

apache 11568 5877 1 12:10 ? 00:00:01 /usr/sbin/httpd -k start -DSSL
apache 11782 5877 1 12:10 ? 00:00:01 /usr/sbin/httpd -k start -DSSL

rest of the processes are under the user.
That's because not everything running at the server is from the users. You got also http://hostname/webmail etc
 

Arieh

Verified User
Joined
May 27, 2008
Messages
1,199
Location
The Netherlands
In my experience it is also how it works, there is a certain number of childs, and when there comes a request from a website a childs user gets swapped with that websites request. A second later when the request is finished, it swaps back to apache waiting for another request.

So if you monitor processes with a few seconds interval you don't see all users showing up though there are requests. But if theres a high load from one or more childs, it probably means that a users website is causing it, so the request takes long - and you do see the user causing it - so you know where to look.
 

mjokiel

Verified User
Joined
Nov 18, 2009
Messages
31
But as you can see below there is a process under root user:

root 15367 1 0 12:14 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 7813 15367 1 12:31 ? 00:00:01 /usr/sbin/httpd -k start -DSSL
apache 9251 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9281 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9290 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9291 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9302 15367 1 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9309 15367 1 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9311 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9321 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9331 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9332 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL

and this process is a parent process and other are child processes of the pid 15367.
 

Arieh

Verified User
Joined
May 27, 2008
Messages
1,199
Location
The Netherlands
Yes, apache runs as root, and it creates childs with the user apache (and with the case of ruid, that user gets swapped).
 

mjokiel

Verified User
Joined
Nov 18, 2009
Messages
31
I read also about some security issue, unfortunetly i am using Openvz and openvz kernel is not working with grsecurity as well.

Do you know some ways of protection?
 

Arieh

Verified User
Joined
May 27, 2008
Messages
1,199
Location
The Netherlands
Afraid I do not. My kernel was patched with grsecurity, before I used ruid I later found out. I'm not sure if a "standard patch" is enough though. Maybe someone else knows.
 
Top