[HOWTO] mod_ruid2

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,114
Location
GMT +7.00
Would mod_ruid2 work with both PHP5.2 & PHP5.3 on the same DA installation?
Has anyone tried this?
A week ago or so, I did PHP5.3+mod_ruid2 and PHP5.2+mod_suPHP (both versions on one server), and a plugin to switch the versions, for one of my customers. If you want it, I can do it for you too.
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,792
Location
A Coruña, Spain
And were you able to use it for every user you want? Because the trouble I get is setting in suphp.conf the user (one, I suppose, can be specified) that will use suphp instead of cli.

Regards
 

zEitEr

Yes, I've found a solution (sorry, for some reasons I won't share it for free, at least for now). Every user can switch the versions of PHP in Directadmin.
 

SeLLeRoNe

NP, I really don't need it, because I had to use 5.2 with just one user, but I was curious to understand whether you had found a solution or I had misunderstood :)

Regards
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,759
Location
LT, EU
I will share it for free:
Code:
cd /usr/local/directadmin/custombuild
wget -O suphp-0.7.1.tar.gz http://files.directadmin.com/services/custombuild/suphp-0.7.1.tar.gz
tar xzf suphp-0.7.1.tar.gz
cd suphp-0.7.1
wget -O ./src/Application.cpp http://www.custombuild.eu/Application.cpp
../configure/suphp/configure.suphp
make
make install
Restart Apache now. CustomBuild 2.0 will probably have the ability to install mod_ruid2+PHP as CGI, but I cannot promise it to you.
 

zEitEr

@Martynas, good of you.

Hmm,

Code:
# diff Application.cpp Application.cpp-orig
171a172,176
>     if (api.getRealProcessUser() !=
>         api.getUserInfo(config.getWebserverUser())) {
>         throw SecurityException("Calling user is not webserver user!",
>                                 __FILE__, __LINE__);
>     }
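Review bot: the patched Application.cpp drops the caller check outright (the five `>` lines at 172-176 exist only in Application.cpp-orig), so at this point nothing restricts which real user may invoke the binary any more. Rather than deleting the `api.getRealProcessUser()` comparison, consider replacing it with a narrower rule that still rejects callers the setup never expects, and keep the `SecurityException` path for them. Posting the change as `diff -u Application.cpp-orig Application.cpp` would also make the removal read as a removal instead of an addition.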
I've never thought of it this way. My solution has nothing in common with modifying suPHP sources at all. Probably your solution is more effective and/or easier to implement, but I'm not sure. Did you do any speed tests? Isn't it too redundant to call suPHP from a mod_ruid-affected Apache process?
 

smtalk

So this will let suphp work with mod_ruid2 without the need to edit suphp.conf, as you noticed on my server some time ago?

Regards
Yes, it will. I'll probably modify the file more, but now it is as simple as possible and works well, of course :)
 

smtalk

PHP-CGI has never been as fast as mod_php, and this solution is the easiest one to implement with current configs, without making them complex. mod_ruid2 is very fast, so it doesn't affect the speed a lot.
 

SeLLeRoNe

Last question. Maybe it is useful for someone else as well.

Those commands have to be run after php-cgi has been installed, right? So it is a recompile when suphp has already been installed.

thanks
 

smtalk

You can run them anytime. It's just a matter of suPHP reinstallation. When I have time, I'll probably modify the suPHP script to make it more efficacious and not "reset" the owner of the process to the same one a second time. However, it always did that, so it needs to be considered whether we should modify the suPHP source more, implement our own solution or just disallow users installing a second instance of PHP with mod_ruid2.
 

zEitEr

Yes, I agree, that is the easiest one to implement with current configs. But what about security? Would it be much better to check a minimal UID, let's say 500 (taken from config)? How much easier does it make it to run PHP scripts under the superuser name without a UID check?

Of course, and it goes without saying, you might want to add a patch into the custombuild script (as a standard or an option), in case no issues come up.
 

smtalk

It does check if files are not owned by superuser. mod_ruid2 adds the first level of security. Also, suPHP_UserGroup is set in DA templates, so files cannot be owned by any other users.
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,759
Location
LT, EU
However, that would give users the ability to call the suPHP binary file. That might (or might not) be a security issue, and needs further analysis of the suPHP code (or just hardening of the suPHP binary).
 

Voland

Verified User
Joined
May 21, 2005
Messages
66
Hello Guys!

I have a problem with squirrelmail and the temporary link.
When I'm using

RUidGid webapps webapps

in /etc/httpd/conf/extra/httpd-vhosts.conf
everything in /var/www/html works fine
but IP/~username gives forbidden.

When using:

RMode config
RUidGid apache access
RGroups apache

temporary links work fine but Squirrelmail doesn't work, with a "cannot access default.prefs" error.

/var/www/html is chowned to: webapps webapps

Can anyone give a solution for both to work normally?
And please add the solution to the first post.
Thank you
 

pppplus

Verified User
Joined
Dec 19, 2008
Messages
518
With mod_ruid2, it seems to be impossible to use APC cache.
I read mod_ruid2 is like su-php, and APC cache does not work with APC cache.

Which cache do you use?
I try eaccelerator on another server (without mod_ruid2) but I have to disable openbasedir, and I can't do this on this server.

So, can you tell me which PHP cache you use?


To Voland: to use IP/~username, you have to change /home/username to 0711 instead of 0710
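
The 0710 versus 0711 point in the reply above, as an added example that is not part of any post in this thread: a shell function that applies the owner/group/other class selection to a directory's mode to tell whether a given uid and group list (for instance the ones named in `RUidGid`/`RGroups`) can traverse it. The ids in the demo are constructed, and the assumption that /home/username is a directory whose group the mod_ruid2 identity may or may not belong to is an assumption of this example, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread. Requires GNU stat (stat -c).
# can_traverse DIR UID "GID [GID...]"
# Returns 0 if that identity has search (x) permission on DIR, 1 if not.
can_traverse() {
    dir=$1; uid=$2; gids=$3
    info=$(stat -c '%a %u %g' "$dir") || return 2
    set -- $info
    perm=$((0$1 & 0777)); d_uid=$2; d_gid=$3
    # uid 0 bypasses directory search checks.
    if [ "$uid" -eq 0 ]; then return 0; fi
    # Exactly one permission class applies; the others are never consulted.
    if [ "$uid" -eq "$d_uid" ]; then
        bit=$(( (perm >> 6) & 1 ))          # owner class
    else
        in_group=0
        for g in $gids; do
            if [ "$g" -eq "$d_gid" ]; then in_group=1; fi
        done
        if [ "$in_group" -eq 1 ]; then
            bit=$(( (perm >> 3) & 1 ))      # group class
        else
            bit=$(( perm & 1 ))             # other class
        fi
    fi
    [ "$bit" -eq 1 ]
}

# Demo on a scratch directory standing in for /home/username.
demo() {
    d=$(mktemp -d) || return 1
    o=$(stat -c %u "$d"); gr=$(stat -c %g "$d")
    # Constructed ids: a uid that is not the owner, a gid that is not the group.
    other_uid=$((o + 1)); other_gid=$((gr + 1))
    for m in 0710 0711; do
        chmod "$m" "$d"
        for ids in "$other_gid" "$gr"; do
            if can_traverse "$d" "$other_uid" "$ids"; then r=allowed; else r=forbidden; fi
            echo "mode=$m uid=$other_uid gids=$ids -> $r"
        done
    done
    rmdir "$d"
}
demo
```

With 0710 only an identity that is in the directory's group gets through; 0711 passes the check for every local account, not only the web server's.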
 

NoBaloney2

NoBaloney Internet Svcs.
Joined
Jun 17, 2007
Messages
498
Location
California
I'm beginning to think we may not need open_basedir when using mod_ruid2. Any comments from anyone?

Jeff
 