[HOWTO] mod_ruid2

janton

Verified User
Joined
Sep 17, 2009
Messages
145
I installed memcached today and also have mod_ruid2 installed a few days ago.

Do i need to run memcached with a different user now it seems to work. but i'm not sure if it's correct.

#nano /etc/sysconfig/memcached

PORT=xxx
USER="nobody"
MAXCONN=xxx
CACHESIZE=xxx
OPTIONS=xxx


Perhaps this is off-topic? But it's related to mod_ruid2 because this is the reason i'm not sure.
 

NoBaloney2

NoBaloney Internet Svcs.
Joined
Jun 17, 2007
Messages
498
Location
California
mod_ruid updates & original install

Is it possible to use custombuild to set up mod_ruid2 from DirectAdmin setup? Can a mod_ruid2 setup be updated by custombuild without deleting the custombuild stuff?

We want to make it part of our standard installs starting this weekend if possible. Any help sincerely appreciated.

Please excuse my alternate login; it's me, Jeff <smile>

Jeff
 

daveyw

Verified User
Joined
Jan 5, 2008
Messages
702
Location
/dev/null
Jeff: I guess this is 'easy' possible with custombuild.

My fast reply would be

Custombuild needs to do
yum -y install libcap-devel
wget http://dave.t0xic.nl/tars/mod_ruid2-0.9.3.tar.bz2
tar xjf mod_ruid2-0.9.3.tar.bz2
cd mod_ruid2-0.9.3
apxs -a -i -l cap -c mod_ruid2.c
Some check to see if the install is successfull.

And custom DA template
RMode config
RUidGid |USER| |GROUP|
RGroups apache
SuexecUserGroup should be commented.

If you update mod_ruid2, I don't think it will overwrite the configuration, since the configuration is located at the custom DA template, not the main httpd.conf or whatelse.

You don't need to make any changes at the default/main php.ini file, only httpd.conf for loading the mod_ruid2 module.

Kind Regards,
Dave
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,798
Location
A Coruña, Spain
Jeff on mine installation script i use to install mod_ruid2 from my own repository, use the steps indicated.. and.. download my custom da template from my repo.. so.. on a new install is ok, on an existin one just you will need to rewrite httpd confs using command in post #1

Regards
 

daveyw

Verified User
Joined
Jan 5, 2008
Messages
702
Location
/dev/null
Jeff on mine installation script i use to install mod_ruid2 from my own repository, use the steps indicated.. and.. download my custom da template from my repo.. so.. on a new install is ok, on an existin one just you will need to rewrite httpd confs using command in post #1
Thanks for posting this :)

Indeed, and this makes it still easy to install/update mod_ruid2 with custombuild. When this is added you can remove suPHP in my opinion, since mod_ruid2 never used it again :p Or you could 'default' enable mod_ruid2 with new installs.
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,798
Location
A Coruña, Spain
Sure integrate mod_ruid2 with default installation should be very appreciated for many of us and very helpful for people that dont know what is and that is needed :)

Or, if not default, installable via custombuild as for suPHP and now for clamav...

Should be nice yes.

Regards
 

tim874536

Verified User
Joined
Nov 24, 2006
Messages
65
Hi all,

Two of my servers has been injected "PHP DoS, Coded by EXE" php codes few days before, I just search those files and deleted them.

Those files are injected into folders that's permission is 777 and owned by user apache.

May i know that implementing mod_ruid2 and reset those folders to owned by user and permission with 755 can solve such php injection problem?

Any performance impact compare with standard custombuild

Thanks you all and have a good day.
 

defomaz

Verified User
Joined
Jun 26, 2008
Messages
134
Hi all,
May i know that implementing mod_ruid2 and reset those folders to owned by user and permission with 755 can solve such php injection problem?
it's seem not,
because injection depend on your web script
 

defomaz

Verified User
Joined
Jun 26, 2008
Messages
134
you mean this php injection is not / may not caused by folder 777 and cracker use this 777 folder to put php script through apache?
as far as i know, php shell can enter to server is caused by web script that vulner and not just about file folder permission.

and with mod_ruid until now, i do not find any incident that user can change file/folder owned by them to apache
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Thanks, all. I won't be getting around to doing the install until sometime next week; I'll come back with questions.

