php-fpm and mod_ruid2

ju5t

Lately I've been testing if it would be possible to run mod_ruid2 alongside php-fpm.

When I removed the check for fpm and ruid2 (I left the others intact) it had no problems building them both. I ran a few tests with php 5.6 and the latest version of 7. I also tested it with them both installed and switching between them through the web interface.

I wrote the patch that custombuild uses for mod_ruid2 so I know that if mod_security creates a file it will do it as the user that runs apache. I’ve tested it with both mod_ruid2 on and off and when it was off files were created as the apache user and when it was on it was creating them as the user who owns the apache process. That was expected since we know this functionality works but it made sense to test it.

At some point though it did seem as if an apache upgrade decided to rewrite the socket permissions of fpm to apache:apache. I’m not sure if it did. I couldn’t reproduce it anymore. After that fpm broke. I didn’t expect that to be honest as the group was still set to apache. Restarting fpm was sufficient to reset the permissions.

Is there any reason for mod_ruid2 to be disabled when running php-fpm? In the end it's not just php that we want to secure.
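
A check for the socket ownership drift described in the post above, as an added example that is not part of the original post or of CustomBuild. It assumes one socket per account named `<user>.sock`, expected ownership `<user>:apache`, and GNU `stat`; the function names and sample paths are hypothetical.

```shell
#!/bin/sh
# Added example: flag php-fpm sockets whose ownership or mode has drifted.
# Assumptions (not from the thread): sockets are named <user>.sock and
# should be owned by <user> with the web server group, not world-accessible.

WEB_GROUP="${WEB_GROUP:-apache}"

# Reads "owner group mode path" records on stdin, the format produced by
# GNU stat -c '%U %G %a %n', and prints one line per finding.
check_socket_records() {
    while read -r owner group mode path; do
        [ -n "$path" ] || continue
        user="$(basename "$path" .sock)"
        if [ "$owner" != "$user" ]; then
            echo "OWNER $path is owned by $owner, expected $user"
        fi
        if [ "$group" != "$WEB_GROUP" ]; then
            echo "GROUP $path has group $group, expected $WEB_GROUP"
        fi
        # A non-zero last octal digit means "other" has some access.
        case "$mode" in
            *[1-7]) echo "MODE $path is accessible to other ($mode)" ;;
        esac
    done
}

# Collects records for every socket under a directory and checks them.
# Usage: audit_socket_dir /path/to/socket/directory
audit_socket_dir() {
    find "$1" -type s -exec stat -c '%U %G %a %n' {} + | check_socket_records
}

# Constructed sample records: the second one shows the apache:apache
# ownership described in the post, the third a wrong group and open mode.
sample_records() {
    cat <<'EOF'
alice apache 660 /tmp/sockets/alice.sock
apache apache 660 /tmp/sockets/bob.sock
carol carol 666 /tmp/sockets/carol.sock
EOF
}

sample_records | check_socket_records
```

Running `audit_socket_dir` before and after an Apache rebuild shows whether the rebuild touched the sockets; no output means every socket matched the expected ownership.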
 

ju5t

A quick update:

It's possible to run mod_ruid2 alongside php-fpm since CB 2.0 rev. 1632. The bug where php-socket permissions were changed after an apache rebuild is solved in CB 2.0 rev. 1647. Thanks Martynas!
 

BBM

Thanks.
I'd like to install a 2nd PHP (7) on my server but didn't want to lose mod_ruid2 on the main PHP (5.6), so I've held it off for some time already.
 

jonium

Instead I had PHP 5.6.38 mod-php with mod_ruid2 and have just installed 7.2 php-fpm as 2nd release.
It all seems to be correct, but in the Custom HTTPD Configurations I see all sites seem to be using the 7.2 version, which is not true.
 

Richard G

So this is an old post, but I would like to know if these issues are fixed in the meantime.
For example, that the wrong PHP version is stated as being used. I know http2 is not possible in that case, but that's not a problem to me.

Is it now possible to run mod_ruid2 on php 7.3 as first php and run other php versions with php-fpm at the same time?
Without problems?
 

Active8

@Richard G somewhere I found an (old?) howto in my archive, maybe it helps. I didn't check it myself, but maybe this can push you in the right direction.

Code:
Verify the first few lines match or occur at least once throughout the file:

php1_release=7.3 (or desired php)
php1_mode=php-fpm
php2_release=5.6 (or desired php)
php2_mode=php-fpm

If not, please rerun the commands above.
Step 3: Recompiling PHP

Recompile PHP and rewrite the configurations:

./build php n
./build rewrite_confs
-----------------------------------------------------------------------------------------

I wanted to enable mod_ruid2 for only a few domains and did the following:

Build mod_ruid2.so:
# ./build set mod_ruid2 yes
# ./build mod_ruid2
# ./build set mod_ruid2 no
# ./build rewrite_confs

Add this to /etc/httpd/conf/extra/httpd-includes.conf:
LoadModule ruid2_module /usr/lib/apache/mod_ruid2.so
# ./build rewrite_confs

Add this to the Custom HTTPD Configuration for the chosen domains:
Code:

    <IfModule mod_ruid2.c>
        <Directory |DOCROOT|>
            RMode config
            RUidGid |USER| |GROUP|
            RGroups apache access
            #RGroups @none
        </Directory>
    </IfModule>

In all other domains the php1 and php2 configs remained as in options.conf
 

Richard G

@Active8 Thank you for the howto. However, I would like to know if it's possible the "normal" way, by just having php 7.3 as first php with mod_ruid2 enabled and adding a second php (like php 7.4) with php-fpm without problems.
If that is not the case, we'll just wait to change everything to php-fpm when needed.
 