[HOWTO] mod_ruid2

It shows as:

Code:
 1 root    15   0 19208 1436 1212 S  0.0  0.1   0:00.69 init
 1161 root         14  -4 10648  568  316 S  0.0  0.0   0:00.00 udevd
 1170 apache     18   0  282m  18m 5984 S  0.0  0.9   0:00.99 httpd
 1454 root         18   0  178m 1412  864 S  0.0  0.1   0:02.99 rsyslogd
 1470 root         18   0 18212 1044  756 S  0.0  0.0   0:11.85 dovecot
 1487 root         18   0 22084  960  732 S  0.0  0.0   0:00.00 xinetd
 1497 root         18   0  105m 1636 1340 S  0.0  0.1   0:00.00 mysqld_safe
 1592 mysql       15   0  930m  72m 6668 S  0.0  3.6   0:08.07 mysqld
 1621 dovecot    15   0 44604 3012 2312 S  0.0  0.1   0:00.00 imap-login
 1636 dovecot    15   0 16188 1268  944 S  0.0  0.1   0:04.46 anvil
 1637 root         18   0 16308 1384  948 S  0.0  0.1   0:04.15 log
 1639 root         15   0 20028 2944 1088 S  0.0  0.1   0:12.29 config
 1640 root         15   0 24260 3020 1344 S  0.0  0.1   0:07.55 auth
 1641 root         18   0 64236  888  304 S  0.0  0.0   0:00.00 saslauthd
 1642 root         18   0 64236  636   52 S  0.0  0.0   0:00.00 saslauthd
 1654 root         15   0 18828  688  488 S  0.0  0.0   0:00.23 da-popb4smtp
 1667 mail          18   0 58860 1348  700 S  0.0  0.1   0:00.00 exim
 1700 ftp           18   0  138m 1860  676 S  0.0  0.1   0:00.00 proftpd
 1707 root         15   0  114m 1240  648 S  0.0  0.1   0:00.03 crond
 1755 named      18   0  684m  23m 2896 S  0.0  1.1   0:00.13 named
 3105 apache      17   0  283m  19m 5972 S  0.0  0.9   0:00.92 httpd
 3366 apache     15   0  281m  18m 4592 S  0.0  0.9   0:00.61 httpd
 3426 root         15   0 23088 1728 1296 S  0.0  0.1   0:00.38 auth
 3579 dovecot    15   0 44604 3012 2312 S  0.0  0.1   0:00.00 imap-login
 3668 apache     15   0  281m  17m 4212 S  0.0  0.9   0:00.95 httpd
 3901 apache     15   0  280m  17m 4540 S  0.0  0.8   0:00.44 httpd
 3902 apache     15   0  287m  23m 5964 S  0.0  1.2   0:01.00 httpd
 3903 apache     18   0  281m  17m 4512 S  0.0  0.9   0:00.57 httpd
 5295 dovecot    15   0 44604 3008 2312 S  0.0  0.1   0:00.00 imap-login
 5623 root         15   0  179m  12m 6348 S  0.0  0.6   0:00.11 httpd
 9326 dovecot    15   0 44600 3008 2308 S  0.0  0.1   0:00.00 pop3-login
 9768 nobody    15   0 54476 1048  204 S  0.0  0.0   0:00.00 directadmin
 9784 nobody    15   0 54476 1048  204 S  0.0  0.0   0:00.00 directadmin
 9803 nobody    15   0 54476 1048  204 S  0.0  0.0   0:00.00 directadmin
 9814 nobody    15   0 54476 1048  204 S  0.0  0.0   0:00.00 directadmin
 9832 apache     15   0  282m  18m 4544 S  0.0  0.9   0:00.40 httpd
 9833 apache     15   0  282m  18m 4232 S  0.0  0.9   0:00.45 httpd
 9834 apache     15   0  278m  14m 3992 S  0.0  0.7   0:00.13 httpd
 9889 nobody    15   0 54476 1048  204 S  0.0  0.0   0:00.00 directadmin
10148 dovecot   15   0 44600 3008 2308 S  0.0  0.1   0:00.00 pop3-login
10194 dovecot   15   0 44600 3004 2308 S  0.0  0.1   0:00.00 pop3-login
10227 dovecot   15   0 44600 3008 2308 S  0.0  0.1   0:00.00 pop3-login
11299 dovecot   15   0 44600 3008 2308 S  0.0  0.1   0:00.00 pop3-login
 
One little addition to the guide for some:

I found that SquirrelMail wouldn't work for me. It took me a while, but the reference mentioned here in /etc/httpd/conf/httpd.conf wasn't there.

It was moved to:

/etc/httpd/conf/extra/httpd-directories.conf

Make that look somewhat like this:

<Directory "/var/www/html">
Options -Indexes +FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
<IfModule mod_suphp.c>
suPHP_Engine On
suPHP_UserGroup webapps webapps
SetEnv PHP_INI_SCAN_DIR
</IfModule>
RUidGid webapps webapps
</Directory>

and it should work.

Don't know if it was mentioned before, but it should be added to the guide :)

thanks and have a nice day :)
 
Following this:

Q: Installing/Updating HTTPd to 2.4.x? Then you need to update mod_ruid2 also, the work around is
A:

HTML:
wget -O mod_ruid2-0.9.4.tar.bz2 "http://downloads.sourceforge.net/project/mod-ruid/mod_ruid2/mod_ruid2-0.9.4.tar.bz2?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fmod-ruid%2Ffiles%2Fmod_ruid2%2F&ts=1330166943&use_mirror=kent"
tar xjf mod_ruid2-0.9.4.tar.bz2
cd mod_ruid2-0.9.4
perl -pi -e 's/unixd_config/ap_unixd_config/' mod_ruid2.c
perl -pi -e 's/#include "mpm_common.h"/#include "mpm_common.h"\n#include "unixd.h"/' mod_ruid2.c
apxs -a -i -l cap -c mod_ruid2.c
Thanks to smtalk!


But still, my httpd version is 2.2.22. Why?
 
mod_ruid2 and writeable folders

Hi all,

I've managed to get mod_ruid2 installed, but I'm just trying to configure it so that my directories are writable by the ftp user for phpBB.

The code I have so far is

<Directory /var/www/vhosts/servername.co.uk/>
RMode config
RUidGid ftpusername psacln
RGroups psacln psacln
</Directory>

But this doesn't seem to work. Does anyone have suggestions that may help?

Many Thanks,
 
Are you using DirectAdmin? It doesn't look as if you are, based on your path.

However you should still be able to use our instructions if you modify them for your paths, specifically the commands shown in the first post of this thread to change directory ownership and permissions. With DirectAdmin defaults following the instructions in this thread should work for you.

Where did you make those configuration changes? In what file? If in an apache configuration file, then the changes won't affect ftp access at all.

Jeff
 
I wouldn't recommend mod_ruid2.
My entire server was hacked because of it.

You can easily read config.php files which contain mysql databases to important software like whmcs and take control of the entire server or steal data if you know the exact path of a file and it doesn't have the appropriate permissions. Mod_ruid2 doesn't block the reading of the files by other users so it's probably useless.

I couldn't find information about how to set up mod_ruid2 in order to be secure. With or without mod_ruid2 my server has the same security, I can read the files from the entire /home/ directory if I know the paths with a php shell file from any account. Only open_basedir makes a difference.

Actually, and please don't mind if I make this exploit public, but if you use the IP/~account/shell.php style access, mod_ruid2 simply won't work at all.
You can access everything on your server outside /home without write permissions (/, /etc/...).

I'd recommend disabling the userdir access, solution here http://www.directadmin.com/forum/showthread.php?t=30820&page=1 or returning to suphp.
 
I guess by the two defaults, mod_ruid2 and suphp, suphp seems more secure. It's because with suphp
- /~user just doesn't work
- you can't look into other peoples dirs

Now with mod_ruid2, you can basically achieve the same thing, but it requires a tiny bit of extra steps.

To prevent people from looking into each others directories you need to enable SAG, just as you would do with the regular mod_php, as explained at this KB article: http://www.directadmin.com/features.php?id=961 (which is listed as #9 at the basic security page http://help.directadmin.com/item.php?id=247)

The other one you already mentioned, just disable the ip/~user.

I think that covers the differences. If anyone else has some insights about this, please share.

Maybe we can add the suggestion of disabling ip/~user on the main page as it's no luxury to know that mod_ruid2 won't be in effect. Also open_basedir doesn't work and people will experience conflicts in permission use.

It also doesn't hurt to mention the SAG, because as it seems people still miss it.
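
A way to check a server for the exposure discussed in the posts above (home directories and PHP configuration files that other accounts can read), as an added example that is not part of the original thread. The /home/<user> layout and the file-name patterns are assumptions; adjust them to the server being audited.

```shell
#!/bin/sh
# Added example: permission audit for a shared-hosting home tree.
# Assumes one directory per account directly under the base (e.g. /home/<user>).

# List account directories that users outside owner and group can enter
# (the "other" execute bit, mode 001, is set).
open_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -001 | sort
}

# List PHP configuration files readable by "other" (mode bit 004).
# The name patterns are examples; extend them for the applications you host.
readable_configs() {
    find "$1" -type f \( -name 'config*.php' -o -name 'wp-config.php' \) \
        -perm -004 | sort
}

# Print a report and return 1 if anything was found, 0 if the tree is clean,
# so the function can be used from cron or a monitoring check.
audit() {
    base=${1:-/home}
    report=$(
        open_homes "$base" | sed 's/^/HOME open to other users: /'
        readable_configs "$base" | sed 's/^/CONFIG readable by other users: /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: audit /home
```

A clean result only covers file modes; it says nothing about whether requests are actually served under the account's own uid.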
 
Yes, I managed to get it working without ip/~user but it would be a nice feature to have.
If there is some way to get the username from the alias regex and set it as open_basedir and the mod_ruid2 uid,guid it can be made to work. Has anyone done something close?
 
Actually I recently saw it at the mpm-itk topic. See this post http://www.directadmin.com/forum/showthread.php?t=41965&p=212497#post212497 and the one below that. It's the same principle for mod_ruid2 or even suphp.

I'm not sure how exactly he implemented it and if it's just placing a few lines in existing files or if additional scripts are needed. But at the end I think something like that is the solution.

I've also considered a regex one time, but I'm not sure if it's possible and that it's really safe.
 
That seems to be a good approach. What if a user configures mod_ruid2 in a custom httpd.conf via DA to run as a different user? I think that it should be filtered out from the config.
 
Not working

I installed mod_ruid2 before (a long time ago) and it worked right out of the box.

I got a new server last week and installed mod_ruid2, but I have a problem: it doesn't run as the good user (uid=xx(apache) gid=xx(apache) groups=xx(apache),xxx(access)) instead of the user itself.

It is loaded in phpinfo!

Please help
 
Fixed it, just installed 0.9.3 (same version as other server)!
 
This one:

Code:
Now we need to modify the DA httpd.conf templates a little bit to enable mod_ruid2 for the users

Now copy the template files to custom
cd /usr/local/directadmin/data/templates/
cp virtual_host2* custom/
chown -R diradmin:diradmin custom/
Now you have copied the original templates to the 'custom' directory, so they won't be overwritten.
Code:
cd /usr/local/directadmin/data/templates/custom/
 