[HOWTO] mod_ruid2

@Sellerone:
Sellerone said:
I do have DA 1.43.0 and im using CB 2.0, the default template those have this:

This is what i said:
Richard G said:
Yes it will. For CB 1.1 and 1.2 the template edit is needed until DA 1.43.1 is released.
CB 2.0 is not mentioned here.:)

Next to that you said:
If you just want to add mod_ruid2 so you will need to follow the how to, just the edit on template will not be needed.
As a reaction to Uberguru stating he was using CB 1.1, which gives the impression that he only has to follow the guide without template edits needed (on CB 1.1).
So that is why I issued my warning that this was incorrect.

Ofcourse, for CB 2.0 that is not needed. That's correct, but it was not clear that Uburguru would choose CB 2.0 at this point.
 
Yes but templates are not depended by Custombuild, the template are ready for mod_ruid2, the fact that CB 1.x dont have mod_ruid2 is not related ;)

I know you didnt menthion CB 2.0, but template are DA related, CB dont change the templates at all, so, if you have latest DA you should had those related "if" for mod_ruid2, the check should be done with apache modules and not on CB2.0 options file, that's why im pretty sure would be enough not to edit templates, but, a check would be pretty easy to do.

Code:
cat /usr/local/directadmin/data/templates/virtual_host2.conf | grep ruid2

Regards
 
I know you didnt menthion CB 2.0, but template are DA related, CB dont change the templates at all,
CB doesn't change the templates, but there is a difference in how the templates are used in CB 1.1/1.2 and CB 2.0 with the adjustments for CB 2.0 which created a problem.
That is why in DA 1.43 with CB 1.2 suddenly things went wrong with mod_ruid, because the new line was added (the "if" statement for options.conf). I personally made the DA staff aware of this problem.
http://forum.directadmin.com/showthread.php?t=37467&page=25&p=235715#post235715
http://www.directadmin.com/features.php?id=1438

In fact you are correct that no template edits are needed on CB 1.1 or 1.2, but only if you use the pre-release binaries of DA 1.43.1.
 
Last edited:
Ah, thanks for clarification, in fact you was right :) The 3rd suggestion would be enough for use ruid2 with those templates so and not all the part from the tutorial :)

Regards
 
I strongly doubg on what you say Richard.

I do have DA 1.43.0 and im using CB 2.0, the default template those have this:

Code:
        |*if HAVE_RUID2="1"|
        <IfModule mod_ruid2.c>
                RMode config
                RUidGid |USER| |GROUP|
                RGroups apache |SECURE_ACCESS_GROUP|
        </IfModule>

mod_ruid2 in CB2.0 is already stable and im using it since about 2 months now.

uberguru, you cant edit a single virtual_host of a user, this will change every user.

Is not an update, is a change of how the things are working on you server, is an apache module.

I dont see how your data should be lost, the most bad thing that should happen is that you dont install/set it correctly and apache will not startup, but reading logs and debugging a bit will let it work back in a few if you know what to do.

Regards

Just though of something....is there a way i can actually manually edit a user to apply the changes mod_ruid2 will do? So that way that affects that user only?

also i checked the httpd.conf of the user i saw this under the virtual host tag

<IfModule !mod_ruid2.c>
SuexecUserGroup wuser wuser
</IfModule>
<IfModule mod_ruid2.c>
RMode config
RUidGid wuser wuser
RGroups apache access
</IfModule>


does that mean its using mod_ruid2 already?
 
@Sellerone: You're welcome.:) I used solution 2 at first, and after that, changed to original and used the pre-release binaries.

@Uberguru: If you have it like this, this means you have an older version of DA because the new line is not in there yet.
So if you use that DA version and don't upgrade it until 1.43.1 is released, you don't need to do the template edits. The module in the virtual host container says that it will use mod_ruid2 if present.
So as far as I can see, if you only implement mod_ruid2 in this situation you would be fine. But maybe Sellerone can confirm this also or correct me if needed.
 
Users httpd.conf are rewritten by DirectAdmin.

The lined you posted make me think that if mod_ruid2 module is loaded in Apache than your users does use it.

For check you should see with:

Code:
ps aux | grep httpd

If some apache are started for some users and other from other users, than your mod_ruid2 is working fine.

Regards
 
Users httpd.conf are rewritten by DirectAdmin.
Only when a new user is created, not for implementing mod_ruid2, or am I mistaken?

Because the "if mod_ruid2" statement is already in the users httpd.conf so it does not need to be rewritten bij Directadmin.
Only the main httpd.conf will have a line added to load the mod_ruid2 module.

Or did you mean something else?
 
Yes when users are created, but he was talking to enable ruid2 just for some users, that would be about impossible (or just little hard with some scripting) cause once a new user is added all httpd.conf will be rewritten, so, single custom edits will be lost.

Ofc if statement (i suppose is like that) are already on users httpd.conf than just the install and the module load line in main httpd.conf will be needed.

Actually, the httpd.conf rewrite for all users will not take that much time and resources alos ;)

Regards
 
Users httpd.conf are rewritten by DirectAdmin.

The lined you posted make me think that if mod_ruid2 module is loaded in Apache than your users does use it.