Jeff
 

gunemalli

Verified User
Joined
Jul 22, 2009
Messages
86
Location
Sheffield, UK
First of thanks very much for the howto. It works like a charm. I just installed it on my server and tested it and all my sites work ok.

The only issue is that i don't see anything show up htop/top other than the default usernames. but when i run the php file i get this output:

Code:
uid=503(gayan) gid=503(gayan) groups=48(apache)
which suggests everything is working correctly.


Oh and i think you need to modify your permission setting commands to do the same for private_html as well:

Code:
find /home/*/domains/*/p*_html -type d -print0 | xargs -0 chmod 711
find /home/*/domains/*/p*_html -type f -print0 | xargs -0 chmod 644
find /home/*/domains/*/p*_html -type f -name '*.cgi*' -exec chmod 755 {} \;
find /home/*/domains/*/p*_html -type f -name '*.pl*' -exec chmod 755 {} \;
find /home/*/domains/*/p*_html -type f -name '*.pm*' -exec chmod 755 {} \;
cd /usr/local/directadmin/data/users && for i in `ls`; do { chown -R $i:$i /home/$i/domains/*/p*_html;}; done;
i use different folders to put https content so needed to run this as the given command only worked for public_html
 

NoBaloney2

NoBaloney Internet Svcs.
Joined
Jun 17, 2007
Messages
498
Location
California
Jeff: I guess this is 'easy' possible with custombuild.

My fast reply would be

Custombuild needs to do
Code:
yum -y install libcap-devel
wget http://dave.t0xic.nl/tars/mod_ruid2-0.9.3.tar.bz2
tar xjf mod_ruid2-0.9.3.tar.bz2
cd mod_ruid2-0.9.3
apxs -a -i -l cap -c mod_ruid2.c
Some check to see if the install is successfull.

And custom DA template
Code:
RMode config
RUidGid |USER| |GROUP|
RGroups apache
SuexecUserGroup should be commented.

If you update mod_ruid2, I don't think it will overwrite the configuration, since the configuration is located at the custom DA template, not the main httpd.conf or whatelse.

You don't need to make any changes at the default/main php.ini file, only httpd.conf for loading the mod_ruid2 module.

Kind Regards,
Dave
I'm more than a bit lost. I know I can do the first part (wget) before I run setup, but I have no idea where the second part (the template) is. Please help; I'd like to get this done today if possible.

Jeff
 
Last edited:

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
To clarify: If possible I'd like an exact cookbook for changes to make it just work in the original DirectAdmin install, as well as when updating through custombuild. The latter is important; I can't afford to break anything when updating through custombuild.

Thanks.

Jeff
 

gunemalli

Verified User
Joined
Jul 22, 2009
Messages
86
Location
Sheffield, UK
To clarify: If possible I'd like an exact cookbook for changes to make it just work in the original DirectAdmin install, as well as when updating through custombuild. The latter is important; I can't afford to break anything when updating through custombuild.

Thanks.

Jeff
I think i can help you with that. I had to reinstall my server today cos when i try to upgrade MySQL it crashed.

OK here's the process. Install DA, then install mod_ruid2 with the following commands:

Code:
yum -y install libcap-devel
wget http://dave.t0xic.nl/tars/mod_ruid2-0.9.3.tar.bz2
tar xjf mod_ruid2-0.9.3.tar.bz2
cd mod_ruid2-0.9.3
apxs -a -i -l cap -c mod_ruid2.c
then modify the 4 virtual_host2 files inside the templates folder to look like this:
virtual_vhost2.conf the changes are highlighted in red
Code:
|?DOCROOT=`HOME`/domains/`DOMAIN`/public_html|
|?OPEN_BASEDIR_PATH=`HOME`/:/tmp:/var/tmp:/usr/local/lib/php/|
<VirtualHost |IP|:80 |MULTI_IP|>
|CUSTOM|
|?CGI=ScriptAlias /cgi-bin/ `DOCROOT`/cgi-bin/|
	ServerName www.|DOMAIN|
	ServerAlias www.|DOMAIN| |DOMAIN| |SERVER_ALIASES|
	ServerAdmin |ADMIN|
	DocumentRoot |DOCROOT|
	|CGI|

	|USECANONICALNAME|

[COLOR="Red"][B]	#SuexecUserGroup |USER| |GROUP|
	RMode config
	RUidGid |USER| |GROUP|
	RGroups apache 
[/B][/COLOR]	CustomLog /var/log/httpd/domains/|DOMAIN|.bytes bytes
	CustomLog /var/log/httpd/domains/|DOMAIN|.log combined
	ErrorLog /var/log/httpd/domains/|DOMAIN|.error.log

