View Full Version : [HOWTO] mod_ruid2



daveyw
08-26-2010, 02:42 PM
Hello everyone,

Since there are a lot of people asking for it, here is my HowTo about mod_ruid2.
This is based on my CentOS server with Apache 2.x.

With this module installed it is no longer needed to chmod config files to 666 or upload/attachment directories to 777, since with this module enabled everything served over HTTP will run under the user itself and not as 'apache' anymore.

** If you are using mod_ruid instead of mod_ruid2, first of all remove the mod_ruid line from '/etc/httpd/conf/httpd.conf'

First, we are going to install libcap-devel:

yum -y install libcap-devel

After this is done we are going to download and install mod_ruid2:

wget -O mod_ruid2-0.9.6.tar.bz2 "http://downloads.sourceforge.net/project/mod-ruid/mod_ruid2/mod_ruid2-0.9.6.tar.bz2?r=&ts=1335638772&use_mirror=kent"
tar xjf mod_ruid2-0.9.6.tar.bz2
cd mod_ruid2-0.9.6
apxs -a -i -l cap -c mod_ruid2.c

Now, if you didn't get any errors, mod_ruid2 should be installed and added to '/etc/httpd/conf/httpd.conf'.
Let's confirm mod_ruid2 is added:

grep 'mod_ruid2' /etc/httpd/conf/httpd.conf

If you get a response like the one below, it's installed:

LoadModule ruid2_module /usr/lib/apache/mod_ruid2.so

Now we need to modify the DA httpd.conf templates a little bit to enable mod_ruid2 for the users.

Copy the template files to custom:

cd /usr/local/directadmin/data/templates/
cp virtual_host2* custom/
chown -R diradmin:diradmin custom/

Now you have copied the original templates to the 'custom' directory, so they won't be overwritten.

cd /usr/local/directadmin/data/templates/custom/

Now follow the steps below for each virtual_host2 file you've copied:

nano -w virtual_host2.conf
## replace line: SuexecUserGroup |USER| |GROUP|
## replace with: #SuexecUserGroup |USER| |GROUP|
## Add the lines below under the just replaced line
RMode config
RUidGid |USER| |GROUP|
RGroups apache

Save the files and let's rewrite the HTTPd config files:

echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue

If you want, you can start the rewrite of the HTTPd config files manually; just paste the line below and wait until it's done:

/usr/local/directadmin/dataskq d800

After the rewrite is complete you can restart HTTPd with the command below:

/etc/init.d/httpd restart

Now mod_ruid2 should be installed and you don't need to chmod anymore like 'chmod 666 config.php' or 'chmod 777 uploads'.

To be sure the webmail clients etc. still work we need to change the owner permissions:

chown -R webapps:webapps /var/www/html

Edit by NoBaloney; see posts 324 and 325, page 17 of this thread:
And last you need to modify httpd-directories.conf:

nano -w /etc/httpd/conf/extra/httpd-directories.conf

Add the RUidGid line below between <Directory "/var/www/html"> and </Directory>:

<Directory "/var/www/html">
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
<IfModule mod_suphp.c>
suPHP_Engine On
suPHP_UserGroup webapps webapps
SetEnv PHP_INI_SCAN_DIR
</IfModule>
RUidGid webapps webapps
</Directory>
* Thanks to Arieh for this change.
End edit by NoBaloney

** Questions with Answers **
-------------------------------------------------------
Q: How can I test this is working?
A: Easy, install some CMS that you have used before, like Wordpress or Joomla, that required (before!!) chmod 666 or 777 to get installed/working.

Q: I've dirs/files owned by apache for some users, must I change this?
A: Yes, you need to make the user itself the owner of the dirs/files, not apache anymore. Check below.
Thanks to snk for the commands below, to fix the owner permissions of the dirs/files:

cd /usr/local/directadmin/scripts && ./set_permissions.sh user_homes
find /home/*/domains/*/public_html -type d -print0 | xargs -0 chmod 711
find /home/*/domains/*/public_html -type f -print0 | xargs -0 chmod 644
find /home/*/domains/*/public_html -type f -name '*.cgi*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pl*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pm*' -exec chmod 755 {} \;
cd /usr/local/directadmin/data/users && for i in *; do chown -R "$i:$i" /home/"$i"/domains/*/public_html; done

* Added '&&' so if they do a typo, it won't change anything.

Q: Installing/updating HTTPd to 2.4.x?
A: Then you need to update mod_ruid2 also. The workaround is:

wget -O mod_ruid2-0.9.4.tar.bz2 "http://downloads.sourceforge.net/project/mod-ruid/mod_ruid2/mod_ruid2-0.9.4.tar.bz2?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fmod-ruid%2Ffiles%2Fmod_ruid2%2F&ts=1330166943&use_mirror=kent"
tar xjf mod_ruid2-0.9.4.tar.bz2
cd mod_ruid2-0.9.4
perl -pi -e 's/unixd_config/ap_unixd_config/' mod_ruid2.c
perl -pi -e 's/#include "mpm_common.h"/#include "mpm_common.h"\n#include "unixd.h"/' mod_ruid2.c
apxs -a -i -l cap -c mod_ruid2.c

Thanks to smtalk!


If you are missing a question, or you have a question, please let me know and I'll try to answer it for you! :D
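As an added check (example code written for this page, not part of daveyw's HowTo): after the rewrite, run this over the per-user httpd.conf files DirectAdmin generates (/usr/local/directadmin/data/users/USERNAME/httpd.conf) to confirm each VirtualHost got the RMode/RUidGid lines, that the RUidGid user matches the /home/<user> in DocumentRoot, and that SuexecUserGroup is no longer active. The configuration embedded below is constructed for the demo.

```sh
#!/bin/sh
# Added example: verify that every <VirtualHost> in a DirectAdmin-generated
# httpd.conf carries the mod_ruid2 directives from the HowTo and that the
# RUidGid user matches the account owning the DocumentRoot (/home/<user>/...).

# check_ruid_vhosts FILE -> prints one line per problem, exit status 1 if any
check_ruid_vhosts() {
    awk '
        { key = tolower($1) }               # directive names are case-insensitive
        key == "<virtualhost" {
            invh = 1; name = ""; docroot = ""; ruid = ""; rmode = ""; suexec = 0
            next
        }
        !invh { next }
        key == "servername"      { name = $2 }
        key == "documentroot"    { docroot = $2 }
        key == "ruidgid"         { ruid = $2 }
        key == "rmode"           { rmode = tolower($2) }
        key == "suexecusergroup" { suexec = 1 }   # "#SuexecUserGroup" gives key "#suexecusergroup", so commented lines do not match
        key == "</virtualhost>" {
            invh = 0
            if (name == "") name = docroot
            # DirectAdmin document roots look like /home/<user>/domains/...; extract <user>
            owner = docroot
            if (sub("^/home/", "", owner)) sub("/.*$", "", owner); else owner = ""
            if (ruid == "") {
                print name ": no RUidGid directive, requests would still run as the apache user"; n++
            } else if (owner != "" && ruid != owner) {
                print name ": RUidGid " ruid " does not match DocumentRoot owner " owner; n++
            }
            if (ruid != "" && rmode != "config") {
                print name ": RUidGid set but RMode is not config"; n++
            }
            if (suexec) {
                print name ": SuexecUserGroup still active alongside mod_ruid2"; n++
            }
        }
        END { exit (n > 0) }
    ' "$1"
}

# write_sample_config FILE -> constructed per-user httpd.conf with three vhosts:
# one converted correctly, one pointing at the wrong user, one still on the suexec template
write_sample_config() {
    cat > "$1" <<'EOF'
<VirtualHost 192.0.2.10:80 >
ServerName www.alice.example
DocumentRoot /home/alice/domains/alice.example/public_html
#SuexecUserGroup alice alice
RMode config
RUidGid alice alice
RGroups apache
</VirtualHost>
<VirtualHost 192.0.2.10:80 >
ServerName www.carol.example
DocumentRoot /home/carol/domains/carol.example/public_html
#SuexecUserGroup carol carol
RMode config
RUidGid bob bob
RGroups apache
</VirtualHost>
<VirtualHost 192.0.2.10:80 >
ServerName www.dave.example
DocumentRoot /home/dave/domains/dave.example/public_html
SuexecUserGroup dave dave
</VirtualHost>
EOF
}

demo() {
    cfg=$(mktemp)
    write_sample_config "$cfg"
    if check_ruid_vhosts "$cfg"; then
        echo "all vhosts carry matching mod_ruid2 directives"
    else
        echo "mod_ruid2 configuration problems listed above"
    fi
    rm -f "$cfg"
}

demo
```

On a real box replace the constructed file with `for f in /usr/local/directadmin/data/users/*/httpd.conf; do check_ruid_vhosts "$f"; done`.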

snk
08-26-2010, 07:49 PM
Hi.
Thanks for the How-to.

For those who use Debian:

aptitude install libcap2-dev



Q: I've dirs/files owned by apache for some users, must I change this?
A: Yes, you need to give the dirs/files owner of the user itself, not apache anymore.


If you allow, I will add this part to your how-to:


cd /usr/local/directadmin/scripts && ./set_permissions.sh user_homes
find /home/*/domains/*/public_html -type d -print0 | xargs -0 chmod 711
find /home/*/domains/*/public_html -type f -print0 | xargs -0 chmod 644
cd /usr/local/directadmin/data/users
for i in *; do chown -R "$i:$i" /home/"$i"/domains/*/public_html; done

It will reset the owner of directories/files to the users.

daveyw
08-27-2010, 12:28 AM
Thanks snk for adding this, I've added it to my post as well, with thanks to you!
If someone has any questions, just ask here please!

nobaloney
08-27-2010, 07:58 AM
Would someone please explain why one would use mod_ruid2 instead of suPHP?

Thanks.

Jeff

daveyw
08-27-2010, 08:21 AM
Would someone please explain why one would use mod_ruid2 instead of suPHP?

What I know about it is that people can set their own PHP settings etc. to overrule it. With mod_ruid that is not possible.

nobaloney
08-28-2010, 12:34 PM
Can you explain in more detail what people can override with suPHP that they cannot override using mod_ruid, and how?

Jeff

Arieh
08-28-2010, 06:58 PM
As I understand it, the main reason to go for ruid is speed. Another benefit may be that the whole vhost is running under its own user, instead of only PHP (I think).

It uses posix 1003.1e capabilities, so it can switch uids of child processes. This way, it doesn't need to create and kill new child processes the whole time, which is the case with suphp (and mod_suid).

What mod_ruid (and mod_suid) say in their READMEs is the following security issue:


there are some security issues, for instance if attacker successfully exploits the httpd process, he can set effective capabilities and setuid to root. i recommend to use some security patch in kernel (grsec), or something..

A howto and additional information on rsbac would be very appreciated! :)

Vibe
09-21-2010, 08:49 AM
Does anyone know if mod_ruid2 is compatible with FreeBSD 7.X?

On the older mod_ruid site the author states:


-it runs only on linux because afaik only linux has implemented posix 1003.1e capabilities

FreeBSD is "POSIX-compliant" so I would presume only minor issues might crop up. Any ideas?

daveyw
09-21-2010, 02:32 PM
Does anyone know if mod_ruid2 is compatible with FreeBSD 7.X?

You could try it on a test server with FreeBSD 7.x?
We don't have any BSD systems so I can't test it for you.

Vibe
09-21-2010, 06:35 PM
That's exactly what I need to do :). I have been anxiously looking for a solution like this that doesn't utilize a lot of resources. I'll keep my fingers crossed and post back with my results.

Thanks much daveyw for the detailed how-to, it is greatly appreciated.

jimmy1987
09-23-2010, 02:21 PM
Would someone please explain why one would use mod_ruid2 instead of suPHP?

Thanks.

Jeff

The big advantage over suphp when using mod_ruid is that you can still use any accelerator like memcache, php accelerator etc etc.

And one can just use 1 php.ini for all sites.

nobaloney
09-23-2010, 09:09 PM
And one can just use 1 php.ini for all sites.
Is that an advantage? Or a disadvantage?

Jeff

massive
10-02-2010, 03:04 AM
I've found that mod_ruid isn't compatible with PHP4 installed as CGI (and PHP installed as mod_php).

Anybody who has the same problem?

mjokiel
10-05-2010, 03:14 AM
Could somebody let me know why I still have some processes owned by apache?

apache 11568 5877 1 12:10 ? 00:00:01 /usr/sbin/httpd -k start -DSSL
apache 11782 5877 1 12:10 ? 00:00:01 /usr/sbin/httpd -k start -DSSL
apache 11949 5877 0 12:11 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 11954 5877 0 12:11 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 11960 5877 0 12:11 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 13394 5877 0 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 13404 5877 2 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 13414 5877 0 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 13415 5877 0 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 13416 5877 0 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 13417 5877 0 12:12 ? 00:00:00 /usr/sbin/httpd -k start -DSSL

rest of the processes are under the user.

daveyw
10-05-2010, 03:19 AM
Could somebody let me know why i have still some processes owned by apache?

apache 11568 5877 1 12:10 ? 00:00:01 /usr/sbin/httpd -k start -DSSL
apache 11782 5877 1 12:10 ? 00:00:01 /usr/sbin/httpd -k start -DSSL

rest of the processes are under the user.

That's because not everything running on the server is from the users. You also have http://hostname/webmail etc.

Arieh
10-05-2010, 03:32 AM
In my experience that is also how it works: there is a certain number of children, and when a request comes in from a website, a child's user gets swapped with that website's user. A second later, when the request is finished, it swaps back to apache waiting for another request.

So if you monitor processes with an interval of a few seconds you don't see all users showing up even though there are requests. But if there's a high load from one or more children, it probably means that a user's website is causing it, so the request takes long - and you do see the user causing it - so you know where to look.

mjokiel
10-05-2010, 03:35 AM
But as you can see below there is a process under root user:

root 15367 1 0 12:14 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 7813 15367 1 12:31 ? 00:00:01 /usr/sbin/httpd -k start -DSSL
apache 9251 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9281 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9290 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9291 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9302 15367 1 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9309 15367 1 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9311 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9321 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9331 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL
apache 9332 15367 0 12:32 ? 00:00:00 /usr/sbin/httpd -k start -DSSL

and this process is a parent process and other are child processes of the pid 15367.

Arieh
10-05-2010, 03:48 AM
Yes, Apache runs as root, and it creates children with the user apache (and in the case of ruid, that user gets swapped).

mjokiel
10-05-2010, 03:55 AM
I also read about some security issue; unfortunately I am using OpenVZ and the OpenVZ kernel does not work with grsecurity either.

Do you know some ways of protection?

Arieh
10-05-2010, 03:59 AM
Afraid I do not. My kernel was already patched with grsecurity before I used ruid, I later found out. I'm not sure if a "standard patch" is enough though. Maybe someone else knows.

mjokiel
10-05-2010, 04:13 AM
Are you using somehow in mod_ruid2:

RDocumentChRoot - Set chroot directory and the document root inside

Arieh
10-05-2010, 05:37 AM
I haven't, but maybe we should. As I understand it, it's just a replacement for a regular DocumentRoot. It would mean that DocumentRoot should be replaced with RDocumentChRoot in the templates.

As it is yet another extra chroot, you could run into problems so before rolling it out for all domains you could test it first on one or a few domains. I'm gonna see what happens.

edit: tried a bit, and I don't get it working. You need 2 parameters:

RDocumentChRoot /home/user /domains/domain.tld/public_html

(so I just made a space between user /domains)

And I get
CRITICAL ERROR ruid_setup:cap_set_proc failed
domain.tld GET / HTTP/1.1 chroot to /home/user failed

So I'll leave this for now.

snk
10-14-2010, 08:18 AM
daveyw, maybe it is worth adding a few more changes to the HowTo.
If customers use Perl or CGI scripts, the permissions of these files need to be changed:


find /home/*/domains/*/public_html -type f -name '*.cgi*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pl*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pm*' -exec chmod 755 {} \;

daveyw
10-14-2010, 08:22 AM
snk, just added the items to my HowTo. Thanks :)

mind
10-22-2010, 03:39 AM
snk, just added the items to my HowTo. Thanks :)
Version 0.9.1 of mod_ruid2 was released a few days ago.

http://sourceforge.net/projects/mod-ruid/files/latest/

This version drops the CAP_DAC_READ_SEARCH privilege if possible (no stat mode)

Ps. mind @ da forum == mind04 @ sourceforge ;)

snk
10-22-2010, 11:00 AM
mind, thank you for update.

daveyw
10-23-2010, 10:41 AM
Updated also my first post, with the new version.

@how@
11-09-2010, 07:15 AM
thanks but suPHP better :)

Wael

daveyw
11-09-2010, 07:18 AM
thanks but suPHP better :)

To each his own, we like mod_ruid(2) more :)

We have had no problems with mod_ruid2 since we started using it, and our servers are safer now :)

But everyone is free to make his own decision.

nobaloney
11-09-2010, 10:16 AM
thanks but suPHP better :)
Do you have a reason? Or is this just your opinion?

Jeff

@how@
11-10-2010, 08:23 AM
Opinion, but mod_ruid is faster.

Wael

nobaloney
11-10-2010, 12:11 PM
opinion, but mod_ruid faster.
On a server with insufficient resources this makes sense, since running PHP as a cgi definitely uses more resources.

I'm curious if anyone has tested mod_ruid on older servers or smaller VPS servers, where PHP as cgi often has problems.

Jeff

mjokiel
11-11-2010, 05:30 AM
Does somebody know why these errors are appearing?

[Thu Nov 11 14:19:36 2010] [error] mod_ruid2 CRITICAL ERROR ruid_setup:cap_set_proc failed
[Thu Nov 11 14:19:36 2010] [error] mod_ruid2 CRITICAL ERROR ruid_uiiii:cap_set_proc failed before setuid
[Thu Nov 11 14:19:36 2010] [error] mod_ruid2 CRITICAL ERROR ruid_setup:cap_set_proc failed
[Thu Nov 11 14:19:36 2010] [error] mod_ruid2 CRITICAL ERROR ruid_uiiii:cap_set_proc failed before setuid
[Thu Nov 11 14:19:36 2010] [error] mod_ruid2 CRITICAL ERROR ruid_setup:cap_set_proc failed
[Thu Nov 11 14:19:36 2010] [error] mod_ruid2 CRITICAL ERROR ruid_uiiii:cap_set_proc failed before setuid
[Thu Nov 11 14:19:36 2010] [error] mod_ruid2 CRITICAL ERROR ruid_setup:cap_set_proc failed
[Thu Nov 11 14:19:36 2010] [error] mod_ruid2 CRITICAL ERROR ruid_uiiii:cap_set_proc failed before setuid
[Thu Nov 11 14:19:36 2010] [error] mod_ruid2 CRITICAL ERROR ruid_setup:cap_set_proc failed
[Thu Nov 11 14:19:36 2010] [error] mod_ruid2 CRITICAL ERROR ruid_uiiii:cap_set_proc failed before setuid

@how@
11-17-2010, 05:42 AM
On a server with insufficient resources this makes sense, since running PHP as a cgi definitely uses more resources.

I'm curious if anyone has tested mod_ruid on older servers or smaller VPS servers, where PHP as cgi often has problems.

Jeff

Tested on an old P4 server and a VPS with a 1 GHz CPU, works better than before lol :)
mod_ruid2 is better than suPHP

Wael

asking
11-20-2010, 10:01 PM
thanks... a lot bro..!

iprodua
12-09-2010, 07:39 PM
I use now Apache ITK (http://mpm-itk.sesse.net/)

Which is better mod_ruid2 or mpm-ITK?

snk
12-10-2010, 08:07 PM
For some admins ruid2 is better than other solutions.
Some time ago I did my own tests. By my tests ruid2 is faster.

iprodua, if you want you can contact me (I can speak Russian ;).

iprodua
12-11-2010, 11:11 PM
For some admins ruid2 is better than other solutions.
Some time ago I did my own tests. By my tests ruid2 is faster.

Iprodua, if you want you can contact me (I can speak Russian ;).

thnx...)))

ViAdCk
12-13-2010, 06:12 AM
Sounds like a very nice option, but reading a little bit it looks like it could be insecure to run a default centos kernel with this? What are the real risks involved?

Cheers!

cyberneticos
12-16-2010, 04:01 PM
Hello, I am very interested in using this mod. For safety reasons basically and for speed if that's a side effect.

But I'm a bit scared to use it. Would it be recommended in a shared server scenario with 90 users and 300 sites, for example?

nobaloney
12-17-2010, 12:49 PM
Sounds like a very nice option, but reading a little bit it looks like it could be insecure to run a default centos kernel with this? What are the real risks involved?
What have you seen that makes you think it could be insecure to use it with a default CentOS kernel? What have you read?

Jeff

cyberneticos
12-17-2010, 03:05 PM
Got it from the readme once you download the mod:

-there are some security issues, for instance if attacker successfully exploits the httpd process, he can set effective capabilities and setuid to root. i recommend to use some security patch in kernel (grsec),
or something..

That's kinda scary, but it might be because I'm no expert and maybe this is normal or expected.

jml75
12-19-2010, 07:03 PM
Hi guys,

I just heard of mod_ruid2 and I find it very interesting but there isn't much information about it out there.

So do you know if mod_ruid2 is compatible with mod_php and with mod_vhost_alias?

Also, have you ever played with RDocumentChRoot?

Thanx!

SeLLeRoNe
12-21-2010, 04:01 AM
EDIT: my problem is not related to ruid but to mod_security, bad posting.

Regards

pppplus
01-23-2011, 02:03 AM
Hi,

I tried to install mod_ruid2, but stopped. Sites were unavailable; I got the message "Forbidden" when I wanted to access them.

I stopped just after:

/etc/init.d/httpd restart

So I did not modify permissions on files.
I prefer to stop, because after changing permissions it's difficult to go back to the previous permissions.

I get an error when I run /usr/local/directadmin/dataskq d800 :

MimeTypes::readFile(): Unable to open /usr/local/directadmin/data/users/admin/domains/5go.fr.handlers for reading
for each domain

I think about another problem:
I have some files in the cgi folder with permissions 755, but these files are not .cgi or .pl (they have no extension).
So how to modify the script so it does not touch files with 755 permissions?
This script:

cd /usr/local/directadmin/scripts && ./set_permissions.sh user_homes
find /home/*/domains/*/public_html -type d -print0 | xargs -0 chmod 711
find /home/*/domains/*/public_html -type f -print0 | xargs -0 chmod 644
find /home/*/domains/*/public_html -type f -name '*.cgi*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pl*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pm*' -exec chmod 755 {} \;
cd /usr/local/directadmin/data/users && for i in *; do chown -R "$i:$i" /home/"$i"/domains/*/public_html; done

Thanks for your help
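One way to do what this post asks, as an added example that is not part of the thread: the same reset of modes as the HowTo's commands, but files that already carry an execute bit (such as extensionless CGI programs) are left executable instead of being forced to 644. The /home layout is the DirectAdmin one from the thread; the sample tree is constructed.

```sh
#!/bin/sh
# Added example: normalise modes under every public_html like the HowTo does
# (dirs 711, content 644, scripts 755) without clobbering files that are
# already executable, so CGI programs without a .cgi/.pl/.pm name keep working.

# fix_public_html_modes HOMEROOT [chown]
#   HOMEROOT holds the user homes (/home on a DirectAdmin box).
#   Pass "chown" as the second argument to also hand the files back to their
#   user; that needs root and real accounts, so the demo below leaves it out.
fix_public_html_modes() {
    homeroot=$1
    do_chown=${2:-}
    for pub in "$homeroot"/*/domains/*/public_html; do
        [ -d "$pub" ] || continue
        # directories: owner full access, others may only traverse (the HowTo's 711)
        find "$pub" -type d -exec chmod 711 {} +
        # regular files with no owner execute bit are plain content: 644
        find "$pub" -type f ! -perm -100 -exec chmod 644 {} +
        # files that already have an execute bit keep it, normalised to 755
        find "$pub" -type f -perm -100 -exec chmod 755 {} +
        # well-known script suffixes that had lost their bit get it back
        find "$pub" -type f \( -name '*.cgi' -o -name '*.pl' -o -name '*.pm' \) -exec chmod 755 {} +
        if [ "$do_chown" = chown ]; then
            # the account name is the path component directly under HOMEROOT,
            # derived from the path instead of parsing `ls` output
            user=${pub#"$homeroot"/}
            user=${user%%/*}
            chown -R "$user:$user" "$pub"
        fi
    done
}

# has_mode PATH OCTAL -> true when PATH has exactly those permission bits
# (uses find -perm so it works without GNU stat)
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

# Constructed tree: one account with a world-writable config, an open uploads
# directory, an extensionless CGI and a .cgi that lost its execute bit.
demo() {
    base=$(mktemp -d)
    pub="$base/alice/domains/alice.example/public_html"
    mkdir -p "$pub/cgi-bin" "$pub/uploads"
    : > "$pub/config.php";      chmod 666 "$pub/config.php"      # the chmod 666 mod_ruid2 makes unnecessary
    : > "$pub/cgi-bin/counter"; chmod 755 "$pub/cgi-bin/counter"  # CGI without an extension
    : > "$pub/cgi-bin/old.cgi"; chmod 644 "$pub/cgi-bin/old.cgi"  # script that lost its execute bit
    chmod 777 "$pub/uploads"
    fix_public_html_modes "$base"
    ls -lR "$pub"
    rm -rf "$base"
}

demo
```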

massive
01-23-2011, 05:44 AM
I just installed mod_ruid2 on a new VPS and I am trying to install Joomla and I am getting the following error:

configuration.php not Writable

SeLLeRoNe
01-23-2011, 05:48 AM
massive, contact me on MSN, I can check it for you.

regards

massive
01-23-2011, 07:09 AM
Thanks Andrea.
Problem solved. Wrong permissions in the parent folder.

massive
01-31-2011, 07:03 AM
Does anybody have experience with mod_ruid2 and mpm_worker_module
working together?

defomaz
01-31-2011, 03:21 PM
Just a report:
I've used mod_ruid + eAccelerator and then got trouble with user quota.
The user usage status in DirectAdmin/repquota is 4x bigger and not the same as the current user usage in his own directory /home/user/

After investigating, I finally found that the eAccelerator cache files are also owned by the user, not root,
so when DirectAdmin counts quota, the eAccelerator cache is also counted.

I'm still searching for a solution, how to force the eAccelerator cache to be owned by root.

Thanks

snk
02-01-2011, 02:53 AM
I think there is nothing wrong; these are the user's files, so they will be counted.
The ea cache will be owned by root if you run PHP as root, but that is the wrong way.

Try to store the ea cache on a partition that does not have quota.

zaja
02-03-2011, 04:12 AM
Does anybody know how to upgrade mod_ruid2 from 0.9.1 to 0.9.3?

snk
02-03-2011, 03:58 PM
look at first message


wget http://dave.t0xic.nl/tars/mod_ruid2-0.9.3.tar.bz2
tar xjf mod_ruid2-0.9.3.tar.bz2
cd mod_ruid2-0.9.3
apxs -a -i -l cap -c mod_ruid2.c

and restart httpd

SeLLeRoNe
02-04-2011, 12:05 AM
How can I determine which version is installed on my server?

mind
02-04-2011, 12:28 AM
how can i determinate which version is installed on my server?

Version information is written to your httpd error log on startup.

SeLLeRoNe
02-04-2011, 12:31 AM
thanks a lot :)

zaja
02-04-2011, 03:59 AM
look at first message

and restart httpd

Thanks, just upgraded.

defomaz
02-28-2011, 12:57 PM
Hello, do you know or use CloudLinux (www.cloudlinux.com)?
Now CloudLinux supports mod_ruid2; it seems I'm the first who uses CloudLinux with mod_ruid2.
Not more than 1 week after submitting a ticket request, mod_ruid2 was added to the CloudLinux modhostinglimit.

ViAdCk
03-02-2011, 04:53 PM
I have activated mod_ruid2 on one server and a user is having problems with his cgi scripts. This is in the domain error log:

(13)Permission denied: exec of '/home/user/domains/domain.com/public_html/cgi-bin/count/tc.cgi' failed, referer: http://www.domain.com/
Premature end of script headers: tc.cgi, referer: http://www.domain.com/

The cgi-bin folder has 711 permissions and the cgi script 755 permissions.

Any thoughts?

daveyw
03-03-2011, 12:48 AM
(13)Permission denied: exec of '/home/user/domains/domain.com/public_html/cgi-bin/count/tc.cgi' failed, referer: http://www.domain.com/
Premature end of script headers: tc.cgi, referer: http://www.domain.com/

Before we can say what the problem is, we would like to see what the first 5 lines are.

Have you had this problem since you started using mod_ruid2, or not?
I can also remember something about
chmod 711 /usr/sbin/suexec
and then restarting HTTPd.

ViAdCk
03-03-2011, 01:26 AM
I don't understand what you mean with "what the first 5 lines are".

Yes, this started happening right after installing mod_ruid2. I have chmoded /usr/sbin/suexec to 711 and restarted httpd but the problem persists.

zEitEr
03-03-2011, 01:36 AM
ls -l /home/user/domains/domain.com/public_html/cgi-bin/count/tc.cgi

???

ViAdCk
03-03-2011, 02:32 AM
This is the result


-rwxr-xr-x 1 user user 8624 Feb 15 2010 /home/user/domains/domain.com/public_html/cgi-bin/count/tc.cgi

daveyw
03-03-2011, 02:45 AM
I don't understand what you mean with "what the first 5 lines are"

Please show the first 5 lines of the CGI file (source)

zEitEr
03-03-2011, 03:03 AM
And will you show the httpd.conf for that domain?

ViAdCk
03-03-2011, 03:20 AM
These are the first 5 lines of the cgi file:


#!/usr/bin/perl
#
################################################ #####################
###
###


This is the httpd.conf (I have changed IP, user and domain):


<VirtualHost 000.000.000.000:80 >


ServerName www.domain.com
ServerAlias www.domain.com domain.com
ServerAdmin webmaster@domain.com
DocumentRoot /home/user/domains/domain.com/public_html
ScriptAlias /cgi-bin/ /home/user/domains/domain.com/public_html/cgi-bin/

UseCanonicalName OFF

#SuexecUserGroup user user
RMode config
RUidGid user user
RGroups apache
CustomLog /var/log/httpd/domains/domain.com.bytes bytes
CustomLog /var/log/httpd/domains/domain.com.log combined
ErrorLog /var/log/httpd/domains/domain.com.error.log

<Directory /home/user/domains/domain.com/public_html>
Options +Includes -Indexes

php_admin_flag engine ON
<IfModule !mod_php6.c>
php_admin_flag safe_mode OFF
</IfModule>
php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f user@domain.com'


php_admin_value open_basedir /home/user/:/tmp:/var/tmp:/usr/local/lib/php/


</Directory>



</VirtualHost>

Thanks a lot for your interest!

daveyw
03-03-2011, 04:13 AM
What do you get if you do
ls -lah /usr/bin/perl

ViAdCk
03-03-2011, 04:28 AM
This is the result:


-rwx---r-x 2 root apache 19K Sep 28 14:53 /usr/bin/perl

zEitEr
03-03-2011, 04:36 AM
chmod 755 /usr/bin/perl

ViAdCk
03-03-2011, 04:50 AM
I think that's it. Thanks!!

daveyw
03-03-2011, 05:18 AM
I think that's it. Thanks!!

Also it should be root:root and not root:apache
chown root:root /usr/bin/perl

nobaloney
03-03-2011, 12:38 PM
Also it should be root:root and not root:apache
That shouldn't really matter; apache has the same permissions under both ownership scenarios.

Jeff

ViAdCk
03-09-2011, 07:58 AM
I'm having another issue with a client. He says that after installing mod_ruid2 the emails sent from php forms are now sent from "username@server.hostname.com". Do you guys know if this has anything to do with mod_ruid2 and if yes, how to solve it?

Thanks again :)

ditto
03-09-2011, 08:25 AM
I'm having another issue with a client. He says that after installing mod_ruid2 the emails sent from php forms are now sent from "username@server.hostname.com". Do you guys know if this has anything to do with mod_ruid2 and if yes, how to solve it?

I am running suPHP, and have the same "problem". All emails sent from PHP scripts have "username@server.hostname.com" as sender. I do not know if it is possible to change this on a server with more than one user.

SeLLeRoNe
03-09-2011, 08:40 AM
Use SMTP auth; that should be the normal way to send mail out, using SMTP instead of the PHP function... because with that you can track which user is using those functions, to better find out spammers :)

OK, that sounds like very bad English, hope it is clear enough.

Regards

snk
03-10-2011, 07:22 AM
Not all scripts can use SMTP....

Try to add the code below in exim.conf. For me it fixed the issue with the sender.


local_from_check = false
local_sender_retain = true
untrusted_set_sender = *


Maybe Jeff will comment and suggest better solution.

nobaloney
03-10-2011, 08:25 AM
It looks okay but I'm not sure where you put it. Let me know and let me know if it continues to work for you without other changes.

Also, does it require mail be accepted from 127.0.0.1?

Jeff

snk
03-10-2011, 11:07 PM
I put it after this:


# TRUSTED USERS
trusted_users = mail:majordomo:apache:diradmin

nobaloney
03-11-2011, 12:38 PM
And does it require the 127.0.0.1 setting in exim.conf?

Jeff

snk
03-11-2011, 02:21 PM
if you mean about this:
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1

Then yes, I have it in my exim.conf and I didn't try without 127.0.0.1

thomasdk81
03-16-2011, 08:49 AM
I just installed mod_ruid2 using this How to.

The sessions which were stored in /tmp gave errors because of the now wrong ownership (I guess);
removing all sess_* files in /tmp resolved the issue.

Exim stopped receiving mails and this resolved it:
http://help.directadmin.com/item.php?id=245

I see some httpd owned by the users when I use
top
But the ones that are using cpu% are owned by apache.


6045 apache 20 0 199m 54m 4912 S 25.6 0.9 1:14.40 httpd
8868 apache 20 0 202m 57m 4912 S 18.3 1.0 1:05.12 httpd
10400 apache 20 0 197m 52m 5496 S 14.0 0.9 0:26.75 httpd
10401 apache 20 0 198m 53m 5572 S 11.3 0.9 1:18.23 httpd
5661 apache 20 0 198m 54m 5308 S 10.6 0.9 1:26.22 httpd
10572 apache 20 0 196m 51m 4660 S 9.6 0.9 0:20.64 httpd
5861 apache 20 0 199m 54m 4880 S 9.0 0.9 1:16.68 httpd

Is everything running as it should?

SeLLeRoNe
03-16-2011, 09:07 AM
I don't get how Exim should stop on the mod_ruid edit; maybe there was something related to Exim in the tmp folder...

Btw:

1. I suggest you use htop ;)
2. You should see some processes handled by a single username (have you restarted Apache? Any error?)
3. Check your /etc/httpd/conf/httpd.conf for the mod_ruid related line
4. Have you changed the httpd template and rewritten all of them for existing users?
5. No more ideas... :)

Regards

thomasdk81
03-16-2011, 09:45 AM
1: htop is not installed on my Centos box
2: I see some and I restarted apache with no errors
3: I did the check as per the how to
4: I have followed the how to and didn't get any errors. If I see some process handled by the users mod_ruid2 is working right?

I copied the templates to a folder called custom and edited the originals. Wasn't that the point?

Thanks for the quick reply :)

SeLLeRoNe
03-16-2011, 09:59 AM
No, the point is to copy the original to the custom directory and edit the one in custom :)

DirectAdmin re-creates the httpd confs checking custom first and, if custom doesn't exist, will take the original.

About htop, I was just suggesting to use that; in my opinion it works much better.

Regards

thomasdk81
03-16-2011, 10:46 AM
I edited the files in the custom folder and did the how to again from that part.
I installed htop and it looks great :)



1 [||||||||||||||||||| 21.8%] Tasks: 129 total, 1 running
2 [|| 1.0%] Load average: 0.31 0.33 0.35
3 [ 0.0%] Uptime: 8 days, 06:50:01
4 [ 0.0%]
5 [||| 1.9%]
6 [| 0.1%]
7 [ 0.0%]
8 [ 0.0%]
9 [ 0.0%]
10 [ 0.0%]
11 [ 0.0%]
12 [ 0.0%]
Mem[|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||1601/5952MB]
Swp[||||| 163/3071MB]

PID USER PRI NI VIRT RES SHR S CPU% MEM% TIME+ Command
14004 apache 20 0 197M 52992 4440 S 0.0 0.9 0:03.91 /usr/sbin/httpd -k start -DSSL
13998 apache 20 0 143M 53684 4532 S 0.0 0.9 0:05.02 /usr/sbin/httpd -k start -DSSL
14002 apache 20 0 144M 54428 4568 S 0.0 0.9 0:03.98 /usr/sbin/httpd -k start -DSSL
15011 mysql 20 0 864M 125M 3648 S 0.0 2.1 3:30.00 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --log-error=/var/lib/mysql/server5.infoland.dk.err --pid
13990 apache 20 0 146M 56268 4588 S 0.0 0.9 0:04.16 /usr/sbin/httpd -k start -DSSL
13987 apache 20 0 148M 58356 4408 S 0.0 1.0 0:06.58 /usr/sbin/httpd -k start -DSSL
14005 apache 20 0 144M 53848 4352 S 6.0 0.9 0:04.29 /usr/sbin/httpd -k start -DSSL
13986 apache 20 0 140M 50648 4632 S 2.0 0.8 0:04.95 /usr/sbin/httpd -k start -DSSL
14006 apache 20 0 143M 53664 4388 S 0.0 0.9 0:05.19 /usr/sbin/httpd -k start -DSSL
13994 arrild 20 0 142M 52624 4400 S 0.0 0.9 0:04.00 /usr/sbin/httpd -k start -DSSL

arrild is one of my users

zEitEr
03-16-2011, 11:12 AM
Check with a PHP script:

<?php
system("id");
?>

Save it in public_html and trigger it with your browser.

SeLLeRoNe
03-16-2011, 11:52 AM
seems to be working correctly so :)

thomasdk81
03-16-2011, 03:57 PM
Check with a PHP script:

<?php
system("id");
?>

Save it in public_html and trigger it with your browser.

I get:

uid=505(infoland) gid=506(infoland) groups=501(apache)

infoland is the correct user

SeLLeRoNe
03-16-2011, 04:44 PM
so mod_ruid is working correctly ;)

htop already gave the answer to this, but now, you can be 100% sure :)

SeLLeRoNe
03-16-2011, 04:45 PM
btw, looking on your htop... you got a six-core xeon with vt technology enabled right? :)

ViAdCk
04-04-2011, 01:56 AM
Here I am again with a question regarding mod_ruid2 ;)

I am also using mod_security and am seeing these lines in the error logs of various domains:

ModSecurity: Failed to access DBM file "/tmp/global": Permission denied
ModSecurity: Failed to access DBM file "/tmp/ip": Permission denied

Those files exist in /tmp but have root ownership. Does anyone know how to solve this issue?

Thanks :)

Ramsy
04-15-2011, 01:39 AM
I seem to get 403 errors everywhere.
Things screwed up my permissions.
Any ideas on how to fix this?

pppplus
04-15-2011, 01:53 AM
Hi

Simple question, for experts in mod_ruid2 ...

I've already installed it on some VPSes, and everything went very well; I just had to delete all sessions right after installation.

Now I had a problem on my main server. When I installed mod_ruid2, everything stopped after I changed the template files.

So: is it possible to install mod_ruid2, then modify only one domain, or one user account?

So I can check errors, debug and install it for all accounts when all is clear.

SeLLeRoNe
04-15-2011, 08:09 AM
Yes, just edit the httpd.conf for that user (keep in mind that DirectAdmin will overwrite it; I don't remember the schedule, maybe when a new domain is added).

the file to edit is /usr/local/directadmin/data/users/USERNAME/httpd.conf

Edit this httpd.conf instead of the template, and be sure to edit it correctly.

Regards

pppplus
04-15-2011, 03:31 PM
Thanks Sellerone, I will try it this week.
Best regards

lowfour
04-25-2011, 09:26 AM
Yes, just edit the httpd.conf for that user (keep in mind that DirectAdmin will overwrite it; I don't remember the schedule, maybe when a new domain is added).

the file to edit is /usr/local/directadmin/data/users/USERNAME/httpd.conf

Edit this httpd.conf instead of the template, and be sure to edit it correctly.

Regards

First of all thank you for all your help and contributions to this thread. This is my first post.

I also tried to install mod_ruid2 on my Debian 5 + DirectAdmin VPS and followed the whole tutorial. But all the permissions are wrong now for all the domains. I reverted the settings, deleted the custom .conf files and also checked the httpd.conf files for the problematic domains, and they seem to be the same as the original ones.

I get 403 for all the domains now and I don't really know where to look or what to do.

I restarted httpd, and all seems as it should, but it isn't. Any help to revert to the original settings?

Thank you in advance!

lowfour
04-25-2011, 09:40 AM
Ok!

I solved my issue now. I hadn't modified the right virtual_host2.conf files. I modified the ones inside the custom/ folder and now everything works.

But my interest is still there. How to disable a mod applied by apxs? Is there a way to revert to the original?

Thank you!

SeLLeRoNe
04-25-2011, 10:27 AM
Yes, just edit the http template, rewrite all httpd confs and comment the line in /etc/httpd/conf/httpd.conf where mod_ruid2 is loaded

This should be enough.

Regards

lowfour
04-25-2011, 10:33 AM
Yes, just edit the http template, rewrite all httpd confs and comment the line in /etc/httpd/conf/httpd.conf where mod_ruid2 is loaded

This should be enough.

Regards

Thank you!

iprodua
05-15-2011, 02:00 AM
Has anybody done tests of mod_ruid2 vs ITK vs prefork+fast-cgi?

zEitEr
05-15-2011, 09:43 AM
http://www.directadmin.com/forum/showpost.php?p=192487&postcount=37

janton
05-24-2011, 03:33 AM
I installed memcached today and also have mod_ruid2 installed a few days ago.

Do I need to run memcached as a different user now? It seems to work, but I'm not sure if it's correct.

#nano /etc/sysconfig/memcached

PORT=xxx
USER="nobody"
MAXCONN=xxx
CACHESIZE=xxx
OPTIONS=xxx


Perhaps this is off-topic? But it's related to mod_ruid2 because this is the reason i'm not sure.

NoBaloney2
06-10-2011, 02:45 PM
Is it possible to use custombuild to set up mod_ruid2 from DirectAdmin setup? Can a mod_ruid2 setup be updated by custombuild without deleting the custombuild stuff?

We want to make it part of our standard installs starting this weekend if possible. Any help sincerely appreciated.

Please excuse my alternate login; it's me, Jeff <smile>

Jeff

daveyw
06-10-2011, 03:26 PM
Jeff: I guess this is 'easily' possible with custombuild.

My fast reply would be

Custombuild needs to do

yum -y install libcap-devel
wget http://dave.t0xic.nl/tars/mod_ruid2-0.9.3.tar.bz2
tar xjf mod_ruid2-0.9.3.tar.bz2
cd mod_ruid2-0.9.3
apxs -a -i -l cap -c mod_ruid2.c
Some check to see if the install is successful.

And custom DA template

RMode config
RUidGid |USER| |GROUP|
RGroups apache
SuexecUserGroup should be commented.

If you update mod_ruid2, I don't think it will overwrite the configuration, since the configuration is located in the custom DA template, not the main httpd.conf or whatever else.

You don't need to make any changes at the default/main php.ini file, only httpd.conf for loading the mod_ruid2 module.

Kind Regards,
Dave

SeLLeRoNe
06-10-2011, 03:28 PM
Jeff, in my installation script I install mod_ruid2 from my own repository, using the steps indicated, and download my custom DA template from my repo. So on a new install it's OK; on an existing one you will just need to rewrite the httpd confs using the command in post #1.

Regards

daveyw
06-10-2011, 03:32 PM
Jeff, in my installation script I install mod_ruid2 from my own repository, using the steps indicated, and download my custom DA template from my repo. So on a new install it's OK; on an existing one you will just need to rewrite the httpd confs using the command in post #1.
Thanks for posting this :)

Indeed, and this makes it still easy to install/update mod_ruid2 with custombuild. When this is added you can remove suPHP in my opinion, since mod_ruid2 never used it again :P Or you could 'default' enable mod_ruid2 with new installs.

SeLLeRoNe
06-10-2011, 04:27 PM
Sure, integrating mod_ruid2 into the default installation would be very appreciated by many of us and very helpful for people that don't know what it is and that it is needed :)

Or, if not default, installable via custombuild as for suPHP and now for clamav...

That would be nice, yes.

Regards

tim874536
06-11-2011, 12:46 AM
Hi all,

Two of my servers had "PHP DoS, Coded by EXE" PHP code injected a few days ago; I just searched for those files and deleted them.

Those files were injected into folders whose permission is 777 and which are owned by user apache.

May I know whether implementing mod_ruid2 and resetting those folders to be owned by the user with permission 755 can solve such a PHP injection problem?

Any performance impact compared with standard custombuild?

Thank you all and have a good day.

defomaz
06-11-2011, 01:15 AM
Hi all,
May I know whether implementing mod_ruid2 and resetting those folders to be owned by the user with permission 755 can solve such a PHP injection problem?


It seems not,
because injection depends on your web script.

tim874536
06-11-2011, 01:18 AM
It seems not,
because injection depends on your web script.

You mean this PHP injection is not / may not be caused by the 777 folder, with a cracker using this 777 folder to put a PHP script in through Apache?

defomaz
06-11-2011, 02:08 AM
You mean this PHP injection is not / may not be caused by the 777 folder, with a cracker using this 777 folder to put a PHP script in through Apache?

As far as I know, a PHP shell getting onto the server is caused by a vulnerable web script and not just by file/folder permissions.

And with mod_ruid, until now I have not found any incident where a user could change a file/folder owned by them to apache.
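An audit for the situation the last few posts describe, added here as an example and not code from the thread: once mod_ruid2 runs PHP as the account user, nothing under a user's *_html tree should still need to be world-writable or owned by apache, and those are exactly the directories where a dropped file is easiest to overlook. The script assumes a Linux box with find(1) and the DirectAdmin layout /home/USER/domains/DOMAIN/*_html; the root directory and the web server account are parameters, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit user web trees for the leftovers
# of the 'chmod 777 / owned by apache' workaround that mod_ruid2 makes
# unnecessary. Assumes Linux with find(1); the DirectAdmin layout is
# /home/USER/domains/DOMAIN/*_html but any root directory can be passed.

# world_writable ROOT -> paths (dirs and files) writable by everyone
world_writable() {
    find "$1" -xdev \( -type d -o -type f \) -perm -0002 -print 2>/dev/null | sort
}

# owned_by ROOT USER -> paths owned by USER; empty if the account does not exist
owned_by() {
    id -u "$2" >/dev/null 2>&1 || return 0
    find "$1" -xdev -user "$2" -print 2>/dev/null | sort
}

# audit_html [ROOT] [WEBUSER] -> prints the offending paths and a count per
# category; returns 0 only when nothing was found
audit_html() {
    root=${1:-/home}
    webuser=${2:-apache}
    ww=$(world_writable "$root")
    ap=$(owned_by "$root" "$webuser")
    wwn=$(printf '%s' "$ww" | grep -c . || true)   # number of non-empty lines
    apn=$(printf '%s' "$ap" | grep -c . || true)
    [ -n "$ww" ] && printf 'world-writable (fix: chmod 711 dirs / 644 files):\n%s\n' "$ww"
    [ -n "$ap" ] && printf 'owned by %s (fix: chown USER:USER):\n%s\n' "$webuser" "$ap"
    echo "summary: $wwn world-writable, $apn owned by $webuser under $root"
    [ "$wwn" -eq 0 ] && [ "$apn" -eq 0 ]
}

# Usage: sh audit_html.sh --audit /home apache   (run as root for full coverage)
if [ "${1:-}" = "--audit" ]; then
    shift
    audit_html "$@"
fi
```

Run it before and after the chmod/chown commands posted earlier in this thread; a clean run returns 0, so it can also sit in a cron job that mails only when something shows up.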

nobaloney
06-11-2011, 07:42 PM
Thanks, all. I won't be getting around to doing the install until sometime next week; I'll come back with questions.

Jeff

gunemalli
06-17-2011, 02:12 PM
First of all, thanks very much for the howto. It works like a charm. I just installed it on my server and tested it and all my sites work OK.

The only issue is that I don't see anything show up in htop/top other than the default usernames, but when I run the PHP file I get this output:


uid=503(gayan) gid=503(gayan) groups=48(apache)

which suggests everything is working correctly.


Oh, and I think you need to modify your permission setting commands to do the same for private_html as well:


find /home/*/domains/*/p*_html -type d -print0 | xargs -0 chmod 711
find /home/*/domains/*/p*_html -type f -print0 | xargs -0 chmod 644
find /home/*/domains/*/p*_html -type f -name '*.cgi*' -exec chmod 755 {} \;
find /home/*/domains/*/p*_html -type f -name '*.pl*' -exec chmod 755 {} \;
find /home/*/domains/*/p*_html -type f -name '*.pm*' -exec chmod 755 {} \;
cd /usr/local/directadmin/data/users && for i in `ls`; do { chown -R $i:$i /home/$i/domains/*/p*_html;}; done;

I use different folders for HTTPS content, so I needed to run this, as the given command only worked for public_html.

NoBaloney2
06-19-2011, 12:12 PM
Jeff: I guess this is 'easily' possible with custombuild.

My fast reply would be

Custombuild needs to do


yum -y install libcap-devel
wget http://dave.t0xic.nl/tars/mod_ruid2-0.9.3.tar.bz2
tar xjf mod_ruid2-0.9.3.tar.bz2
cd mod_ruid2-0.9.3
apxs -a -i -l cap -c mod_ruid2.c
Some check to see if the install is successful.

And custom DA template

RMode config
RUidGid |USER| |GROUP|
RGroups apache
SuexecUserGroup should be commented.

If you update mod_ruid2, I don't think it will overwrite the configuration, since the configuration is located in the custom DA template, not the main httpd.conf or whatever else.

You don't need to make any changes at the default/main php.ini file, only httpd.conf for loading the mod_ruid2 module.

Kind Regards,
Dave
I'm more than a bit lost. I know I can do the first part (wget) before I run setup, but I have no idea where the second part (the template) is. Please help; I'd like to get this done today if possible.

Jeff

nobaloney
06-19-2011, 02:56 PM
To clarify: If possible I'd like an exact cookbook for changes to make it just work in the original DirectAdmin install, as well as when updating through custombuild. The latter is important; I can't afford to break anything when updating through custombuild.

Thanks.

Jeff

gunemalli
06-19-2011, 04:22 PM
To clarify: If possible I'd like an exact cookbook for changes to make it just work in the original DirectAdmin install, as well as when updating through custombuild. The latter is important; I can't afford to break anything when updating through custombuild.

Thanks.

Jeff

I think I can help you with that. I had to reinstall my server today because when I tried to upgrade MySQL it crashed.

OK here's the process. Install DA, then install mod_ruid2 with the following commands:


yum -y install libcap-devel
wget http://dave.t0xic.nl/tars/mod_ruid2-0.9.3.tar.bz2
tar xjf mod_ruid2-0.9.3.tar.bz2
cd mod_ruid2-0.9.3
apxs -a -i -l cap -c mod_ruid2.c

then modify the 4 virtual_host2 files inside the templates folder to look like this:
virtual_host2.conf (the changes are highlighted in red):

|?DOCROOT=`HOME`/domains/`DOMAIN`/public_html|
|?OPEN_BASEDIR_PATH=`HOME`/:/tmp:/var/tmp:/usr/local/lib/php/|
<VirtualHost |IP|:80 |MULTI_IP|>
|CUSTOM|
|?CGI=ScriptAlias /cgi-bin/ `DOCROOT`/cgi-bin/|
ServerName www.|DOMAIN|
ServerAlias www.|DOMAIN| |DOMAIN| |SERVER_ALIASES|
ServerAdmin |ADMIN|
DocumentRoot |DOCROOT|
|CGI|

|USECANONICALNAME|

#SuexecUserGroup |USER| |GROUP|
RMode config
RUidGid |USER| |GROUP|
RGroups apache
CustomLog /var/log/httpd/domains/|DOMAIN|.bytes bytes
CustomLog /var/log/httpd/domains/|DOMAIN|.log combined
ErrorLog /var/log/httpd/domains/|DOMAIN|.error.log

<Directory |DOCROOT|>
Options +Includes -Indexes
|*if CLI="1"|
php_admin_flag engine |PHP|
<IfModule !mod_php6.c>
php_admin_flag safe_mode |SAFE_MODE|
</IfModule>
php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f |USER|@|DOMAIN|'
|*endif|
|*if OPEN_BASEDIR="ON"|
php_admin_value open_basedir |OPEN_BASEDIR_PATH|
|*endif|
|*if SUPHP="1"|
suPHP_Engine |PHP|
suPHP_UserGroup |USER| |GROUP|
|*endif|
</Directory>
|HANDLERS|
|MIMETYPES|

</VirtualHost>



and finally issue

chown -R diradmin:diradmin custom/
and you can start creating new users. That's it. Also the directory/file permissions should be changed inside the *_html folders: all files 0644 and all folders 0711, as suggested in the howto here.

nobaloney
06-19-2011, 07:53 PM
Thanks. For the moment I'll hope that nothing else need be done since it's a new server :). Now the question is only how do you update it with CustomBuild without having to set it up over again?

Anyone?

Thanks.

Jeff

gunemalli
06-20-2011, 01:03 AM
Thanks. For the moment I'll hope that nothing else need be done since it's a new server :). Now the question is only how do you update it with CustomBuild without having to set it up over again?

Anyone?

Thanks.

Jeff

Yes on a new server nothing more needs to be done. If you're doing this on an existing server we need to rewrite each user's httpd.conf and set the permissions for *_html folders. here's how to do it:


cd /usr/local/directadmin/scripts && ./set_permissions.sh user_homes
find /home/*/domains/*/p*_html -type d -print0 | xargs -0 chmod 711
find /home/*/domains/*/p*_html -type f -print0 | xargs -0 chmod 644
find /home/*/domains/*/p*_html -type f -name '*.cgi*' -exec chmod 755 {} \;
find /home/*/domains/*/p*_html -type f -name '*.pl*' -exec chmod 755 {} \;
find /home/*/domains/*/p*_html -type f -name '*.pm*' -exec chmod 755 {} \;
cd /usr/local/directadmin/data/users && for i in `ls`; do { chown -R $i:$i /home/$i/domains/*/p*_html;}; done;

On your 2nd query I can give you a hint on how to do it, but I'm not a Linux guru so I don't know what the implications are.

First do a

grep 'mod_ruid2' /etc/httpd/conf/httpd.conf
If it's installed you'll get an output like this:

LoadModule ruid2_module /usr/lib/apache/mod_ruid2.so

So on an update you can check to see if it already exists; if so you can skip this step. At this stage I'm assuming that DA will have the updated vhost2.conf and httpd.conf by default.
If so then no additional work needs to be done even if Apache is updated (I assume an Apache update won't delete the /usr/lib/apache/ folder and only overwrites the content).

Also you could just look for the /usr/lib/apache/mod_ruid2.so file and if it exists then the plugin is installed. All you need to do is rewrite the httpd.conf files.

I think the best option is the 2nd one. Even if the httpd conf didn't have the line you would know that the plugin is already installed. Hmmm, this can be used as a verification method too and could be used to correct issues.
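A script for the verification method gunemalli describes above, added here as an example rather than code from the thread or from DirectAdmin: it checks the LoadModule line, the module file, and a user's httpd.conf in one pass, so it can be run after every custombuild update (or from a cron job) and fail loudly when an Apache rebuild has silently dropped the module. Default paths are the CentOS ones used in this thread; all three can be overridden as arguments, the "admin" user conf as the default third path is my assumption, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or DirectAdmin): check that mod_ruid2 is
# still wired in after a custombuild/Apache update. Default paths are the
# CentOS ones used in this thread; override them as arguments.

# ruid2_loaded HTTPD_CONF -> 0 if an active LoadModule line for ruid2_module exists
ruid2_loaded() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ruid2_module[[:space:]]' "$1"
}

# ruid2_module_present MODULE_PATH -> 0 if the compiled module file exists
ruid2_module_present() {
    [ -f "$1" ]
}

# user_conf_uses_ruid2 USER_HTTPD_CONF -> 0 if every VirtualHost in the user's
# httpd.conf has an RUidGid line and no uncommented SuexecUserGroup remains
user_conf_uses_ruid2() {
    [ -r "$1" ] || return 1
    vhosts=$(grep -c '^[[:space:]]*<VirtualHost' "$1" || true)
    ruid=$(grep -c '^[[:space:]]*RUidGid' "$1" || true)
    suexec=$(grep -c '^[[:space:]]*SuexecUserGroup' "$1" || true)
    [ "$vhosts" -gt 0 ] && [ "$ruid" -ge "$vhosts" ] && [ "$suexec" -eq 0 ]
}

# ruid2_status [HTTPD_CONF] [MODULE] [USER_CONF] -> prints one line per check,
# returns 0 only if all three pass
ruid2_status() {
    conf=${1:-/etc/httpd/conf/httpd.conf}
    mod=${2:-/usr/lib/apache/mod_ruid2.so}
    uconf=${3:-/usr/local/directadmin/data/users/admin/httpd.conf}   # assumed user
    rc=0
    if ruid2_loaded "$conf"; then
        echo "ok   LoadModule ruid2_module present in $conf"
    else
        echo "FAIL no LoadModule ruid2_module in $conf (re-run apxs -a -i -l cap -c mod_ruid2.c)"
        rc=1
    fi
    if ruid2_module_present "$mod"; then
        echo "ok   module file $mod exists"
    else
        echo "FAIL module file $mod missing (rebuild mod_ruid2 against the new Apache)"
        rc=1
    fi
    if user_conf_uses_ruid2 "$uconf"; then
        echo "ok   $uconf: RUidGid on every VirtualHost, SuexecUserGroup commented"
    else
        echo "FAIL $uconf: rewrite it from the custom template (./build rewrite_confs)"
        rc=1
    fi
    return $rc
}

# Usage: sh ruid2_check.sh --check [httpd.conf] [mod_ruid2.so] [user httpd.conf]
if [ "${1:-}" = "--check" ]; then
    shift
    ruid2_status "$@"
fi
```

The third check is the one that catches the failure mode reported later in this thread (a PHP rebuild leaving `RMode`/`RUidGid` in the user confs while the module itself is gone, or the reverse), because it looks at the user's generated httpd.conf rather than at the template.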

Arieh
06-20-2011, 02:37 AM
I've updated httpd many times since I started using this ruid setup. It's not being affected by it. I guess only when new config files are being pushed through, but I don't think that happens too often?

SeLLeRoNe
06-20-2011, 02:44 AM
I can confirm what Arieh said.

I installed mod_ruid2 a long time ago and since then I've updated Apache about 3 times with no need to reinstall/update mod_ruid2.

Regards

gunemalli
06-20-2011, 02:47 AM
Just to confirm from both of you, have you placed the httpd.conf in the custom folder after you installed mod_ruid2?

Arieh
06-20-2011, 03:05 AM
I haven't, but maybe I should? Either way it doesn't really matter as it hasn't been a problem before, and after an update you can simply check if it's gone.

gunemalli
06-20-2011, 03:13 AM
Thanks,

I don't know the specifics how DA and custombuild works, wanted to get the information so someone could build it with the right set of information available to them.

nobaloney
06-20-2011, 10:19 AM
We like to do automated updates as often as possible, but I think for the future we'll probably do manual updates on new servers, until we know with certainty.

Thanks, everyone!

Jeff

smtalk
06-20-2011, 02:17 PM
We like to do automated updates as often as possible, but I think for the future we'll probably do manual updates on new servers, until we know with certainty.

Thanks, everyone!

Jeff

CustomBuild doesn't touch custom templates (/usr/local/directadmin/data/templates/custom), and without "./build rewrite_confs" /etc/httpd/conf/httpd.conf is not rewritten. Copy your httpd.conf to /usr/local/directadmin/custombuild/custom/ap2/conf and it will have the mod_ruid2 changes even after "./build rewrite_confs".

nobaloney
06-21-2011, 11:41 AM
Thanks, Martynas! I'll do that.

Jeff

janton
07-06-2011, 12:01 AM
I want to run a CGI script now but it doesn't work because:
[2011-07-06 08:54:21]: user mismatch (pietje instead of apache)

I can change the file to apache owner... but is this how I need to do this?
My file has 755 as permission...

What should i do?:eek:

janton
07-06-2011, 12:15 AM
Or do I need to change the group for the cgi dir in that domain?

daveyw
07-06-2011, 12:25 AM
Then your configuration is probably not correct.
Since normally if you reach the file by the URL (domain) it should be user 'pietje' and not apache.

I guess you are trying to reach the file with the temp url like: http://hostname.domain.tld/~username/ ? (then it doesn't work)

Have you done all the steps, including the templates?

janton
07-06-2011, 12:33 AM
No, I'm working with a plain .com domain.

I have done all the steps, but that was a while ago; I have now created this new reseller... perhaps I need to do the steps again? Also I updated DirectAdmin a few times, perhaps that overwrote the templates... I will try to do those steps again!

janton
07-06-2011, 12:40 AM
Somehow it seems all templates are back to the old ones... perhaps because of these DirectAdmin updates?

I will redo the steps...

daveyw
07-06-2011, 12:43 AM
Somehow it seems all templates are back to the old ones... perhaps because of these DirectAdmin updates?

I will redo the steps...
Then you didn't follow the steps correctly, since I wrote everything with the custom directory (so it won't be overwritten).

janton
07-06-2011, 12:53 AM
Ok, I think I did it wrong again...

because I thought you meant: copy all to custom so you have a backup...

Can I redo those steps? Will it break something?

*YESS it worked!
Perhaps a good idea to make it a bit clearer? Ok, perhaps it's just me, but I somehow thought you meant to change the files you copied... I thought you meant the original files... :)

daveyw
07-06-2011, 01:22 AM
*YESS it worked!
Perhaps a good idea to make it a bit clearer? Ok, perhaps it's just me, but I somehow thought you meant to change the files you copied... I thought you meant the original files... :)
As you can see in the steps, I copied the files to the 'custom' directory so they won't be overwritten. And it's the files IN 'custom' that you should edit.

Then you need also to rebuild your HTTPd configurations

SeLLeRoNe
07-06-2011, 01:24 AM
Now copy the template files to custom
Quote:
cd /usr/local/directadmin/data/templates/
cp virtual_host2* custom/
chown -R diradmin:diradmin custom/

Now you have copied the original templates to the 'custom' directory, so they won't be overwritten.



It is clear enough.

Sure, maybe put a

cd /usr/local/directadmin/data/templates/custom/
after

Now follow the steps below for each virtual_host2 file you've copied

Should be helpful for those who didn't get what you meant.

Regards

daveyw
07-06-2011, 01:37 AM
SeLLeRoNe thanks, I've added to my first post ;)

janton
07-10-2011, 03:19 PM
I just noticed I now have problems accessing /squirrelmail.
I changed some of the owners/groups so the user could access his mail.

But is it possible to still run squirrelmail now that every user has a different owner and group? Before, squirrelmail was owned by webapps (owner and group), and so were all files in it... but now when a user accesses /squirrelmail the user is different depending on the domain it's accessed from! So what do I need to do with the /data dir? (/var/www/html/squirrelmail-1.4.21/data)

skaag
07-11-2011, 07:36 PM
Anyone here tried to get a per-user php.ini work with mod_ruid2?

I have an account that requires certain php values to be modified:

register_globals=On
max_execution_time=30
max_input_time=60
magic_quotes_gpc=On
session.gc_maxlifetime=1440

How do you guys accomplish something like this per user?

defomaz
07-11-2011, 08:15 PM
@skaag

If you use mod_php + mod_ruid2,
you should use .htaccess to change PHP variables per user.

skaag
07-12-2011, 05:05 AM
Excellent - That works well.

Thanks :-)

daveyw
07-12-2011, 08:30 AM
@skaag

If you use mod_php + mod_ruid2,
you should use .htaccess to change PHP variables per user.
You can also use the 'Custom HTTPd' option in the DirectAdmin control panel for the admin.

Arieh
07-14-2011, 01:47 PM
Just found this out. For the webapps to run under webapps under the domain.tld/roundcube you need to add in /etc/httpd/conf/httpd.conf

In the


<Directory "/var/www/html">


RUidGid webapps webapps

so you have it like this


<Directory "/var/www/html">
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
<IfModule mod_suphp.c>
suPHP_Engine On
suPHP_UserGroup webapps webapps
SetEnv PHP_INI_SCAN_DIR
</IfModule>
RUidGid webapps webapps
</Directory>


Makes sense, as you can see this was already done for suPHP.

janton
07-18-2011, 03:23 AM
Just found this out. For the webapps to run under webapps under the domain.tld/roundcube you need to add in /etc/httpd/conf/httpd.conf

In the


<Directory "/var/www/html">


RUidGid webapps webapps

so you have it like this


<Directory "/var/www/html">
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
<IfModule mod_suphp.c>
suPHP_Engine On
suPHP_UserGroup webapps webapps
SetEnv PHP_INI_SCAN_DIR
</IfModule>
RUidGid webapps webapps
</Directory>


Makes sense, as you can see this was already done for suPHP.

Thx! I will do this also!
Yep, this works perfect! thx :-)

scsi
07-21-2011, 03:13 PM
I always get the following error:

Permission denied on /

Then in the error log is:

[Thu Jul 21 18:11:23 2011] [crit] [client 71.202.43.154] (13)Permission denied: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

The error persists across all domains and users...

Does anyone have a proper guide for switching from suPHP to ruid2?

SeLLeRoNe
07-21-2011, 11:41 PM
The first post doesn't help?

Did you comment SuexecUserGroup |USER| |GROUP| in the httpd template?

Is the specific file owned by the user that owns the domain?

Are the web pages online, or do you have a problem seeing the website? Or is it just this entry in the log?

Regards

scsi
07-22-2011, 05:51 AM
All pages come up with "Permission denied on /"

There was no suexec stuff in my template and I disabled suPHP and removed the LoadModule line for suphp.

Still not sure whats going on...I will have to try some things in the middle of the night to see if I can figure out why its not working. I wonder if it has something to do with the secure access group.

SeLLeRoNe
07-22-2011, 06:52 AM
No, it's working correctly for me; usually when I get a permission error it's because the files are not 644 and the folders are not 755.

What does the Apache log say?

I can check your box if you want/need.

Regards

IT_Architect
08-06-2011, 07:38 PM
This is one gorgeous thread. It is so totally logical to have MOD_RUID2 be part of the PHP CLI custom build install. It has the security advantages of suexec and more with none of the drawbacks. It paves the way for installing WebDAV right along with it. WOW! You don't run across low hanging fruit like that very often.

DirectAdmin Support
08-07-2011, 08:33 PM
Hello,

Having the ability to run php with CLI (more efficient than suPhp), but running as the User has clear advantages (write permissions) and also lets the secure_access_group option make home directories be more secure (without needing open_basedir, but keep it on). The only catch is the fact that apache would be running as root (don't quote me on this, I'd need to do some homework), but if there are any exploits in apache, ssl or a module, that would be a wide open door for full access to your box. I'm sure that they've taken as many security precautions as they can, but that fact still worries me slightly. (again, I'll have to read up on it to see if this worry is substantiated). If not, then we can look into it for a new project as a custombuild install option.

John

SeLLeRoNe
08-08-2011, 12:34 AM
Hi John,

I know you said don't quote, but AFAIK mod_ruid makes Apache run just as is, user/group apache... at least that is what I see from my httpd.conf (using mod_ruid2)


>cat /etc/httpd/conf/httpd.conf | grep User
User apache
>cat /etc/httpd/conf/httpd.conf | grep Group
Group apache
>cat /etc/httpd/conf/httpd.conf | grep ruid
LoadModule ruid2_module /usr/lib/apache/mod_ruid2.so


I can totally say that security has been increased since I started using mod_ruid2 (actually I had nothing before because I didn't want suPHP), but it is working very well and the apache user processes are just under the user who started them.

I would suggest implementing that, and if you need it I can write you an email with the steps I use and my conf files for a check.

Regards

meto
08-08-2011, 05:04 AM
Hello,

Having the ability to run php with CLI (more efficient than suPhp), but running as the User has clear advantages (write permissions) and also lets the secure_access_group option make home directories be more secure (without needing open_basedir, but keep it on). The only catch is the fact that apache would be running as root (don't quote me on this, I'd need to do some homework), but if there are any exploits in apache, ssl or a module, that would be a wide open door for full access to your box. I'm sure that they've taken as many security precautions as they can, but that fact still worries me slightly. (again, I'll have to read up on it to see if this worry is substantiated). If not, then we can look into it for a new project as a custombuild install option.

John
As I read it, only an exploit of the SSL module can lead to root access, but it can still be abused. Anyhow, I'd like to see that as an option!

Arieh
08-08-2011, 06:15 AM
I'd think it would be wise to indeed dive into this security issue. If you read the README of mod_ruid2 it says something about this. (By the way, there's a new version .4; the start post contains .3.)

Anyway, to quote the README:


there are some security issues, for instance if attacker successfully exploits the httpd process,
he can set effective capabilities and setuid to root. i recommend to use some security patch in kernel (grsec),
or something..

I've run some tests and talked about it in this thread (http://www.directadmin.com/forum/showpost.php?p=205195&postcount=912), and if you don't have the PHP function dl disabled, you can set the uid to root using a compiled .so. See the topic for more information.

I don't consider myself an experienced security expert; so I think someone who is should really be consulted (or maybe John is), before rolling this out to everyone.

IT_Architect
08-08-2011, 04:07 PM
"...The only catch is the fact that apache would be running as root...if there are any exploits in apache, ssl or a module, that would be a wide open door for full access to your box.
I've read that, but I'm not sure how that is so different from the current situation?


"...running as the User has clear advantages (write permissions) and also lets the secure_access_group option make home directories be more secure
I agree. I like it that suEXEC covers CGI/SSI files, but for the other files, neither the current CLI nor the suEXEC method covers those. Currently, we need to coordinate two incompatible security matrixes. And how difficult is it to detect which user web applications are running on a site, and know where to check for improperly secured security/configuration/data files? With mod_ruid, security would be far more straightforward. That itself is a big security advantage. Not having to deal with two incompatible security matrixes also enables technologies such as WebDAV, and more.


"...(without needing open_basedir, but keep it on)
I agree wholeheartedly. Even if you could be sure there would never be a module vulnerability, with thousands of directories, how could one possibly manage security, or locate the source of an exploit? open_basedir clearly documents where access is possible.

Other:
The current dilemma is choosing between performance and compatibility of CLI, or security with suexec. mod_ruid solves both, and more.

Arieh
08-08-2011, 05:10 PM
For those who don't understand the extra security risk of using this mod:

mod_ruid2 uses POSIX capabilities to swap uids of processes. With the intended use only normal users will get swapped. But because scripts are executed (php/cgi), there's a problem. These scripts can hijack/access the uid swapping stuff because of mod_ruid2. So with an evil script, and not secured, you can swap to root.

It would be a good idea for people to read the README of the software you install. Apparently no one (except John, who mentioned it) in this thread knows about this or cares about it. It would be comforting if someone knew about this issue and whether it's a true risk, and if there's something you can do about it. I've made an attempt to find it out as I pointed out in my previous post, but there has been nobody saying something about it, unfortunately.

IT_Architect
08-08-2011, 05:15 PM
For those who don't understand the extra security risk by using this mod...It would be comforting if someone knew about this issue and whether its a true risk, and if theres something you can do about it. I've made an attempt to find it out as I pointed out in my previous post, but there has been nobody saying something about it, unfortunately.
I noticed during my Googling that mod_ruid appears to be an option with Plesk/Parallels. That might be a good place to learn how they handle these issues.


With the intended use only normal users will get swapped. But because scripts are executed; php/cgi - theres a problem. These scripts can hijack/access the uid swapping stuff because of mod_ruid2. So with an evil script, and not secured, you can swap to root.
From the README:

there are some security issues, for instance if attacker successfully exploits the httpd process, he can set effective capabilities and setuid to root. i recommend to use some security patch in kernel (grsec),
One cannot determine from that if the risk is greater or less than with suEXEC, which is a wrapper that does the same thing. One would THINK there would be little point in developing mod_ruid2 if it were easy to exploit, which is why the odds are that it would be worth the time to investigate. One might even counter by saying that logically mod_ruid2 might be less susceptible to exploit because it has the potential to run earlier because the file extension is not a consideration, and also because the file extension type is not a consideration. One might conclude from these two factors that it would be logical that mod_ruid2 would have a smaller attack surface.

I noticed from one of the threads you referenced where you attempted to change users from within a script but were unsuccessful. PHP POSIX is installed on all of our DA machines without mod_ruid2 being installed.

I agree that as with anything that has to do with computers, if you don't do your homework, things can go very wrong. :D

DirectAdmin Support
08-08-2011, 07:24 PM
Things that I do know:

1)
I've read that, but I'm not sure how that is so different from the current situation?
If there is an exploit, they'd be in, running as apache. If there is an exploit with mod_ruid2, they'll be running as root... and there isn't much to slow that case down.

2) Comparing mod_ruid2 vs suexec, I have personally gone through the suexec.c file, one line at a time (when we had implemented the chroot jailing system). The difference with suexec is that the process runs as apache right up until the last moment, well after all requests have been made and things are all ready to go. Only then does the suexec binary get called, with all of its internal checks for uid values, path values etc... So the "exploit" part would have been done prior, during the "apache" time.

With ruid, I'm not 100% sure when the change to the User happens, but it would have to happen after the request has been made... so after things are parsed, etc... During the parsing, reading, and processing, the process would be running as root. The most likely place for exploits is at connection time (if it's an ssl issue) or parsing, if it's a buffer overrun, etc... and that's really the issue in my mind. Again, I have not gone through the mod_ruid2 code like I have with suexec, so cannot say for sure where it stands.... but if the author states these exact issues, eg: "if attacker successfully exploits the httpd process, he can set effective capabilities and setuid to root", then my thoughts are likely substantiated. It's just one less layer of security... as I'm sure mod_ruid2 has done many checks, and it, in itself is probably secure, but missing that extra layer would concern me. From what I understand, the process (after an exploit) would only need to make a call to seteuid(0) to get root. (apache may run with euid as apache, but the true uid is likely root/0, hence seteuid works to get root, from non-root).

Anyway, as long as people are aware of this potential issue, they can ensure they keep everything completely up to date, and the chances of risk would go down. If we implement it, it wouldn't likely be the default setting, but having it as a custombuild options.conf setting sounds feasible.

John

IT_Architect
08-08-2011, 08:31 PM
I appreciate you taking the time to explain your point of view. I agree that it is logical that the UID change would happen early. My point of view is that logically, the code would drop from root to the user level, less than apache, almost immediately. Your point of view is that the earlier it runs, the more vulnerable it would be to buffer overruns. I would have to agree with that too. I would be interested to learn what you discover.

Thanks,
Jack

pppplus
08-29-2011, 02:34 PM
Hi

Each time I rebuild PHP, I have a problem (I want to install imap, as to use function imap_open() ).


Démarrage de httpd :Syntax error on line 39 of /usr/local/directadmin/data/users/admin/httpd.conf:
Invalid command 'php_admin_flag', perhaps misspelled or defined by a module not included in the server configuration

So I run :

./build rewrite_confs

Then new error message :

Démarrage de httpd :Syntax error on line 29 of /usr/local/directadmin/data/users/admin/httpd.conf:
Invalid command 'RMode', perhaps misspelled or defined by a module not included in the server configuration


Then I rebuild mod_ruid2

cd /root/mod_ruid2-0.9.3
apxs -a -i -l cap -c mod_ruid2.c

It works again... but I have no imap !

So, is it possible to have IMAP with mod_ruid ? I don't know why I can't install it.

I use this to install imap :

# yum install libc-client-devel.x86_64
# ln -s /usr/lib64/libc-client.a /usr/lib/libc-client.a

make clean your PHP install and compile PHP with these options in your PHP configure options

--with-imap=/usr/lib64/
--with-imap-ssl

if you have an error
# yum install pam-devel
and retry

pppplus
08-29-2011, 11:57 PM
Hi

I try a new method to add imap

http://www.directadmin.com/imap.txt
then : http://help.directadmin.com/item.php?id=252

And no problem after ./build php

And imap is available, with mod_ruid2.
I don't know what was wrong in the other method.

daveyw
08-30-2011, 07:50 AM
@pppplus the difference is that the help guide creates a 'custom' directory instead of using the current 'configure' directory.

The configure directory will be overwritten on each build update/update_data.
custom won't be touched, so your changes will be safe.

pppplus
08-30-2011, 04:01 PM
Ooops, I have a stupid warning !

One customer uses ZenCart, and I have this message


attention : il est possible d'écrire dans le fichier de configuration : /home/username/domains/userdomain.com/public_html/zen-cart/includes/configure.php. C'est un risque potentiel de sécurité- Indiquez les bonnes permissions sur ce fichier ! (Lecture seule, souvent avec un CHMOD 644 ou 444). Vous devrez peut-être utiliser votre panneau/gestionnaire de fichiers ou FTP pour changer les permissions efficacement. Entrez en contact avec votre hébergeur pour de l'aide.

Sorry, it's in french ! But 644 is too high for zencart.
I put it to 444, and warning disappears.

Is it possible, from admin panel in zencart, to overwrite config file, even if 444 instead of 644 ?

SeLLeRoNe
08-31-2011, 02:23 AM
444 is read-only; the panel would not be able in any way to write config.php with those permissions.

It is usually used because the config.php file, once "set", does not need to be edited anymore.. so, use 644 during install to let it write to it, and move to 444 once the install is done...

Regards

pppplus
08-31-2011, 09:40 AM
All works fine now, with mod_ruid2.

Thanks for this How-To


Please, can you add in first post : http://www.directadmin.com/forum/showpost.php?p=206807&postcount=142

Because without this, squirrelmail doesn't work

Peter Laws
09-05-2011, 03:21 PM
Worked flawlessly however, as I said in this thread (http://www.directadmin.com/forum/showthread.php?p=209508#post209508) - folders are changed to 711, however, most scripts recommend 755 - this is a bit confusing to the client.

Also, did/does anyone else get the same error from mod_security?

seoguru
09-06-2011, 10:35 AM
Any sense to use it if I have Apache configured as MPM -worker?

Thanks

Peter Laws
09-06-2011, 12:45 PM
Any sense to use it if I have Apache configured as MPM -worker?
Doesn't matter I don't think, but I would recommend using mod_php and mod_ruid2 though; my client is as happy as Larry now he can install Wordpress stuff without errors.

meto
09-06-2011, 02:37 PM
Any sense to use it if I have Apache configured as MPM -worker?

Thanks

No. It's made for prefork + mod_php.

pppplus
09-11-2011, 11:52 AM
2 things :

1- I try to reach : http://IP/~username/ (http://87.98.153.75/~bob/)

Forbidden

You don't have permission to access /~bob/ on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2 Server at 87.98.153.75 Port 80

2- there is a small problem, when we change permission.
All files are checked and moved to 644

But some files have to stay at 755 (like cgi)
I have some files, without extension (like request or answer), that are required to stay at 755.
So I think all files with 755 must stay at 755, and not be turned to 644.

Thanks if someone has a solution for my 1st problem

Some new details
/home/username is chmod 710
if I modify to 711, I can access to http://IP/~username/

In another server, without mod_ruid2, I can access to http://IP/~username/ even with chmod 710

Acc
10-05-2011, 01:29 AM
Can someone explain why this is added to the config:

RGroups apache

This means apache has access to the dir/files? or..

Thanks in advance for reply

netswitch
10-19-2011, 01:35 PM
Hello Guys,

Just one little question, what about restore of users backups from non mod_ruid servers ?

EG : I have a lot of legacy accounts on a Apache1.3 / PHP4 servers, I want to move them to the new server but I wonder if the httpd.conf of the virtualhosts will be rewritten

DirectAdmin Support
10-19-2011, 11:41 PM
Hello,

All httpd.conf files are written based on the templates.
If you're using apache 2, the templates are:
virtual_host2.conf

If apache 1.3:
virtual_host.conf

Related:
http://help.directadmin.com/item.php?id=244

If you've got any custom settings in:
/usr/local/directadmin/data/users/username/domains/domain.com.cust_httpd

then that file is inserted into the |CUSTOM| token of the above template.
The cust_httpd file is maintained over restores, if done at the Admin Level.

Note that the templates are taken from the data/templates/custom folder, if they exist there. The custom templates override the default ones, if they exist.

John

indexs
11-09-2011, 02:15 AM
I have problems with this part:



cd /usr/local/directadmin/scripts && ./set_permissions.sh user_homes
find /home/*/domains/*/public_html -type d -print0 | xargs -0 chmod 711
find /home/*/domains/*/public_html -type f -print0 | xargs -0 chmod 644
find /home/*/domains/*/public_html -type f -name '*.cgi*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pl*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pm*' -exec chmod 755 {} \;
cd /usr/local/directadmin/data/users && for i in `ls`; do { chown -R $i:$i /home/$i/domains/*/public_html;}; done;



exactly, I mean with

find /home/*/domains/*/public_html -type f -name '*.cgi*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pl*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pm*' -exec chmod 755 {} \;

I get an error like -exec needs an argument.


p.s. I'm running on Debian 5.0

zEitEr
11-09-2011, 02:23 AM
I get an error like -exec needs an argument.

So no files were found. That's OK, don't worry about it.

indexs
11-09-2011, 02:44 AM
Amen brother! :D

Thats good :)

Thank you!

soulshepard
11-27-2011, 05:16 AM
I read on page 6 ideas to add mod_ruid2 to the custom build.. is this still the plan?

Thx

soul:confused:

zEitEr
11-27-2011, 07:32 AM
I read on page 6 ideas to add mod_ruid2 to the custom build.. is this still the plan?

Thx

soul:confused:

Since mod_ruid2 can be used only on Linux, and DirectAdmin supports FreeBSD (mod_ruid2 can not be used on FreeBSD), I guess custombuild won't support mod_ruid2.

soulshepard
11-27-2011, 05:35 PM
a ofc.. thx..

Manie
11-30-2011, 03:22 AM
Hi all,
I am quite new to Mod_Ruid2. I have a working server and need to migrate a suPHP environment into a Mod_Ruid environment.

The problem I encounter is the following:

Warning: require_once(/home/user1/domains/domain1.com/JPA/dbsettings.php) [function.require-once]: failed to open stream: Permission denied in /home/user2/domains/domain2.com/private/configuration.php on line 30

Now I tried the permission fix, and this seems to fix the issue for a single pageload. However after that it falls back into the permission denied error.

I don't get it why this is happening.
First guess was some sort of custom caching by the script doing a wrong chmod.
This is however not part of the "cross domain webapplication".

Now my second guess is that it happened because a lot of the files are located in a directory that is in the domain root directory (so not under the public_html directory).
These files are prepended by htaccess in the main document root.

Can anyone explain to me how mod_ruid is handled in this case?
Is there perhaps a rights issue, and is it changing rights per request outside the public_html directory?

Hope someone can give me an insight.

Manie
11-30-2011, 04:27 AM
In the end I made the following (ugly) fix.
Chmod the domain directories for the target user (main application user) with read all access, and this did the trick.

SeLLeRoNe
11-30-2011, 04:33 AM
post a ls -l of the directory, with mod_ruid it should be owned by user:user with 755 permission (directory) and 644 (files).

Regards

Manie
11-30-2011, 05:12 AM
The problem was that file 1 is owned by user1, and the include is owned by user2.

SeLLeRoNe
11-30-2011, 05:15 AM
That's normal, so yes, you need 777 to allow another user to write in the user folder, or add them to the same group.

Regards

Acc
11-30-2011, 11:51 AM
Can someone explain why this is added to the config:

RGroups apache

This means apache has access to the dir/files? or..

Thanks in advance for reply

Any ideas?

SeLLeRoNe
11-30-2011, 12:34 PM
Yes, it is to let apache access the files.

Regards

zEitEr
12-21-2011, 12:14 AM
Hello,

Some days ago, I've faced an issue (http://help.directadmin.com/item.php?id=363) with CentOS 6.1 and mod_ruid2, and the guide did not work for me properly. For now I'm still not sure what the reason was, but I managed to make it work only with such a config:


<IfModule mod_ruid2.c>
RMode config
RUidGid |USER| |GROUP|
RGroups apache access
</IfModule>

but not with


<IfModule mod_ruid2.c>
RMode config
RUidGid |USER| |GROUP|
RGroups apache
</IfModule>

Andrea, could you please check it on your side, and confirm or discard the solution? I've noticed that the Apache group and user had a gid and uid of about 500 or so. Though I did not find any indication that the high gid and uid might affect the usage of mod_ruid2. So I'm confused a little bit why group apache (being included in group access) did not have permissions to access homedirs (http://help.directadmin.com/item.php?id=363).

SeLLeRoNe
12-21-2011, 12:20 AM
Where did you add this? In httpd.conf of apache or in the virtual_host2 template?

I'll install a CentOS 6.2 box shortly to test if DA works with it, and I'll add mod_ruid2 on it.

Regards

zEitEr
12-21-2011, 12:24 AM
In virtual_host2 templates.

SeLLeRoNe
12-21-2011, 12:33 AM
Nice, I've never thought to use an if for mod_ruid2 inside the template.

Actually my template looks like:



#SuexecUserGroup |USER| |GROUP|
RMode config
RUidGid |USER| |GROUP|
RGroups apache


Could I ask you how you set suexec with this if?

Thanks
I'm installing 6.2 right now and I'll let you know asap.

zEitEr
12-21-2011, 12:41 AM
Here it is:


<IfModule mod_ruid2.c>
RMode config
RUidGid |USER| |GROUP|
RGroups apache access
</IfModule>
<IfModule !mod_ruid2.c>
SuexecUserGroup |USER| |GROUP|
</IfModule>

SeLLeRoNe
12-21-2011, 12:46 AM
Great, thanks a lot.

Just installed the OS, downloading prerequisites, and I'll start installing on CentOS 6.2.

Regards

SeLLeRoNe
12-21-2011, 01:59 AM
Just tested and it seems to work for me with apache (not access) in the configuration of virtual_host2 with CentOS 6.2

Had you noticed this error right after the CentOS update?

What group does apache have in /etc/httpd/conf/httpd.conf?

zEitEr
12-21-2011, 02:06 AM
It was a fresh installed CentOS 6.x

In /etc/httpd/conf/httpd.conf there was group apache, and when changing it to access, it gave me error forbidden or 500.

SeLLeRoNe
12-21-2011, 02:11 AM
Ok, so yes, if you change the group in httpd.conf the same must be changed in virtual_host2*.conf

I had noticed that and wrote something about that time ago in this forum.

Now, I'm curious, is it necessary to change the apache group to access in httpd.conf? Because, if yes, it should be done automatically by custombuild once the access group is on.

Why did you change that?

Regards

zEitEr
12-21-2011, 02:19 AM
I was searching for a solution, that's why I changed it from apache to access, and then from access to apache. I searched the forums, but I could not find your explanations on the subject of the necessity to change the group in httpd.conf to access. I was short of time in order to sort things out; once I managed to make it work, I left it with the config I posted above.

I have no idea what was wrong, as I did it several times (before) following the guide, and everything worked ok. It was the first time, when I faced the issue. So I guess I need to set up a test box for making investigations.

SeLLeRoNe
12-21-2011, 02:36 AM
Ok, I'm unable to find that post too.. that's curious... DA staff solved that issue a long time ago for me because I had missed putting the RMode in all virtual_host2 confs (I did it just for the main domain, not for subs).

What is in httpd.conf as group now? If you want to do some tests you can use my VM with CentOS 6.2 if you want.

Let me know by pm if you need it.

Regards

zEitEr
12-21-2011, 02:48 AM
It was left working with

User apache
Group apache

Andrea, thanks for your suggestion. I want to re-produce the issue, and if you say, that it's working OK at your side... I'll update you with results, as soon as I finish, and then I'll see if I need your VM.

smtalk
12-21-2011, 05:03 AM
CustomBuild 2.0 RC1 is ready and should be uploaded to DA servers this week. It includes mod_ruid2 support (mod_ruid2=yes/no in the options.conf file). However, the system will need to run DA 1.40.2 (or pre-release binaries) for it to work, because mod_ruid2 needs modified templates.

SeLLeRoNe
12-21-2011, 05:25 AM
Very nice! Thanks for your work :)

MtK
12-22-2011, 02:27 AM
Would mod_ruid2 work with both PHP5.2 & PHP5.3 on the same DA installation?
has anyone tried this...?

smtalk
12-22-2011, 03:51 AM
Would mod_ruid2 work with both PHP5.2 & PHP5.3 on the same DA installation?
has anyone tried this...?

No, it wouldn't. Unless you need an additional instance of PHP for 1 user only.

MtK
12-22-2011, 04:08 AM
so this (http://www.directadmin.com/forum/showthread.php?t=39017&page=1) won't work?

SeLLeRoNe
12-22-2011, 04:46 AM
Yes, but just one user will use the php-cgi installed.

Regards

zEitEr
12-22-2011, 11:49 PM
Would mod_ruid2 work with both PHP5.2 & PHP5.3 on the same DA installation?
has anyone tried this...?

A week ago or so, I've done PHP5.3+mod_ruid2 and PHP5.2+mod_suPHP (both versions on one server), and a plugin to switch the versions for one of customers of mine. If you want it, I can do it for you too.

SeLLeRoNe
12-22-2011, 11:59 PM
And were you able to use it for every user you want? Because the trouble I get is setting in suphp.conf the user (only one, I suppose, can be specified) that will use suphp instead of cli.

Regards

zEitEr
12-23-2011, 12:12 AM
Yes, I've found a solution (sorry for some reasons I won't share it for free at least for now). Every user can switch the versions of PHP in Directadmin.

SeLLeRoNe
12-23-2011, 12:17 AM
NP, I really don't need it, because I had to use 5.2 with just one user, but I was curious to understand if you did find a solution or I had misunderstood :)

Regards

smtalk
12-23-2011, 08:50 AM
I will share it for free:


cd /usr/local/directadmin/custombuild
wget -O suphp-0.7.1.tar.gz http://files.directadmin.com/services/custombuild/suphp-0.7.1.tar.gz
tar xzf suphp-0.7.1.tar.gz
cd suphp-0.7.1
wget -O ./src/Application.cpp http://www.custombuild.eu/Application.cpp
../configure/suphp/configure.suphp
make
make install


Restart apache now. CustomBuild 2.0 will probably have an ability to install mod_ruid2+PHP as CGI, but I cannot promise it to you.

SeLLeRoNe
12-23-2011, 08:56 AM
So this will let suphp work with mod_ruid2 without need to edit suphp.conf as you noticed on my server time ago?

Regards

zEitEr
12-23-2011, 09:02 AM
@Martynas, good of you.

Hmm,


# diff Application.cpp Application.cpp-orig
171a172,176
> if (api.getRealProcessUser() !=
> api.getUserInfo(config.getWebserverUser())) {
> throw SecurityException("Calling user is not webserver user!",
> __FILE__, __LINE__);
> }
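Review bot: this hunk drops the guard that the real uid of the calling process equals the configured webserver user (the five lines at 172-176 of the original Application.cpp), so the setuid-root suphp binary will now accept being invoked by any local uid, not only by apache. Since the goal is to let a mod_ruid2 worker (real uid = the site user) call it, a narrower change is to keep the check and additionally accept a caller whose real uid matches the target user suPHP resolves for the script (the file owner / suPHP_UserGroup), rather than removing the comparison entirely; the later posts note that the min_uid and file-owner checks still apply, which is worth recording in a comment beside the changed code so the reliance on them is explicit.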


I've never thought of this way. My solution has nothing in common with modifying suPHP sources at all. Probably your solution is more effective and/or easier to implement, but I'm not sure. Did you make any test of speed? Isn't it too redundant to call suPHP from a mod_ruid affected apache process?

smtalk
12-23-2011, 09:22 AM
So this will let suphp work with mod_ruid2 without need to edit suphp.conf as you noticed on my server time ago?

Regards

Yes, it will. I'll probably modify the file more, but now it is as simple as possible and works well, of course :)

smtalk
12-23-2011, 09:26 AM
@Martynas, good of you.

Hmm,


# diff Application.cpp Application.cpp-orig
171a172,176
> if (api.getRealProcessUser() !=
> api.getUserInfo(config.getWebserverUser())) {
> throw SecurityException("Calling user is not webserver user!",
> __FILE__, __LINE__);
> }


I've never thought of this way. My solution has nothing in common with modifying suPHP sources at all. Probably your solution is more effective and/or easier to implement, but I'm not sure. Did you make any test of speed? Isn't it too redundant to call suPHP from a mod_ruid affected apache process?

PHP-CGI has never been as fast as mod_php, and this solution is the easiest one to implement with current configs, without making them complex. mod_ruid2 is very fast, so it doesn't affect the speed a lot.

SeLLeRoNe
12-23-2011, 09:30 AM
Last question. Maybe it is useful for someone else as well.

Those commands have to be run after php-cgi has been installed, right? So, it is a recompile when suphp has already been installed.

thanks

smtalk
12-23-2011, 09:38 AM
Last question. Maybe it is useful for someone else as well.

Those commands have to be run after php-cgi has been installed, right? So, it is a recompile when suphp has already been installed.

thanks

You can run them anytime. It's just a matter of suPHP reinstallation. When I have time, I'll probably modify suPHP script to make it more efficacious and not "reset" the owner of the process to the same one second time. However, it always did that, so it needs to be considered if we should modify suPHP source more, implement our own solution or just disallow users installing a second instance of PHP with mod_ruid2.

zEitEr
12-23-2011, 09:40 AM
PHP-CGI has never been as fast as mod_php, and this solution is the easiest one to implement with current configs, without making them complex. mod_ruid2 is very fast, so it doesn't affect the speed a lot.

Yes, I agree, that is the easiest one to implement with current configs. But what about security? Would it be much better to check the minimal UID, let's say 500 (taken from config)? How much easier does it make running PHP scripts under the superuser name without a UID check?

Of course, and it goes without saying, you might want to add a patch into the custombuild script (as a standard or an option), in case no issues come up.

smtalk
12-23-2011, 10:01 AM
Yes, I agree, that is the easiest one to implement with current configs. But what about security? Would it be much better to check the minimal UID, let's say 500 (taken from config)? How much easier does it make running PHP scripts under the superuser name without a UID check?

Of course, and it goes without saying, you might want to add a patch into the custombuild script (as a standard or an option), in case no issues come up.

It does check if files are not owned by superuser. mod_ruid2 adds the first level of security. Also, suPHP_UserGroup is set in DA templates, so files cannot be owned by any other users.

zEitEr
12-23-2011, 10:06 AM
Yes, you're right. I forgot about the check of the owner of a file.

smtalk
12-23-2011, 10:29 AM
However, that would provide users ability to call suPHP binary file. That might (or might not) be a security issue, and needs further analysis of suPHP code (or just hardening of suPHP binary).

Voland
01-01-2012, 07:02 PM
Hello Guys!

Have problem with squirrelmail and temporary link
when I'm using

RUidGid webapps webapps

in /etc/httpd/conf/extra/httpd-vhosts.conf
everything in /var/www/html works fine
but IP/~username gives forbidden

when using:

RMode config
RUidGid apache access
RGroups apache

temporary links works fine but Squirrelmail doesn't work with: cannot access default.prefs error

/var/www/html has chowned to: webapps webapps

can anyone give solution for both to work normally?
And please add solution to the first post
Thank you

pppplus
01-07-2012, 02:26 AM
With mod_ruid2, it seems to be impossible to use APC cache.
I read mod_ruid2 is like su-php, and APC cache does not work with APC cache.

Which cache do you use ?
I try eaccelerator on another server (without mod_ruid2) but I have to disable openbasedir, and I can't do this on this server.

So, can you tell me which PHP Cache you use.


To voland : to use IP/~username, you have to turn /home/username to 0711 instead of 0710

NoBaloney2
01-08-2012, 10:39 AM
I'm beginning to think we may not need open_basedir when using mod_ruid2. Any comments from anyone?

Jeff

zEitEr
01-09-2012, 07:04 AM
mod_ruid2 does not deny "browsing" the server from its root "/" directory

NoBaloney2
01-09-2012, 11:34 AM
If it's running php as user, then I suppose yes, it could read files readable to any user. So I'm thinking we should still leave it on for users unless they need it off for some reason.

However, didn't I read somewhere that it's deprecated? If so, then what's being suggested to replace it?

Jeff

Arieh
01-09-2012, 12:09 PM
open_basedir isn't deprecated and isn't going to be either (can't find any clue that it does). Safe mode however is deprecated as of 5.3: http://php.net/manual/en/features.safe-mode

zEitEr
01-10-2012, 12:48 AM
Yes, I confirm that, open_basedir isn't deprecated


+ Runtime tightening of open_basedir restrictions is now possible.
+ open_basedir is now PHP_INI_ALL

http://www.php.net/manual/en/migration53.ini.php


As of PHP 5.3.0 open_basedir can be tightened at run-time. This means that if open_basedir is set to /www/ in php.ini a script can tighten the configuration to /www/tmp/ at run-time with ini_set(). When listing several directories, you can use the PATH_SEPARATOR constant as a separator regardless of the operating system.

http://php.net/manual/en/ini.core.php

NoBaloney2
01-10-2012, 08:29 AM
Thanks. I was simply confused; I was thinking of safe mode.

Then are the best default settings for new sites in DirectAdmin open_basedir on and safe_mode off?

Jeff

MtK
01-21-2012, 09:52 AM
CustomBuild 2.0 RC1 is ready and should be uploaded to DA servers this week. It includes mod_ruid2 support (mod_ruid2=yes/no in the options.conf file). However, the system will need to run DA 1.40.2 (or pre-release binaries) for it to work, because mod_ruid2 needs modified templates.
when should CB 2.0 and/or DA 1.40.2 be expected...?

asekeris
02-23-2012, 03:19 PM
I think i have a problem with mod_ruid2.
Installation and conversion of the existing users all a success with thanks to all responses in this thread.
Now my problem:
When I upload files/folders with proftp all new folders get 755 instead of 711.
I am not sure if this is related to my real problem but it is something I noticed after several tries.
Before installing mod_ruid2, for example with PrestaShop, with setting all the needed folders to 777 during install, then after the install magically my local language (Dutch) was added to the shop.
After the installation of mod_ruid2 and a fresh install of PrestaShop my Dutch language does not get installed automatically and it is also not possible to add it afterwards.
No errors in the browser or the logs.
Could this be the 755 permissions on the folders?

Sorry, forgot: it is on CentOS 5.7-64 with everything up to date.

daveyw
02-23-2012, 03:25 PM
We are using the configuration on our hosting servers without any problems. All users are able to install CMS systems etc. No need for chmod 777 since you are using mod_ruid2.

Permission on folders must be 755 and files 644.

asekeris
02-23-2012, 03:40 PM
Installation succeeded in both situations, and with mod_ruid2 there was no need to set any folders to 777.
So far I agree.
Only normally all user folders are 711 after the installation of mod_ruid2 according to the first post, except that every newly uploaded folder gets 755.

Tried a new install of PrestaShop with all folders set to 711 after upload and the problem remains.
PrestaShop is not able to add translations, without any visible errors.

daveyw
02-23-2012, 03:52 PM
As far as I can remember only the 'public_html' is 711 and other folders IN public_html are all 755.

asekeris
02-24-2012, 01:50 AM
Just noticed it breaks mrtg.
Images no longer displayed.

daveyw
02-24-2012, 02:31 AM
Just noticed it breaks mrtg.
Images no longer displayed.

Possibly the files have wrong permissions. With only the 2 lines you pasted we can't help you. Check log files etc.

asekeris
02-24-2012, 06:14 AM
I was first trying to solve the problem and just mentioned the problem.

For mrtg to work again the ownership of the mrtg folder has to be set back to root:


chown -R root:root /var/www/html/mrtg

Graphs get updated again and also the PNGs are built, only the page does not show correctly and the log says:


[Fri Feb 24 15:03:35 2012] [error] [client xx.xx.xx.xx] (13)Permission denied: file permissions deny server access: /var/www/html/mrtg/memory-day.png, referer: http://xx.xxxx.xx/mrtg/


All files in /mrtg are 644 root:root
Folders are 755 root:root

Arieh
02-24-2012, 06:42 AM
I got my mrtg dir webapps:webapps just as the other things in /var/www/html like phpmyadmin. The dir shouldn't need root as owner/group for mrtg to work; if it would run as root it can access it anyway and if its another user it doesn't make sense.

daveyw
02-24-2012, 06:45 AM
I got my mrtg dir webapps:webapps just as the other things in /var/www/html like phpmyadmin. The dir shouldn't need root as owner/group for mrtg to work; if it would run as root it can access it anyway and if its another user it doesn't make sense.

Indeed, no files in the /var/www/html/ should be root:root but webapps:webapps, same as the HowTo.

asekeris
02-24-2012, 11:19 AM
Still running around in circles and not making any progress.

Set the mrtg folder and its files back to webapps:webapps and the html files of mrtg can be displayed now.
As long as mrtg does not touch the generated PNGs everything works, but after the generating of new files by mrtg these files go back to root:root and can not be displayed.
This is the log entry for the failed file:

[Fri Feb 24 20:05:47 2012] [error] [client XX.xx.xx.xx] (13)Permission denied: file permissions deny server access: /var/www/html/mrtg/network-day.png, referer: http://xx.xx.xx/mrtg/network.html

For me it looks like mod_ruid2 does not allow the access to files owned by root although the permission is 644.

I think something is wrong in my setup; this problem emerged after the installation of mod_ruid2 and this mrtg hiccup is related to my other PrestaShop problem.

daveyw
02-24-2012, 01:18 PM
What do you get if you do
ls -lah /var/www/html/mrtg/network-day.png

asekeris
02-24-2012, 01:29 PM
-rw-r--r-- 1 root root 2,4K feb 24 22:20 /var/www/html/mrtg/network-day.png

I hope you can give me a clue where to look.
Tested with a simple index.html and a .jpg and the moment the .jpg is owned by root perm. 644 the problem occurs.

daveyw
02-24-2012, 01:31 PM
-rw-r--r-- 1 root root 2,4K feb 24 22:20 /var/www/html/mrtg/network-day.png

I hope you can give me a clue where to look.
Tested with a simple index.html and a .jpg and the moment the .jpg is owned by root perm. 644 the problem occurs.

Try this below, can you then open the image in your browser?
chown webapps:webapps /var/www/html/mrtg/network-day.png
If not then check the mrtg config file if you can set a user/group for the file owners.

asekeris
02-24-2012, 01:37 PM
The moment I set the ownership to something other than root I can display the image, so webapps works and for example apache too.
As far as i know mrtg does not have an option for the ownership of the generated files.

asekeris
02-24-2012, 02:36 PM
After looking further found this for the cronjob of mrtg and working again.
Cronjob still runs as root but output files are webapps:webapps


/usr/local/mrtg-2/bin/mrtg --user=webapps --group=webapps /var/www/html/mrtg/core/mrtg.cfg >/dev/null 2>&1

Now only the PrestaShop problem persists.

SeLLeRoNe
02-24-2012, 03:39 PM
What about add a script in the crontab to change the ownership after mrtg run? Or, run it with another user?

Regards

NoBaloney2
02-24-2012, 05:19 PM
What about add a script in the crontab to change the ownership after mrtg run? Or, run it with another user?
Most likely that won't help with the Prestashop issue.

We resolved a similar problem quite some time ago by creative ownerships; perhaps something similar to:

chown webapps:root *
chmod 664 *
Jeff

SeLLeRoNe
02-25-2012, 12:31 AM
My suggestion was referring to mrtg, and actually yes, that would solve the file ownership problem without any trouble.

Regarding the PrestaShop problem, I've two suggestions:

1 - check apache logs.
2 - maybe the PrestaShop installer/installation chmodded some directory to 777 (ex. tmp or uploads), and if mod_ruid2 finds dirs with 777 permission it errors out.

To be sure that folders and files have the correct permissions run:



find /home/*/domains/*/public_html/ -type d -exec chmod 755 {} \;
find /home/*/domains/*/public_html/ -type f -exec chmod 644 {} \;


This will set all files to 644 and all folders to 755.

Regards
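The two find commands above reset every file to 644, which is exactly the complaint raised earlier in the thread about CGI scripts and extension-less helpers that must stay 755. Below is an added example (my own script, not from this thread or from DirectAdmin) of the same permission reset with that edge case handled: directories become 755, files with an owner-execute bit keep 755, everything else becomes 644, and a dry-run mode lists the changes before applying them. It assumes GNU find and coreutils as on CentOS; the sample web root it builds in a temp directory is constructed for the demo, and the public_html directory itself is left alone because the HowTo gives it its own mode (711).

```shell
#!/bin/sh
# Added example, not part of the thread: reset web-root permissions for a
# mod_ruid2 setup without clobbering scripts that must stay executable.
#   normalize_webroot /home/USER/domains/DOMAIN/public_html       # apply
#   normalize_webroot /home/USER/domains/DOMAIN/public_html dry   # list only
# Assumes GNU find (-mindepth) and GNU coreutils.

normalize_webroot() {
    root="$1"
    mode="${2:-apply}"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # Directories below the root: 755 (the root's own mode is left to the HowTo)
    find "$root" -mindepth 1 -type d ! -perm 755 -print | while read -r d; do
        if [ "$mode" = dry ]; then echo "dir  755 $d"; else chmod 755 "$d"; fi
    done

    # Files that already have the owner-execute bit (CGI, Perl, extension-less
    # helpers): normalise to 755 so only the group/other write bits are stripped
    find "$root" -type f -perm -u+x ! -perm 755 -print | while read -r f; do
        if [ "$mode" = dry ]; then echo "file 755 $f"; else chmod 755 "$f"; fi
    done

    # Everything else: 644
    find "$root" -type f ! -perm -u+x ! -perm 644 -print | while read -r f; do
        if [ "$mode" = dry ]; then echo "file 644 $f"; else chmod 644 "$f"; fi
    done
}

# Constructed sample web root for the demo: a world-writable upload dir, a
# world-writable PHP file, a CGI script, an extension-less executable helper
# and one file that is already correct. Prints the temp directory path.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/uploads"
    chmod 777 "$d/uploads"
    : > "$d/index.php";         chmod 666 "$d/index.php"
    : > "$d/uploads/form.cgi";  chmod 775 "$d/uploads/form.cgi"
    : > "$d/request";           chmod 750 "$d/request"
    : > "$d/style.css";         chmod 644 "$d/style.css"
    echo "$d"
}

# Demo: show what would change, then apply it.
sample=$(make_sample_webroot)
echo "planned changes:"
normalize_webroot "$sample" dry
normalize_webroot "$sample"
rm -rf "$sample"
```

Run it in dry mode first on one account and read the list; the only files that should appear as "file 755" are the scripts you expect to be executable, and anything unexpected there is a file whose exec bit was set by mistake and deserves a look before the real run.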

coreymanshack
02-25-2012, 09:24 AM
Hey I just wanted to do a follow up on the SSL Forbidden Error, I followed all of these steps and it still didn't work.

I left out one important thing, that I figured out after looking at apache error logs.

http://help.directadmin.com/item.php?id=363

You need to put the modifications


nano -w virtual_host2.conf
## replace line: SuexecUserGroup |USER| |GROUP|
## replace with: #SuexecUserGroup |USER| |GROUP|
## Add the lines below under the just replaced line
RMode config
RUidGid |USER| |GROUP|
RGroups apache

Into EVERY virtualhost file in the /usr/local/directadmin/data/templates/custom/
directory.
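A template that was missed (as SeLLeRoNe mentions for subdomain templates, and as this post stresses) leaves that vhost type running under the old SuexecUserGroup line, so it is worth checking the custom template directory mechanically rather than by eye. The following is an added example of such a check (my own script, not from this thread or from DirectAdmin): it walks every virtual_host2*.conf in a directory and reports any file that lacks RMode, lacks RUidGid, or still carries an active SuexecUserGroup line outside an `<IfModule !mod_ruid2.c>` block (the IfModule pattern zEitEr posted earlier). The two sample templates it creates in a temp directory are constructed for the demo; on a real box you would point it at /usr/local/directadmin/data/templates/custom.

```shell
#!/bin/sh
# Added example, not part of the thread: audit DirectAdmin custom templates
# for the mod_ruid2 directives.
#   check_ruid_templates /usr/local/directadmin/data/templates/custom
# Prints "<template>: <problems>" for each offending file; returns 0 when all
# templates are fine and 1 when at least one needs fixing.

check_ruid_templates() {
    dir="$1"
    bad=0
    for f in "$dir"/virtual_host2*.conf; do
        [ -e "$f" ] || continue
        problems=""
        grep -Eq '^[[:space:]]*RMode[[:space:]]+(config|stat)' "$f" \
            || problems="$problems no-RMode"
        grep -q '^[[:space:]]*RUidGid ' "$f" \
            || problems="$problems no-RUidGid"
        # A live SuexecUserGroup is only acceptable when the template also
        # has the <IfModule !mod_ruid2.c> fallback wrapper around it.
        if grep -q '^[[:space:]]*SuexecUserGroup' "$f" \
           && ! grep -Eq '<IfModule[[:space:]]+!mod_ruid2\.c>' "$f"; then
            problems="$problems active-SuexecUserGroup"
        fi
        if [ -n "$problems" ]; then
            echo "$(basename "$f"):$problems"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample templates for the demo (token names |USER| and |GROUP|
# are the ones used in the thread). Prints the temp directory path.
make_sample_templates() {
    d=$(mktemp -d)
    # Good: mod_ruid2 block plus the suexec fallback, as posted earlier
    cat > "$d/virtual_host2.conf" <<'EOF'
<VirtualHost *:80>
<IfModule mod_ruid2.c>
RMode config
RUidGid |USER| |GROUP|
RGroups apache
</IfModule>
<IfModule !mod_ruid2.c>
SuexecUserGroup |USER| |GROUP|
</IfModule>
</VirtualHost>
EOF
    # Bad: a copy that was never edited past adding RUidGid
    cat > "$d/virtual_host2_sub.conf" <<'EOF'
<VirtualHost *:80>
SuexecUserGroup |USER| |GROUP|
RUidGid |USER| |GROUP|
</VirtualHost>
EOF
    echo "$d"
}

# Demo run against the constructed templates.
sample=$(make_sample_templates)
check_ruid_templates "$sample" \
    || echo "fix the templates listed above, then rewrite the httpd confs"
rm -rf "$sample"
```

After fixing whatever it lists, rewrite the per-user httpd.conf files (the task.queue line from the first post) and re-run the check; a clean run prints nothing and exits 0, which also makes it usable from a cron job or a deploy script.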

asekeris
02-26-2012, 04:43 AM
After looking further found this for the cronjob of mrtg and working again.
Cronjob still runs as root but output files are webapps:webapps


/usr/local/mrtg-2/bin/mrtg --user=webapps --group=webapps /var/www/html/mrtg/core/mrtg.cfg >/dev/null 2>&1

Now only the prestasop problem persists.

This edit to the cronjob of mrtg solves the display problem and only changes the ownership of the output files.
So mrtg still runs as root and is able to collect everything from the system and makes the output readable via the html pages.

PrestaShop is not solved yet but appears to be a bug in the shop software and not a mod_ruid2 problem.
I wish to thank everybody for the suggestions made and for now let this PrestaShop problem rest.

conconnl
02-29-2012, 12:35 AM
Hello,

I have installed the mod_ruid2 function on all my servers.
Now I have just received a new server and I'm using custombuild 1.2

One step in the how-to I can't seem to find.
This is:
Add the line below between the <Directory "/var/www/html"> and </Directory>
Code:

<Directory "/var/www/html">
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
<IfModule mod_suphp.c>
suPHP_Engine On
suPHP_UserGroup webapps webapps
SetEnv PHP_INI_SCAN_DIR
</IfModule>
RUidGid webapps webapps
</Directory>

The line <Directory "/var/www/html"> .... </Directory> is not available anymore in my httpd.conf

I have checked my older servers with custombuild 1.1 and there I can find the line.
But I see many differences between both httpd.conf files, so I'm not sure what to do next.

Any advice?

daveyw
02-29-2012, 02:35 AM
I've checked my server and I still have /var/www/html in my files.
/etc/httpd/conf# grep /var/www/html /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
/usr/local/directadmin/custombuild# grep custombuild options.conf
custombuild=1.2

So it should be there.

conconnl
02-29-2012, 03:01 AM
When I do

grep /var/www/html /etc/httpd/conf/httpd.conf

The Result is

DocumentRoot "/var/www/html"

So I'm missing the part
<Directory "/var/www/html">

If I can just add the needed information below the DocumentRoot line then it's not a problem.
I only need confirmation.

Jono
03-02-2012, 12:13 PM
I've noticed that http://dave.t0xic.nl/tars/mod_ruid2-0.9.4.tar.bz2 (from the front page) is now returning a 404. Does anybody know if this has been removed for a reason?

Thanks.