For check you should see with:

Code:
ps aux | grep httpd


[root@server ~]# ps aux | grep httpd
apache 12601 2.1 0.5 427108 95200 ? S 19:57 0:27 /usr/sbin/httpd -k start -DSSL
apache 12739 2.1 0.5 422556 90620 ? S 19:58 0:25 /usr/sbin/httpd -k start -DSSL
apache 12850 2.8 0.5 414328 82424 ? S 20:01 0:30 /usr/sbin/httpd -k start -DSSL
apache 12938 2.1 0.4 400324 68292 ? S 20:01 0:21 /usr/sbin/httpd -k start -DSSL
apache 12964 3.3 0.7 453840 121620 ? S 20:02 0:32 /usr/sbin/httpd -k start -DSSL
apache 13043 2.0 0.5 418368 86404 ? S 20:04 0:17 /usr/sbin/httpd -k start -DSSL
apache 13484 0.9 0.4 404628 70268 ? S 20:11 0:03 /usr/sbin/httpd -k start -DSSL
apache 13697 7.6 0.5 397916 88136 ? R 20:15 0:11 /usr/sbin/httpd -k start -DSSL
apache 13698 16.7 0.4 375108 66244 ? S 20:15 0:25 /usr/sbin/httpd -k start -DSSL
apache 13699 4.3 0.4 374168 65560 ? S 20:15 0:06 /usr/sbin/httpd -k start -DSSL
root 13781 0.0 0.0 103304 872 pts/0 S+ 20:18 0:00 grep httpd
root 29436 0.0 0.0 191540 13048 ? Ss 00:11 0:06 /usr/sbin/httpd -k start -DSSL




If some apache are started for some users and other from other users, than your mod_ruid2 is working fine.

Regards

Well how will it be working fine when i am having the permission problem?
 
What do you mean for permission problem?

For what you posted, mod_ruid2 is not working, cause apache is started by user apache and that's not way that ruid2 work.

Regards
 
CB doesn't change the templates, but there is a difference in how the templates are used in CB 1.1/1.2 and CB 2.0 with the adjustments for CB 2.0 which created a problem.
That is why in DA 1.43 with CB 1.2 suddenly things went wrong with mod_ruid, because the new line was added (the "if" statement for options.conf). I personally made the DA staff aware of this problem.
http://forum.directadmin.com/showthread.php?t=37467&page=25&p=235715#post235715
http://www.directadmin.com/features.php?id=1438

In fact you are correct that no template edits are needed on CB 1.1 or 1.2, but only if you use the pre-release binaries of DA 1.43.1.

Well i am confused here i am using CB 1.1 and i just installed mod_ruid2 following the guide...now do i change the the template or i should skip that step? Also what do i do next if i should skip the change template part?

thanks
 
What do you mean for permission problem?

For what you posted, mod_ruid2 is not working, cause apache is started by user apache and that's not way that ruid2 work.

Regards

Ok..i just installed mod_ruid2 ...so what do i do next? Remember i have CB 1.1
 
You did post one of your user's httpd.conf file and apparently is correct, so, if now mod_ruid2 is loaded as module in main httpd.conf file (/etc/httpd/conf/httpd.conf) you should now see with the command i gave (ps aux | grep httpd) if there are apache process running other users and not under apache user.

Regards
 
For what you posted, mod_ruid2 is not working, cause apache is started by user apache and that's not way that ruid2 work.
Maybe you're confused with suphp? Because with mod_ruid2 this depends on the amounts of visitors being present. At the moment at my servers it also only has apache.
If the server is busy, you will have a combination of users and apache. Mod_ruid2 also starts apache as apache and switches to the user when necessary.

Uberguru said:
Ok..i just installed mod_ruid2 ...so what do i do next? Remember i have CB 1.1
If you followed the guide you should be ready for use. I presume you ran the permissions mentiones in the section "Converting an existing environment"?

If you really want to test if mod_ruid2 is working, you can test it with a php script as described in the howto:
Create a php script for example ruid.php and put it in the public_html with this content:
Code:
<?php
mkdir('ruidtest');
file_put_contents('ruidtest/test.txt', 'Hello!'); 
?>
Run the script by accessing it through the browser (http://www.yoursite.com/ruid.php) and see if the directory ruidtest and the test.txt file are being made. The owner of the dir/file should be the DA user.
That's the best way of testing it.
 
Last edited:
Actually i didnt know there was a limit for user present before switch to users owner of the process.

My server got lots of visits and i did always had users different from apache (also with apache, but many less than others).

Regards
 
Actually i didnt know there was a limit for user present before switch to users owner of the process.
I don't think it has to do with a limit of users present, but with what the visiting users do. I explained that wrongly, sorry.
My intention was to say that this could be when little users visit, it does not depend on it imho.

If I'm correct (I'm not sure), if just plain html sites are visited, nothing will change because I don't think that plain html files need to be run as a user because they don't really do write processes. I can be mistaken about this though. Maybe it only switches if really needed.
If the user visits a php site, then a lot more is possible, then apache will change to the account name. I think it works something like that, but as said, I'm not sure. I'm only sure of the fact that having apache processes, even only apache processes when it's not that much, is fairly possible with mod_ruid2 installed.

It's a bit explained in these lines:
What mod_ruid2 does is lets the actual apache process run as the User as needed.
and
It runs php as the User (like suPhp and php-fpm) for the extra level of User segregation.
Which is from this thread:
http://forum.directadmin.com/showthread.php?t=45210&p=231300#post231300

I also have users different from apache, but if there are no (or only html) visitors (on our smaller server) we mostly get apache processes.
And on the more busyer servers we have combinations of different users and sometimes also apache.
 
Last edited:
Ah I missed something I see:
(also with apache, but many less than others).
That's quite correct. But you have a bigger company and lots of users, probably mostly using php, so then you will have lots of accountnames and only a few with apache.
 
Hi,

Is anyone using RGroups statemnt?
I've put in "main configuration" list of additional groups which I need and I'd like to clear these list for some virtual hosts.
I've put:

RMode stat
RGroups @none

in virtual server config file. UID and GID is set correctly but group list is not empty (the same as in main configuration file).....

Best regards

Piotr
 
Back
Top