Is my mod_ruid2 correct installed?

Aar

Verified User
Joined
Feb 10, 2005
Messages
89
Location
Netherlands
I wonder if I mod_ruid2 properly installed?

When i execute a PHP-script in my browser (www.sitename.com/test.php) with the contents:
Code:
<?php
print exec('whoami'); 
?>
I see my username in the output. (and not Apache)

Is my mod_ruid2 now properly installed?
The errorlog of httpd says this as a notice, when i restart Apache:
Code:
[Sun Oct 02 17:09:58 2011] [notice] mod_ruid2/0.9.4 enabled
 
Last edited:

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,818
Location
GMT +7.00
Yes, it seems so, while you see your username not apache in the script output.
 

Aar

Verified User
Joined
Feb 10, 2005
Messages
89
Location
Netherlands
It's very strange:

mod_ruid2 is loaded (and it gives me my username), while i don't have editted the httpd.conf.

Is this normal?

Normally you must add:
Code:
# mod_ruid
RMode config
RUidGid apache apache
But i don't have this, and it's working?
 

Aar

Verified User
Joined
Feb 10, 2005
Messages
89
Location
Netherlands
Is it needed, to update my vhost templates???

It also works without update them? How is this possible?
Any idea?
 
Last edited:

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,818
Location
GMT +7.00
Here is the link to HowTo on these forums http://www.directadmin.com/forum/showthread.php?t=37467

Here is the content of README file from mod_ruid2:

ABOUT
mod_ruid2 is a suexec module for apache 2.0, based on mod_ruid and mod_suid2

-it runs only on linux because afaik only linux has implemented posix 1003.1e capabilities
-it has better performance than mod_suid2 because it doesn`t need to kill httpd children
after one request. it makes use of kernel capabilites and after receiving a new request suids again.
-there are some security issues, for instance if attacker successfully exploits the httpd process,
he can set effective capabilities and setuid to root. i recommend to use some security patch in kernel (grsec),
or something..

-there are two main operation modes: stat and config
1. stat
is default, httpd setuid and setgid to uid and gid of requested filename(script)/directory
this is good if you use mod_vhost_alias for virtual hosting

2. config
like mod_suid2, you must define uid and gid

INSTALL
1. download and install latest libcap from here
2. run /apachedir/bin/apxs -a -i -l cap -c mod_ruid2.c
3. configure httpd.conf
4. restart apache

CONFIGURE OPTIONS:
RMode config|stat (default is stat)
RUidGid user|#uid group|#gid - when RMode is config, set to this uid and gid

RMinUidGid user|#uid group|#gid - when uid/gid is < than min uid/gid set to default uid/gid
RDefaultUidGid user|#uid group|#gid

RGroups group1 group2 - aditional groups set via setgroups

RDocumentChrRoot - Set chroot directory and the document root inside


EXAMPLE:

LoadModule ruid2_module modules/mod_ruid2.so
User apache
Group apache
RMode stat
RGroups apachetmp
RDocumentChRoot /home /example.com/public_html

NameVirtualHost 192.168.0.1
<VirtualHost example.com>
ServerAdmin webmaster@example.com
RDocumentChRoot /home /example.com/public_html
ServerName example.com
ServerAlias www.example.com
RMode config
RUidGid user1 group1
RGroups apachetmp

<Directory /home/example.com/public_html/dir>
RMode stat
</Directory>

<Directory /home/example.com/public_html/dir/test>
RMode config
RUidGid user2 group2
RGroups groups1
</Directory>

<Directory /home/example.com/public_html/dir/test/123>
RUidGid user3 group3
</Directory>

<Location /yustadir>
RMode config
RUidGid user4 user4
RGroups groups4
</Location>

</VirtualHost>

<VirtualHost example.net>
ServerAdmin webmaster@example.net
DocumentRoot /home/example.net/public_html
ServerName example.net
ServerAlias www.example.net
</VirtualHost>
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,818
Location
GMT +7.00
So you might want to use as

1. stat
is default, httpd setuid and setgid to uid and gid of requested filename(script)/directory
this is good if you use mod_vhost_alias for virtual hosting
But there might come issues with phpMyAdmin/webmails. Never checked it, so you might want to try and share your results with us.
 

Aar

Verified User
Joined
Feb 10, 2005
Messages
89
Location
Netherlands
Yes, with the stat-option it's possible to run all under the username, without edit the vhosts.
 
Top