	<Directory |DOCROOT|>
		Options +Includes -Indexes
|*if CLI="1"|
		php_admin_flag engine |PHP|
		<IfModule !mod_php6.c>
			php_admin_flag safe_mode |SAFE_MODE|
		</IfModule>
		php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f |USER|@|DOMAIN|'
|*endif|
|*if OPEN_BASEDIR="ON"|
		php_admin_value open_basedir |OPEN_BASEDIR_PATH|
|*endif|
|*if SUPHP="1"|
                suPHP_Engine |PHP|
		suPHP_UserGroup |USER| |GROUP|
|*endif|
	</Directory>
|HANDLERS|
|MIMETYPES|

</VirtualHost>
and finally issue
Code:
chown -R diradmin:diradmin custom/
and you can start creating new users. That's it. Also the directory/file permission should be changed inside *_html folders. All files with 0644 and all folders with 0711 as suggested with the how to here.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Thanks. For the moment I'll hope that nothing else need be done since it's a new server :). Now the question is only how do you update it with CustomBuildl without having to set it up over again?

Anyone?

Thanks.

Jeff
 

gunemalli

Verified User
Joined
Jul 22, 2009
Messages
86
Location
Sheffield, UK
Thanks. For the moment I'll hope that nothing else need be done since it's a new server :). Now the question is only how do you update it with CustomBuildl without having to set it up over again?

Anyone?

Thanks.

Jeff
Yes on a new server nothing more needs to be done. If you're doing this on an existing server we need to rewrite each user's httpd.conf and set the permissions for *_html folders. here's how to do it:

Code:
cd /usr/local/directadmin/scripts && ./set_permissions.sh user_homes
find /home/*/domains/*/p*_html -type d -print0 | xargs -0 chmod 711
find /home/*/domains/*/p*_html -type f -print0 | xargs -0 chmod 644
find /home/*/domains/*/p*_html -type f -name '*.cgi*' -exec chmod 755 {} \;
find /home/*/domains/*/p*_html -type f -name '*.pl*' -exec chmod 755 {} \;
find /home/*/domains/*/p*_html -type f -name '*.pm*' -exec chmod 755 {} \;
cd /usr/local/directadmin/data/users && for i in `ls`; do { chown -R $i:$i /home/$i/domains/*/p*_html;}; done;
on your 2nd query i can give u a hint on how to do it but i'm not a linux guru so i dnt know what are the implications.

1'st do a
Code:
grep 'mod_ruid2' /etc/httpd/conf/httpd.conf
If it's installed you'll get an output like this:
Code:
LoadModule ruid2_module /usr/lib/apache/mod_ruid2.so
so on an update you can check to see if it's already existing, if so you can skip this step. At this stage i'm assuming that DA will have the updated vhost2.conf and httpd.conf by default.
if so then no additional work needs to be done even if apache is updated (I assume an apache update won't delete /usr/lib/apache/ folder and only overwrites the content)

Also you could just look for /usr/lib/apache/mod_ruid2.so file and if it exists then the plugin is installed. all you need to do is rewrite the httpd.conf files.

I think the best option is the 2nd one. even if the httpd conf didn't have the line you would know that the plugin is already installed. hmmmm this can be used as a verification method too and could be used to correct issues.
 
Last edited:

Arieh

Verified User
Joined
May 27, 2008
Messages
1,226
Location
The Netherlands
I've updated httpd many times since I use this ruid setup. It's not being effected by it. I guess only when new config files are being pushed trough, but I don't think that happens too often?
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,798
Location
A Coruña, Spain
I can confirm what Arieh sayd.

Ive installed mod_ruid2 long time ago and since there ive update apache about 3 times without no need to reinstall/update mod_ruid2.

Regards
 
Top