How to upgrade your Directadmin server with mod_ruid2

Introduction

In this post I want to introduce you to the Apache module mod_ruid2. Mod_ruid2 is a Apache module for PHP-CLI installations to offer extra security and convenience for customers. In this post we will explain how mod_ruid2 works and how you can install it at your Directadmin server.
When you are using mod_ruid2, the webserver will run under the Apache user, but the files that are executed will run as the Directadmin user. Where in the default PHP-CLI installation everything is executed as the Apache user. Because of this, lower chmod settings are sufficient. Chmod 777 or 666 are never needed with mod_ruid2. Instead, you can use 644 for files and 755 for directories. But permissions can be even lower to make your websites more secure, 600 for files should be possible.

Safety

Mod_ruid2 uses the posix capabilities to switch the Apache child processes to the user id of the Direcadmin user. This method is the reason that mod_ruid2 is so fast compared to other methods such as SuPHP. But this method comes with a security risk. When there is a specific bug within Apache or PHP, it can be possible to be exploid this to swap to the root user. This is only a worst-case scenario, but it is important to prevent it at any moment. Another risk is the user loading a module with the swapping functions, this is why the php function dl() should always be disabled. Luckily, dl() is disabled by default, but it is recommended that you check it, it can be disabled by the enable_dl setting in the php.ini. Another upgrade to the security is to disable PHPs own posix functions, we will explain this in the installation part of this post. Additionally you could disable site access through ip/~user, because mod_ruid2 is not in effect there. If users try to install a CMS there it fill fail.

• In php.ini, make sure enable_dl is set to Off
• Comment out or remove both AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2 lines in /etc/httpd/conf/extra/httpd-vhosts.conf
• Disable posix in php by excluding it at compiling

Installation

Disable posix in php by excluding it at compiling.

cd /usr/local/directadmin/custombuild
mkdir -p custom/ap2/
cp configure/ap2/configure.php5 custom/ap2/
vi custom/ap2/configure.php5

and add –disable-posix in there, e.g. at the end:

       --enable-sockets \
       --enable-mbstring \
       --disable-posix

Then recompile php to make the posix change live:

./build php n

Next, install all the dependencies.
Under CentOS, Redhat, Fedora or Scientific Linux you can use:

yum install libcap-devel

And for Debian based systems such as Ubuntu and Debian itself:

apt-get install libcap-dev

Download the latest version of mod_ruid2.

cd /usr/local/src
wget http://downloads.sourceforge.net/project/mod-ruid/mod_ruid2/mod_ruid2-0.9.8.tar.bz2

Unpack it (change the version if needed).

tar xvjf mod_ruid2-0.9.8.tar.bz2
cd mod_ruid2-0.9.8
apxs -a -i -l cap -c mod_ruid2.c

If it installed correctly, it should say it added a line to the httpd.conf. You can easily check if it’s indeed there by the following command.

grep mod_ruid2 /etc/httpd/conf/httpd.conf

It should output something similar as:

LoadModule ruid2_module       /usr/lib/apache/mod_ruid2.so

Then you need to modify two config files. The first one is the main httpd.conf.
With the following command, we insert RUidGid apache access into the config file in a convenient place.

sed -i 's|\(Group apache\)|


# Mod_ruid
RMode config
RUidGid apache access|g' /etc/httpd/conf/httpd.conf

The second config file we edit, is to make sure web apps like RoundCube/SquirrelMail/phpMyAdmin are being executed as webapps.

vi /etc/httpd/conf/extra/httpd-directories.conf

Look for the <Directory “/var/www/html”> block, and insert the following line:

RUidGid webapps webapps

For example it could look like this:

<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all

        suPHP_Engine On
        suPHP_UserGroup webapps webapps
        SetEnv PHP_INI_SCAN_DIR

   RUidGid webapps webapps

Then httpd needs to be restarted, so changes we just made are in effect. A good practice is to first run /etc/init.d/httpd configtest, so you can then restart httpd after being sure there will be no config errors.

/etc/init.d/httpd configtest
/etc/init.d/httpd restart

Now we can test if it really works with a php script.
Create a file, e.g. ruid.php in a public_html, and insert the following:

<?php
 mkdir(‘modruid2′);
 file_put_contents(‘modruid2/test.txt’, ‘Hello World’);
?>

Run the script by accessing it through the browser and see if the directory ruidtest and the test.txt file are being made. The owner of the dir/file should be the Directadmin user. You could also try to install a CMS like WordPress and install some plugins, it should all be possible automatically without having to change the chmod.

Converting an existing envoirment

If you want to convert an existing environment, and have users with apache owned files, you can run the following lines to reset all permissions correctly.

cd /usr/local/directadmin/scripts && ./set_permissions.sh user_homes
find /home/*/domains/*/public_html -type d -print0 | xargs -0 chmod 755
find /home/*/domains/*/public_html -type f -print0 | xargs -0 chmod 644
find /home/*/domains/*/public_html -type f -name '*.cgi*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pl*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pm*' -exec chmod 755 {} \;
cd /usr/local/directadmin/data/users && for i in `ls`; do { chown -R $i:$i /home/$i/domains/*/public_html;}; done;
chown -R webapps:webapps /var/www/html/squirrelmail/data