[HOWTO] mod_ruid2

Perhaps I should open a new topic for this, but I was wondering the following today:
I have had mod_ruid2 running for a long time and I'm happy with it, but most sites run under the same reseller. That way mod_ruid2 is not really secure? (yes, my fault) *The most important sites have their own user.
Is there an easy way to create a user/reseller for every website?
Is this a normal way (or should this be done differently)?
What is the disadvantage of having so many users? (I run 20 websites for different friend and family companies)
 
Well... that's more of a hosting question.
The best thing is indeed to make several user accounts, a separate one for each friend or family company. That is indeed a normal way to work with DirectAdmin.
You can also run them under the same reseller, as long as separate user accounts are made under that reseller account; then you still benefit from mod_ruid2. However, I wouldn't put all domains under 1 reseller using only that reseller's account (no separate users).

Using separate reseller/user accounts only has benefits. They all have their own domain names and email addresses, and you have the mod_ruid benefit. You can also give the friends and/or family their own login.
There is no disadvantage of having so many users. 20 is not much. We easily put 60-70 users on a dedicated server with shared hosting.
A little bit off-topic here, but I guess you can use this answer. :)
 
How can I implement this on FreeBSD?
I e-mailed DA support with this question and they tried it, but it came back with an error message that it only works on Linux.

After a little research as to why this is, I found this stated in the readme for mod_ruid2.
"mod_ruid2 runs only on linux because afaik only linux has implemented posix 1003.1e capabilities"

After that I left this message for the developers of mod_ruid2:
When will you have FreeBSD support?

The readme states: "mod_ruid2 runs only on linux because afaik only linux has implemented posix 1003.1e capabilities"

Posix 1003.1e is a withdrawn standard from 1997, which wanted to define the Posix API of access control lists. Many ?NIX-like OSes implemented ACLs using this abandoned standard as a basis. Linux, BSD, and Solaris, support POSIX.1e ACLs, based on this early POSIX draft. Many of them, for example AIX, FreeBSD, Mac OS X, beginning with version 10.4 ("Tiger"), and Solaris with ZFS filesystem, support NFSv4 ACLs, which extends Posix 1003.1e, and is part of the NFSv4 standard. If anything Linux lags in this area. There are two experimental implementations of NFSv4 ACLs for Linux: NFSv4 ACLs support for Ext3 filesystem and recent Richacls, which brings NFSv4 ACLs support for Ext4 filesystem. With NFSv4 you would have a real standard to work to, instead of an abandoned draft, and NFSv4 is where Linux is headed. Then, if there are problems, they are not your problem, it's them not adhering to the standard, which translates into a bug they need to fix.

For FreeBSD, Posix 1003.1e is documented in the man pages, FreeBSD Handbook posix1e(3), acl(3), and the various references to the SEE ALSO sections. So Posix 1003.1e DOES exist in FreeBSD and other ?NIX operating systems. While you may find slight differences from the Linux implementation, I assume this is nothing that could not be ironed out with 100 lines of glue code. In fact, you might want to change it to be compatible with NFSv4 ACLs, where the rest are and Linux is headed, and make the glue for where Linux currently is for backward compatibility.

I have not seen a response to my message to the mod_ruid2 developers.
 
So what is the easiest way to update mod_ruid2 to the latest version without CB2.0?
 
I have not seen a response to my message to the mod_ruid2 developers.
I just posted a followup to my earlier message to the mod_ruid2 developers:
It's odd there has been no action on this when the readme makes the false supposition: "mod_ruid2 runs only on linux because afaik only linux has implemented posix 1003.1e capabilities"

Solaris, AIX, FreeBSD, Mac OS X are more compliant with posix 1003 than Linux. Moreover, these other operating systems also support NFSv4, which extended posix 1003, thus posix 1003 has been withdrawn from being a standard. The driving force behind the ACLs has been Solaris. Linux has been dead last to keep up in the NFS area. My concern is that the main problem with mod_ruid2 not working with operating systems other than Linux may be rooted in the false supposition that "only Linux has implemented posix 1003.1e capabilities".
 
I made another post yesterday about FreeBSD and this time I received this reply.
Updated the README: https://github.com/mind04/mod-ruid2 . We need Linux capabilities for mod_ruid2 ( http://linux.die.net/man/7/capabilities ), and those are not implemented in FreeBSD. Closed for now, but I'm happy to reopen the issue if there are new insights...
Based on the previous incorrect comment in the readme about posix 1003.1e compliance being a Linux thing, I get the impression that the author doesn't have much expertise outside of the Linux area, but he seems open to suggestions that would make it portable if someone would work with him to do so. He very likely developed it for his own use, thus there is no strong motivation for him to make it portable without some help. The best solution would be to have this commonly desired functionality be part of the Apache core distribution.
 
You have prefork MPM.

I'll try to compile Apache again with mpm-prefork and see what happens.

EDIT:

It's working now.
So I was right, mod_ruid2 isn't compatible with multi-threaded MPMs like event and worker.

Does anyone know if mod_ruid2 is compatible with multi-threaded MPMs?
Maybe something has changed since my last check.
 
After installing mod_ruid2, httpd has gone mad. Fuel processor reaches 100% and the process "httpd" comes very quickly. Please help, because I cannot find anything in the logs, and Google did not say much.
 
After installing mod_ruid2,
sites start throwing open_basedir errors.

Does mod_ruid2 change paths?

WARNING: include() [function.include [2]]: open_basedir restriction in
effect. File(application/errors/error_php.php) is not within the
allowed path(s): (/home/xxxxxx/:/tmp:/var/tmp:/usr/local/lib/php/) in
/HOME/xxxxxx/DOMAINS/xxxxxx/PUBLIC_HTML/SYSTEM/CORE/EXCEPTIONS.PHP
 
Found this on the cPanel site: "Under heavy load, an AcceptMutex can be held by another UID. This causes ModSecurity to fail and exit, which then causes Apache to crash. We are aware of this issue and are working on a solution. In the meantime, do not use ModSecurity with mod_ruid2."
 
So, a question to you guys... mod_ruid2 installed fine and works great for new users, but my existing users keep on running as apache... I've checked this through PHP: they keep running as user 498, which is apache, and not as their own user. When I make a new user on this server, it does run as its own user.

How can I make the existing sites run as their user? Force them... how? Where is this being set? A restart of the server doesn't help, and I've changed the owners of all files and dirs as described in the manual...

Can anyone help?
 
Wow found it myself...

On existing sites, you have to check and add stuff to /usr/local/directadmin/data/users/USER/httpd.conf

First make a new user and compare his httpd.conf in that folder with your existing ones; you will see where to add something like this:

<IfModule mod_ruid2.c>
RMode config
RUidGid *username* *username*
#RGroups apache access
RGroups @none
</IfModule>
 
Actually, if you use custombuild to install mod_ruid2, it should rewrite all confs using the internal templates, which should be updated to use mod_ruid2; that depends on whether you're using the latest DA version or not.

If the confs weren't rewritten, you should try: /usr/local/directadmin/custombuild/build rewrite_confs

Regards
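
A read-only check for the situation in the last two posts, as an added example that is not part of the thread or of DirectAdmin: it lists accounts whose per-user httpd.conf has no active RUidGid line (sites still run as apache) or names a different user. The status labels, function names and sample accounts are constructed; the default directory is the one quoted above.

```shell
#!/bin/sh
# Added example: audit per-user httpd.conf files for the mod_ruid2 block.

# classify_conf FILE USER -> prints OK, MISSING or MISMATCH
classify_conf() {
    # Collect the user argument of every uncommented "RUidGid <user> <group>"
    # line (Apache directive names are case-insensitive).
    ruid_users=$(awk 'tolower($1) == "ruidgid" { print $2 }' "$1" | sort -u)
    if [ -z "$ruid_users" ]; then
        echo MISSING     # no active directive: requests run as apache
    elif [ "$ruid_users" != "$2" ]; then
        echo MISMATCH    # at least one vhost runs as another account
    else
        echo OK
    fi
}

# audit_ruid2 [DIR] -> one "user status" line per account directory
audit_ruid2() {
    base=${1:-/usr/local/directadmin/data/users}
    for conf in "$base"/*/httpd.conf; do
        [ -f "$conf" ] || continue
        user=$(basename "$(dirname "$conf")")
        echo "$user $(classify_conf "$conf" "$user")"
    done
}

# make_sample DIR: constructed fixtures, not real accounts
make_sample() {
    mkdir -p "$1/alice" "$1/bob" "$1/carol"
    printf '%s\n' '<IfModule mod_ruid2.c>' 'RMode config' \
        'RUidGid alice alice' 'RGroups @none' '</IfModule>' \
        > "$1/alice/httpd.conf"
    # bob: config written before mod_ruid2, directive only as a comment
    printf '%s\n' '<VirtualHost *:80>' '#RUidGid bob bob' '</VirtualHost>' \
        > "$1/bob/httpd.conf"
    # carol: block copied from another account without changing the name
    printf '%s\n' '<IfModule mod_ruid2.c>' 'RUidGid alice alice' \
        '</IfModule>' > "$1/carol/httpd.conf"
}

sample=$(mktemp -d)
make_sample "$sample"
audit_ruid2 "$sample"
rm -rf "$sample"
```

Run `audit_ruid2` with no argument on the server itself; any account not reported as OK is a candidate for the manual edit or the rewrite_confs step described above.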
 