[HOWTO] mod_ruid2

Would mod_ruid2 work with both PHP 5.2 and PHP 5.3 on the same DA installation?
Has anyone tried this?

A week or so ago, I set up PHP5.3+mod_ruid2 and PHP5.2+mod_suPHP (both versions on one server), plus a plugin to switch the versions, for one of my customers. If you want it, I can do it for you too.
 
And were you able to use it for every user you want? Because the trouble I get is setting in suphp.conf the user (one, I suppose, can be specified) that will use suphp instead of cli.

Regards
 
Yes, I've found a solution (sorry, for some reasons I won't share it for free, at least for now). Every user can switch the versions of PHP in DirectAdmin.
 
NP, I really don't need it, because I had to use 5.2 with just one user, but I was curious to understand whether you had found a solution or I had misunderstood :)

Regards
 
I will share it for free:
Code:
cd /usr/local/directadmin/custombuild
wget -O suphp-0.7.1.tar.gz http://files.directadmin.com/services/custombuild/suphp-0.7.1.tar.gz
tar xzf suphp-0.7.1.tar.gz
cd suphp-0.7.1
wget -O ./src/Application.cpp http://www.custombuild.eu/Application.cpp
../configure/suphp/configure.suphp
make
make install

Restart Apache now. CustomBuild 2.0 will probably have the ability to install mod_ruid2+PHP as CGI, but I cannot promise it to you.
 
@Martynas, good of you.

Hmm,

Code:
# diff Application.cpp Application.cpp-orig
171a172,176
>     if (api.getRealProcessUser() !=
>         api.getUserInfo(config.getWebserverUser())) {
>         throw SecurityException("Calling user is not webserver user!",
>                                 __FILE__, __LINE__);
>     }
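
Review bot: with the operands in this order (patched Application.cpp first, Application.cpp-orig second), the ">" lines at 172-176 are what the patched file no longer contains, so the comparison of api.getRealProcessUser() against api.getUserInfo(config.getWebserverUser()) is deleted outright rather than relaxed. With that block gone, this point in Application.cpp no longer rejects any calling account. Consider keeping the SecurityException and widening the condition instead (for example, accept the webserver user or a caller at or above a configured minimum UID), and post the change as a unified diff with the original file first so the direction is unambiguous.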

I've never thought of it this way. My solution has nothing in common with modifying suPHP sources at all. Probably, your solution is more effective and/or easier to implement, but I'm not sure. Did you run any speed tests? Isn't it too redundant to call suPHP from a mod_ruid-affected Apache process?
 
So this will let suphp work with mod_ruid2 without the need to edit suphp.conf, as you noticed on my server some time ago?

Regards

Yes, it will. I'll probably modify the file more, but now it is as simple as possible and works well, of course :)
 
PHP-CGI has never been as fast as mod_php, and this solution is the easiest one to implement with current configs, without making them complex. mod_ruid2 is very fast, so it doesn't affect the speed a lot.
 
Last question. Maybe it is useful for someone else as well.

Those commands have to be run after php-cgi has been installed, right? So it is a recompile when suphp has already been installed.

Thanks
 
You can run them anytime. It's just a matter of suPHP reinstallation. When I have time, I'll probably modify the suPHP script to make it more efficacious and not "reset" the owner of the process to the same one a second time. However, it always did that, so it needs to be considered whether we should modify the suPHP source more, implement our own solution or just disallow users installing a second instance of PHP with mod_ruid2.
 
Yes, I agree, that is the easiest one to implement with current configs. But what about security? Would it be much better to check a minimal UID, let's say 500 (taken from config)? How much easier does it make it to run PHP scripts under the superuser's name without a UID check?

Of course, and it goes without saying, you might want to add a patch into the custombuild script (as a standard or an option), in case no issues come up.
 
It does check if files are not owned by superuser. mod_ruid2 adds the first level of security. Also, suPHP_UserGroup is set in DA templates, so files cannot be owned by any other users.
 
However, that would give users the ability to call the suPHP binary file. That might (or might not) be a security issue, and needs further analysis of the suPHP code (or just hardening of the suPHP binary).
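
The trade-off raised in the posts above (dropping the webserver-user check entirely versus keeping a minimum-UID check) can be made concrete with a caller policy. This is an added example, not suPHP code and not from any poster; the names Policy, check_caller and describe, and the uid values 48 and 1001, are assumptions for illustration, while 500 is the minimum UID suggested in the thread.

```cpp
// Added example: not suPHP source. Every name below is hypothetical.
#include <sys/types.h>
#include <cstdio>

enum class Verdict { Allow, DenyScriptOwner, DenyCaller, DenyMismatch };

struct Policy {
    uid_t webserver_uid;  // uid of the configured webserver user (assumed value)
    uid_t min_uid;        // lowest uid allowed to own or run scripts (thread suggests 500)
};

// caller       = real uid of the process that executed the wrapper
// script_owner = uid that owns the PHP script about to be run
Verdict check_caller(const Policy& p, uid_t caller, uid_t script_owner) {
    // Scripts owned by root or other system accounts never run.
    if (script_owner < p.min_uid) return Verdict::DenyScriptOwner;
    // Classic setup: Apache runs as the webserver user, the wrapper switches uid.
    if (caller == p.webserver_uid) return Verdict::Allow;
    // mod_ruid2 setup: the Apache child already runs as the site user.
    // System accounts other than the webserver user are refused.
    if (caller < p.min_uid) return Verdict::DenyCaller;
    // An ordinary user may only run scripts they own, so invoking the
    // wrapper directly gains nothing over running PHP as themselves.
    if (caller != script_owner) return Verdict::DenyMismatch;
    return Verdict::Allow;
}

const char* describe(Verdict v) {
    switch (v) {
        case Verdict::Allow:           return "allow";
        case Verdict::DenyScriptOwner: return "deny: script owner below minimum uid";
        case Verdict::DenyCaller:      return "deny: caller is a system account";
        case Verdict::DenyMismatch:    return "deny: caller does not own the script";
    }
    return "deny";
}

int main() {
    const Policy p{48, 500};  // constructed sample values
    const uid_t cases[][2] = {{48, 1001}, {1001, 1001}, {1002, 1001}, {0, 1001}, {1001, 0}};
    for (const auto& c : cases)
        std::printf("caller=%u owner=%u -> %s\n", (unsigned)c[0], (unsigned)c[1],
                    describe(check_caller(p, c[0], c[1])));
    return 0;
}
```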
 
Hello Guys!

I have a problem with SquirrelMail and the temporary link.
When I'm using

RUidGid webapps webapps

in /etc/httpd/conf/extra/httpd-vhosts.conf
everything in /var/www/html works fine,
but IP/~username gives forbidden.

When using:

RMode config
RUidGid apache access
RGroups apache

temporary links work fine, but SquirrelMail doesn't work, with a "cannot access default.prefs" error.

/var/www/html has been chowned to: webapps webapps

Can anyone give a solution for both to work normally?
And please add the solution to the first post.
Thank you
 
With mod_ruid2, it seems to be impossible to use APC cache.
I read mod_ruid2 is like su-php, and APC cache does not work with APC cache.

Which cache do you use?
I tried eAccelerator on another server (without mod_ruid2), but I have to disable open_basedir, and I can't do this on this server.

So, can you tell me which PHP cache you use?

To voland: to use IP/~username, you have to set /home/username to 0711 instead of 0710.
 
I'm beginning to think we may not need open_basedir when using mod_ruid2. Any comments from anyone?

Jeff
 