Introduction
In this post I want to introduce you to the Apache module mod_ruid2. mod_ruid2 is an Apache module for PHP-CLI installations that offers extra security and convenience for customers. This post explains how mod_ruid2 works and how you can install it on your Directadmin server.
When you are using mod_ruid2, the webserver itself still runs as the Apache user, but the files it executes run as the Directadmin user that owns them, whereas in the default PHP-CLI installation everything is executed as the Apache user. Because of this, lower chmod settings are sufficient: chmod 777 or 666 are never needed with mod_ruid2. Instead you can use 644 for files and 755 for directories, and permissions can be even lower to make your websites more secure; 600 for files should be possible.
Safety
mod_ruid2 uses POSIX capabilities to switch the Apache child processes to the user id of the Directadmin user. This method is the reason mod_ruid2 is so fast compared to other methods such as suPHP, but it comes with a security risk: a specific bug in Apache or PHP could make it possible to exploit this mechanism to swap to the root user. This is a worst-case scenario, but it is important to prevent it. Another risk is a user loading a module that contains the switching functions, which is why the PHP function dl() should always be disabled. Luckily, dl() is disabled by default, but it is recommended that you check it; it is controlled by the enable_dl setting in php.ini. A further security improvement is to disable PHP's own posix functions, which we explain in the installation part of this post. Additionally you could disable site access through ip/~user, because mod_ruid2 is not in effect there; if users try to install a CMS through that path it will fail.
- In php.ini, make sure enable_dl is set to Off
- Comment out or remove both AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2 lines in /etc/httpd/conf/extra/httpd-vhosts.conf
- Disable posix in PHP by excluding it when compiling
Installation
Disable posix in PHP by excluding it when compiling.
cd /usr/local/directadmin/custombuild
mkdir -p custom/ap2/
cp configure/ap2/configure.php5 custom/ap2/
vi custom/ap2/configure.php5
and add --disable-posix in there, e.g. at the end:
--enable-sockets \
--enable-mbstring \
--disable-posix
Then recompile php to make the posix change live:
./build php n
Next, install all the dependencies.
Under CentOS, Redhat, Fedora or Scientific Linux you can use:
yum install libcap-devel
And for Debian based systems such as Ubuntu and Debian itself:
apt-get install libcap-dev
Download the latest version of mod_ruid2.
cd /usr/local/src
wget http://downloads.sourceforge.net/project/mod-ruid/mod_ruid2/mod_ruid2-0.9.8.tar.bz2
Unpack it (change the version if needed).
tar xvjf mod_ruid2-0.9.8.tar.bz2
cd mod_ruid2-0.9.8
apxs -a -i -l cap -c mod_ruid2.c
If it installed correctly, it should say it added a line to httpd.conf. You can easily check that it is indeed there with the following command.
grep mod_ruid2 /etc/httpd/conf/httpd.conf
It should output something similar to:
LoadModule ruid2_module /usr/lib/apache/mod_ruid2.so
Then you need to modify two config files. The first one is the main httpd.conf.
With the following command we insert RUidGid apache access into the config file in a convenient place, directly after the Group apache line. The \1 keeps the Group apache line itself, and the \n sequences in the replacement require GNU sed (the version shipped with the distributions named above).
sed -i 's|\(Group apache\)|\1\n\n# Mod_ruid\nRMode config\nRUidGid apache access|g' /etc/httpd/conf/httpd.conf
The second config file we edit makes sure that web apps like RoundCube, SquirrelMail and phpMyAdmin are executed as the webapps user.
vi /etc/httpd/conf/extra/httpd-directories.conf
Look for the <Directory "/var/www/html"> block, and insert the following line:
RUidGid webapps webapps
For example it could look like this:
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    suPHP_Engine On
    suPHP_UserGroup webapps webapps
    SetEnv PHP_INI_SCAN_DIR
    RUidGid webapps webapps
</Directory>
Then httpd needs to be restarted so the changes we just made take effect. It is good practice to first run /etc/init.d/httpd configtest, so that you restart httpd only after being sure there are no config errors.
/etc/init.d/httpd configtest
/etc/init.d/httpd restart
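The following script is an added example, not code from the original post or from the mod_ruid2 project. It checks the items of the Safety list above (enable_dl set to Off, the /~user AliasMatch lines disabled, no posix extension in the output of php -m) together with the two lines the installation steps add to httpd.conf (LoadModule ruid2_module and RUidGid apache access). Every check takes a file path, so on a real server you would point them at your php.ini, /etc/httpd/conf/extra/httpd-vhosts.conf, /etc/httpd/conf/httpd.conf and a saved php -m listing; the sample files it builds in a temporary directory here are constructed, as is the deliberately wrong php-bad.ini used to show a failing check.

```shell
#!/bin/sh
# Added example, not code from the original post or the mod_ruid2 project.
# Audits the Safety checklist (enable_dl, /~user AliasMatch, posix extension)
# and the two lines the installation adds to httpd.conf. Each check takes a
# file path, so the same functions run against the live files or, as here,
# against constructed samples in a temporary directory.

# 0 if enable_dl is explicitly set to Off in the given php.ini, 1 otherwise.
check_enable_dl() {
    grep -Eiq '^[[:space:]]*enable_dl[[:space:]]*=[[:space:]]*off[[:space:]]*$' "$1"
}

# 0 if no active (uncommented) AliasMatch for /~user remains in the vhosts file.
check_no_user_alias() {
    ! grep -Eq '^[[:space:]]*AliasMatch[[:space:]]+\^/~' "$1"
}

# 0 if httpd.conf both loads ruid2_module and sets RUidGid for the apache user.
check_httpd_ruid() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ruid2_module[[:space:]]' "$1" &&
        grep -Eq '^[[:space:]]*RUidGid[[:space:]]+apache[[:space:]]+access' "$1"
}

# 0 if the posix extension is absent from a saved `php -m` listing.
check_no_posix() {
    ! grep -Eiq '^posix$' "$1"
}

# Runs all four checks against php.ini, vhosts conf, httpd.conf and the
# `php -m` listing given as $1..$4; prints one line per check and returns
# the number of failed checks (0 means the setup matches the post).
audit_ruid_config() {
    fails=0
    check_enable_dl "$1"     && echo "ok   enable_dl is Off"                || { echo "FAIL enable_dl is not Off";              fails=$((fails + 1)); }
    check_no_user_alias "$2" && echo "ok   no /~user AliasMatch active"     || { echo "FAIL /~user AliasMatch still active";    fails=$((fails + 1)); }
    check_httpd_ruid "$3"    && echo "ok   ruid2_module loaded, RUidGid set" || { echo "FAIL ruid2_module or RUidGid missing";   fails=$((fails + 1)); }
    check_no_posix "$4"      && echo "ok   posix extension absent"          || { echo "FAIL posix extension still compiled in"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files standing in for the real ones.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/php.ini" <<'EOF'
; constructed sample php.ini
enable_dl = Off
EOF
cat > "$SAMPLES/httpd-vhosts.conf" <<'EOF'
# constructed sample: both /~user aliases commented out as the post recommends
#AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
#AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
EOF
cat > "$SAMPLES/httpd.conf" <<'EOF'
LoadModule ruid2_module /usr/lib/apache/mod_ruid2.so
User apache
Group apache

# Mod_ruid
RMode config
RUidGid apache access
EOF
# `php -m` output after rebuilding PHP with --disable-posix: no "posix" line.
printf 'Core\nmbstring\nsockets\n' > "$SAMPLES/php-modules.txt"
# A php.ini that still allows dl(), to show a failing check.
printf 'enable_dl = On\n' > "$SAMPLES/php-bad.ini"

if audit_ruid_config "$SAMPLES/php.ini" "$SAMPLES/httpd-vhosts.conf" \
        "$SAMPLES/httpd.conf" "$SAMPLES/php-modules.txt"; then
    echo "hardened sample: all checks pass"
fi
if ! audit_ruid_config "$SAMPLES/php-bad.ini" "$SAMPLES/httpd-vhosts.conf" \
        "$SAMPLES/httpd.conf" "$SAMPLES/php-modules.txt"; then
    echo "sample with enable_dl = On: 1 failed check"
fi
```

Run it once after the restart and again after every PHP rebuild, since ./build php recreates php.ini settings and the compiled module list; a FAIL on the posix line means the custom configure.php5 was not picked up.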
Now we can test if it really works with a php script.
Create a file, e.g. ruid.php, in a public_html directory and insert the following:
<?php
mkdir('modruid2');
file_put_contents('modruid2/test.txt', 'Hello World');
?>
Run the script by opening it in the browser and check that the modruid2 directory and the test.txt file inside it are created. The owner of the directory and file should be the Directadmin user. You could also try to install a CMS like WordPress together with some plugins; it should all work automatically without having to change the chmod.
Converting an existing environment
If you want to convert an existing environment in which users have Apache-owned files, you can run the following lines to reset all permissions correctly.
cd /usr/local/directadmin/scripts && ./set_permissions.sh user_homes
find /home/*/domains/*/public_html -type d -print0 | xargs -0 chmod 755
find /home/*/domains/*/public_html -type f -print0 | xargs -0 chmod 644
find /home/*/domains/*/public_html -type f -name '*.cgi*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pl*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pm*' -exec chmod 755 {} \;
cd /usr/local/directadmin/data/users && for i in *; do chown -R "$i:$i" /home/"$i"/domains/*/public_html; done
chown -R webapps:webapps /var/www/html/squirrelmail/data
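As an added example (not code from the original post), here is an audit to run before and after the conversion above. It lists everything under a public_html tree that is not owned by the account user and everything that is world-writable, i.e. the 777 and 666 permissions the post says are never needed with mod_ruid2. It only reports; the chmod and chown lines above do the fixing. The sample tree it builds in a temporary directory is constructed, and the owner it checks against is the current user, since ownership cannot be changed without root.

```shell
#!/bin/sh
# Added example, not code from the original post. Reports, for one
# public_html tree, the two leftovers of an apache-user setup that the
# conversion in the post removes: entries not owned by the account user
# and world-writable (777/666) entries. Report only; it changes nothing.

# Prints every file or directory under tree $1 not owned by user $2.
find_foreign_owned() {
    find "$1" ! -user "$2" -print
}

# Prints every file or directory under tree $1 that is writable by "other"
# (octal 002 matches both 666 files and 777 directories).
find_world_writable() {
    find "$1" -perm -002 -print
}

# Counts both kinds of findings for tree $1 and owner $2, prints a summary
# and returns the total, so a return of 0 means the tree is ready for mod_ruid2.
audit_public_html() {
    foreign=$(find_foreign_owned "$1" "$2" | wc -l | tr -d ' ')
    loose=$(find_world_writable "$1" | wc -l | tr -d ' ')
    echo "$1: $foreign not owned by $2, $loose world-writable"
    return $((foreign + loose))
}

# Constructed sample tree: a small WordPress-like layout in a temp directory,
# with the 777 uploads directory and 666 cache file a CMS typically asked for
# while PHP still ran as the apache user.
SAMPLE=$(mktemp -d)
OWNER=$(id -un)
mkdir -p "$SAMPLE/public_html/wp-content/uploads"
printf '<?php // constructed sample\n' > "$SAMPLE/public_html/index.php"
printf 'cache\n' > "$SAMPLE/public_html/wp-content/uploads/cache.txt"
chmod 755 "$SAMPLE/public_html" "$SAMPLE/public_html/wp-content"
chmod 644 "$SAMPLE/public_html/index.php"
chmod 777 "$SAMPLE/public_html/wp-content/uploads"
chmod 666 "$SAMPLE/public_html/wp-content/uploads/cache.txt"

if audit_public_html "$SAMPLE/public_html" "$OWNER"; then
    echo "tree is clean"
else
    echo "findings: $?"   # 2 for the constructed tree
fi
```

On a Directadmin box the same call would be audit_public_html /home/USER/domains/DOMAIN/public_html USER for each account; a non-zero count after the conversion usually points at files restored from a backup or written by a cron job that still runs as apache.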
“Create a file, e.g. ruid.php in a public_html, and insert the following:”
No code underneath that.
The Code:
<?php
mkdir('modruid2');
file_put_contents('modruid2/test.txt', 'Hello World');
?>
Thanks Geert, This code was indeed missing. I have added it to the article.
wget http://sourceforge.net/projects/mod-ruid/files/latest/download
should be something like:
wget -O mod_ruid2-0.9.8.tar.bz2 "http://downloads.sourceforge.net/project/mod-ruid/mod_ruid2/mod_ruid2-0.9.8.tar.bz2"
Hi Bjarne,
Thanks for the report. I have updated the article, also with the newer mod_ruid2 version.
Link expired and can't download it…
Hi Antonio,
Which link expired? The mod_ruid2 link still works for me.