Mod ruid2


This page is dedicated to the use of mod_ruid2 with DirectAdmin. mod_ruid2 is meant for php-cli installations to offer extra security and convenience for customers. Below you will find a tutorial on how to install it.


Introduction

mod_ruid2 makes sure that files served through apache are executed as the user created by DirectAdmin, whereas in a default php-cli installation all files are executed as the user apache. Because of this, lower chmod settings are sufficient. Chmod 777 or 666 is never necessary with mod_ruid2. The default chmod values are fine: 0644 for files, 0755 for directories.

mod_ruid2 vs other uid solutions

By default, DirectAdmin also offers a solution for executing php scripts as the user, with suPHP through php-cgi. However, suPHP is very slow in comparison. There are also various other options, mpm-itk for example. At the moment mod_ruid2 seems to be the fastest.

Safety

mod_ruid2 switches httpd's child processes between user ids through posix capabilities. This is the reason why it's so fast: other uid php implementations need to spawn a new child process for each user. But this swapping method also comes with a security risk. If there is a bug in apache or php, this could theoretically be exploited to swap to root. It's also necessary to disable the php function dl(), because otherwise a module with swapping functions could be loaded. This is disabled by default through the enable_dl setting, which should be set to Off. Another extra is to disable php's own posix functions. And always keep apache/php updated when there's a security update. Additionally you could disable site access through ip/~user, because mod_ruid2 is not in effect there; if users try to install e.g. WordPress there it will fail. Also, regarding the possible swapping exploit, the author says to "use some security patch in kernel (grsec), or something".

  • In php.ini, make sure enable_dl is set to Off
  • Comment out or remove both AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2 lines in /etc/httpd/conf/extra/httpd-vhosts.conf
  • grsecurity: tutorial about it is not present at the time
  • Disable posix in php by excluding it at compile time:
cd /usr/local/directadmin/custombuild
mkdir -p custom/ap2/
cp configure/ap2/configure.php5 custom/ap2/
nano custom/ap2/configure.php5

and add --disable-posix in there, e.g. at the end:

       --enable-sockets \
       --enable-mbstring \
       --disable-posix

Then recompile php to make the posix change live:

./build php n

Remember that you can also copy configure/ap2/conf/extra/httpd-vhosts.conf to custom/ap2/conf/extra/httpd-vhosts.conf and make the AliasMatch changes in there as well, so they survive if you ever need to rewrite the httpd config files.

The (not too distant) future

Another competitor in the market is PHP-FPM. It will be available for DirectAdmin in custombuild 2.0, which will be available in beta/rc very soon. The security issue previously mentioned does not apply: PHP-FPM uses CGI, and the uid of the children is set at the moment of spawning, so there is no switching. It may be a bit slower (I have no data on comparison speeds), but definitely not as slow as suphp, because with PHP-FPM children stay alive for a while, whereas with suphp every hit spawns a new child. Memory may be a factor. Another nice detail is that with PHP-FPM, opcode caches such as apc/xcache/eaccelerator will use shared memory, something not possible with many other CGI solutions. Of course mod_ruid2 also offers this shared opcode caching. Undoubtedly we will be hearing more about PHP-FPM in the future.

How to install mod_ruid2

These steps work for both apache 2.2 and 2.4, with php-cli, using Custombuild 1.1 or 1.2. Custombuild 2.0 contains mod_ruid2 by itself.



Temporary issue when using DA version 1.43.0

See:

http://www.directadmin.com/features.php?id=1438
http://forum.directadmin.com/showthread.php?t=37467&page=25&p=235715#post235715


First install its dependencies:

CentOS:

yum install libcap-devel

Debian:

apt-get install libcap-dev


Download the latest version of mod_ruid2 into a folder of your choice; it is only used to download and build from.

wget http://sourceforge.net/projects/mod-ruid/files/latest/download

Unpack it (change the version number if needed), then build and install the module with apxs:

tar xvjf mod_ruid2-0.9.7.tar.bz2
cd mod_ruid2-0.9.7
apxs -a -i -l cap -c mod_ruid2.c

If it installed correctly, apxs reports that it added a line to httpd.conf. You can easily check that it's indeed there with the following command.

grep mod_ruid2 /etc/httpd/conf/httpd.conf

It should output something similar to:

LoadModule ruid2_module       /usr/lib/apache/mod_ruid2.so

Then you need to modify two config files. The first one is the main httpd.conf.

With the following command, we insert RUidGid apache access into the config file at a convenient place, directly after the Group apache line.

sed -i 's|\(Group apache\)|\1\n\n# Mod_ruid\nRMode config\nRUidGid apache access|g' /etc/httpd/conf/httpd.conf

Note: if you have disabled DirectAdmin's Secure Access Group (it's enabled by default on new installs), then you would use RUidGid apache apache. In case you wonder why these are specified in this config: it's the default, which gets overridden most of the time. When accessing a user's website, this value is internally overridden by RUidGid user user. DirectAdmin already has these config lines by default; see for example /usr/local/directadmin/data/users/admin/httpd.conf and look for RUidGid.

The second config file we edit makes sure that web apps like RoundCube/SquirrelMail/phpMyAdmin are executed as the webapps user.

nano /etc/httpd/conf/extra/httpd-directories.conf

Look for the <Directory "/var/www/html"> block, and insert the following line

RUidGid webapps webapps

For example it could look like this:

<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
   <IfModule mod_suphp.c>
        suPHP_Engine On
        suPHP_UserGroup webapps webapps
        SetEnv PHP_INI_SCAN_DIR
   </IfModule>
   RUidGid webapps webapps
</Directory>

Again, remember that you can also add this file at configure/ap2/conf/extra/


Then httpd needs to be restarted, so the changes we just made take effect. A good practice is to first run /etc/init.d/httpd configtest, so that you only restart httpd once you are sure there are no config errors.

/etc/init.d/httpd configtest
/etc/init.d/httpd restart

Now we can test if it really works with a php script.

Create a file, e.g. ruid.php in a public_html, and insert the following:

<?php
// With mod_ruid2 active, both the directory and the file should end up owned by the DA user, not apache.
mkdir('ruidtest');
file_put_contents('ruidtest/test.txt', 'Hello!');
?>

Run the script by accessing it through the browser and check whether the directory ruidtest and the file test.txt have been created. The owner of the directory and file should be the DA user. You could also try to install a CMS like WordPress and install some plugins; it should all work automatically without having to change the chmod.

Please note that accessing it through ip/~user won't work. Read under Safety how to disable it if you want.
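As an added example (not part of the original page, DirectAdmin or mod_ruid2), a small POSIX shell audit that checks the Safety items above (enable_dl set to Off, the ~user AliasMatch commented out) together with the RMode/RUidGid default inserted into httpd.conf during installation. It runs against constructed config fragments written to a temp directory; the file names, the PASS/FAIL wording and the function names are assumptions, and the --disable-posix step is not checked because that requires inspecting the compiled php itself.

```shell
#!/bin/sh
# Audit for the mod_ruid2 hardening steps on this page (added example, not a DirectAdmin script).
# Constructed config fragments are written to a temp dir so the checks run offline; in production
# point the functions at the real php.ini, httpd-vhosts.conf and httpd.conf instead.
AUDIT_DIR=$(mktemp -d)
trap 'rm -rf "$AUDIT_DIR"' EXIT

PHP_INI_OK="$AUDIT_DIR/php-ok.ini"      # constructed: enable_dl correctly Off
printf 'expose_php = Off\nenable_dl = Off ; never allow runtime module loading\n' > "$PHP_INI_OK"
PHP_INI_BAD="$AUDIT_DIR/php-bad.ini"    # constructed: commented-out Off, live On
printf '; enable_dl = Off\nenable_dl = On\n' > "$PHP_INI_BAD"

VHOSTS_BAD="$AUDIT_DIR/vhosts-bad.conf" # constructed: ip/~user alias still active
printf '<VirtualHost *:80>\n    AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2\n</VirtualHost>\n' > "$VHOSTS_BAD"
VHOSTS_OK="$AUDIT_DIR/vhosts-ok.conf"   # constructed: alias commented out as the Safety section advises
printf '<VirtualHost *:80>\n    #AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2\n</VirtualHost>\n' > "$VHOSTS_OK"

HTTPD_OK="$AUDIT_DIR/httpd-ok.conf"     # constructed: the lines the sed command above inserts
printf 'User apache\nGroup apache\n\n# Mod_ruid\nRMode config\nRUidGid apache access\n' > "$HTTPD_OK"

# 0 when the last active enable_dl line is Off (a missing or commented-out line counts as a failure).
enable_dl_is_off() {
    val=$(sed -n 's/^[[:space:]]*enable_dl[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1 |
          sed 's/[[:space:];].*$//' | tr '[:upper:]' '[:lower:]')
    case "$val" in off|0|no|false) return 0 ;; *) return 1 ;; esac
}

# 0 when no uncommented ~user AliasMatch remains (mod_ruid2 does not apply to ip/~user URLs).
user_alias_disabled() {
    ! grep -Eq '^[[:space:]]*AliasMatch[[:space:]]+\^/~' "$1"
}

# 0 when httpd.conf carries the RMode config / RUidGid default (apache access, or apache apache
# when DirectAdmin's Secure Access Group is disabled).
ruidgid_default_present() {
    grep -Eq '^[[:space:]]*RMode[[:space:]]+config' "$1" &&
    grep -Eq '^[[:space:]]*RUidGid[[:space:]]+apache[[:space:]]+(access|apache)' "$1"
}

# Runs every check against php.ini, httpd-vhosts.conf and httpd.conf; returns the number of failures.
run_audit() {
    fails=0
    enable_dl_is_off "$1"        && echo "PASS enable_dl is Off"          || { echo "FAIL enable_dl is not Off";           fails=$((fails + 1)); }
    user_alias_disabled "$2"     && echo "PASS ~user AliasMatch disabled" || { echo "FAIL ~user AliasMatch still active"; fails=$((fails + 1)); }
    ruidgid_default_present "$3" && echo "PASS RUidGid default present"   || { echo "FAIL RUidGid default missing";       fails=$((fails + 1)); }
    return "$fails"
}

run_audit "$PHP_INI_OK" "$VHOSTS_OK" "$HTTPD_OK"
```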

Converting an existing environment

If you want to convert an existing environment, and have users with apache-owned files, you can run the following lines to reset all permissions correctly.

cd /usr/local/directadmin/scripts && ./set_permissions.sh user_homes
find /home/*/domains/*/public_html -type d -print0 | xargs -0 chmod 755
find /home/*/domains/*/public_html -type f -print0 | xargs -0 chmod 644
find /home/*/domains/*/public_html -type f -name '*.cgi*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pl*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pm*' -exec chmod 755 {} \;
cd /usr/local/directadmin/data/users && for i in *; do chown -R "$i:$i" /home/"$i"/domains/*/public_html; done

SquirrelMail

Sometimes people run into issues with squirrelmail after switching to mod_ruid2. You can try the following:

chown -R webapps:webapps /var/www/html/squirrelmail/data


Credits go to many people, among them users on directadmin.com/forum/ and webhostingtalk.nl, and especially the person who created mod_ruid2, based on mod_ruid and mod_suid2.

--Arie (talk) 30 Jun 2012 18:23 (CEST)
