[atomic] mod_ruid2 0.9.1-1

Atomic repository announcements, new release notifications and other news regarding the atomic yum repository.
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: [atomic] mod_ruid2 0.9.1-1

Thank you for your patience with me, I do appreciate it.

I modified the config to be this:
LoadModule ruid2_module modules/mod_ruid2.so
<IfModule mod_ruid2.c>
RMode stat
User apache
Group psaserv
</IfModule>
which doesn't by itself throw any errors, but in attempting to run a PHP script through each of the 3 methods available to the users in Plesk I get very different results. With this, I'm not sure that it's actually working as intended - can you give me any guidance?

With the domain set:
- to cgi it did run as the user through /usr/bin/php-cgi
10001 28897 54.0 0.7 229696 13756 ? R 14:26 0:00 /usr/bin/php-cgi
- to apache module it ran the script but I saw no reference to a php process

- to fcgi it was not able to run the script although I did see some loose references to php created
root 26909 0.1 0.4 158120 8464 ? SNs 14:23 0:00 /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm
psaadm 26916 7.2 3.4 236280 61340 ? SN 14:23 0:01 /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm
psaadm 26917 0.3 1.5 220628 28544 ? SN 14:23 0:00 /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm
psaadm 26918 0.1 0.7 215144 13204 ? SN 14:23 0:00 /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm

[Wed Apr 06 14:24:18 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock, pid: 27223
[Wed Apr 06 14:24:18 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock, pid: 27224
[Wed Apr 06 14:24:18 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock, pid: 27225
[Wed Apr 06 14:24:45 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock, pid: 27226
paulie
Forum User
Posts: 76
Joined: Tue Apr 20, 2010 2:49 am

Re: [atomic] mod_ruid2 0.9.1-1

Hi HostingGuy (if that's your real name...),

I have not used mod_ruid2 at all (I played with mpm-itk for all of about 10 minutes though) so I'm probably not qualified to make comment here, but I will as I've followed this thread with interest (it's on my todo list, we still have a lot of Plesk 8.6 servers and I don't like fastcgi).

With your testing, mod_ruid2 is (IMO) only useful in a mod_php environment (Apache module). To test whether it's working with Apache module call a php script that creates a file and see who owns that file... it should be the owner of the script (so don't create the script as apache:apache!). I'm pretty certain you will not be

FastCGI may be having problems because it's being called by a user instead of being called by Apache, this probably goes back to the limitations of using the "stat" mode rather than the "config" mode. For domains using fastcgi you would use config mode to set the user to apache:apache, for mod_php you'd use the ftp user:psacln and for cgi it doesn't seem to matter.
paulie
Forum User
Posts: 76
Joined: Tue Apr 20, 2010 2:49 am

Re: [atomic] mod_ruid2 0.9.1-1

Sorry,

I meant to also add that there's some guy on the Parallels forums that is trying to sell a module that will write your vhosts for you for mod_ruid, mpm-itk and I think mod_suid.

However, I don't think it's the hardest task in the world to do manually,

Paul.
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: [atomic] mod_ruid2 0.9.1-1

Thanks for your comments - just FYI that's not my real name :)

I did test in apache mode and the file was created as the user.
So at this point it's just the FCGI that isn't really working.

I checked out that guy's site who is selling that addon, and it says in his help files:
• Fastcgi module is not compatible with mod_ruid2. Therefore for each virtual host a setting should be chosen: PHP support (run as "Apache module")
So it would appear that would be the reason it's not working, although I don't know why it doesn't work with fcgi.

So naturally my mind wanders to the following questions:
Is it possible to remove FCGI as an option on the server?
If it is, and you do so, would any sites using FCGI for their php fall back to a different option - and if so what?

Would it be as simple as just removing the following packages?
psa-fcgi
psa-mod-fcgid-configurator
psa-mod-fcgid
ruby-fcgi
psa-rubyrails-configurator (removing as dependency)
paulie
Forum User
Posts: 76
Joined: Tue Apr 20, 2010 2:49 am

Re: [atomic] mod_ruid2 0.9.1-1

Hi,

Plesk 10 allows you to choose the available php handlers for Service Plans, for Plesk 9 (you might want to test this) I think you can remove some or all of those packages to achieve removing fastcgi PHP (because when I've screwed up Plesk 8.6 -> 9 upgrades I've ended up with fastcgi missing).

You can also manually update all domains to not use fastcgi with something like this (very pseudo code)

for domain in `mysql -N -u admin -pPASS -e "use psa; select d.name FROM domains d,hosting h WHERE h.dom_id = d.id AND h.php_handler = 'fastcgi'"`; do /usr/local/psa/bin/domain -u $domain --set-php-handler apache; done
(The sql is probably ok but the command to switch php handler probably isn't)

--

However, it's working for me, default install of mod_ruid2 from Art onto a Plesk 9.5 container, with the domain set to PHP Fast CGI, running a phpinfo page works and when I call "whoami" with an exec command in the same page it's showing me that I'm running as the ftp user. I've checked apachectl -t -D DUMP MODULES and ruid2 is there and mentioned.

So I think you only need the vhost.conf for apache module users to trigger for them.

Paul.
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: [atomic] mod_ruid2 0.9.1-1

paulie wrote: However, it's working for me, default install of mod_ruid2 from Art onto a Plesk 9.5 container, with the domain set to PHP Fast CGI, running a phpinfo page works and when I call "whoami" with an exec command in the same page it's showing me that I'm running as the ftp user. I've checked apachectl -t -D DUMP MODULES and ruid2 is there and mentioned.

So I think you only need the vhost.conf for apache module users to trigger for them.
Running PHP scripts as the domain user is actually a feature of using FastCGI instead of mod_php. The code is not using mod_ruid2 when you're using PHP via FastCGI.
Lemonbit Internet Dedicated Server Management
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: [atomic] mod_ruid2 0.9.1-1

paulie wrote: Hi,
You can also manually update all domains to not use fastcgi with something like this (very pseudo code)

for domain in `mysql -N -u admin -pPASS -e "use psa; select d.name FROM domains d,hosting h WHERE h.dom_id = d.id AND h.php_handler = 'fastcgi'"`; do /usr/local/psa/bin/domain -u $domain --set-php-handler apache; done
(The sql is probably ok but the command to switch php handler probably isn't)
Paul,

Thanks for your reply - I tweaked your code a bit and this will work (I'm on 9.x)
This will update all domains that are using FCGI for their php handler to use apache module instead

Code:

# Collect every domain whose PHP handler is FastCGI (Plesk 9.x psa database)
DOMAINS=$(mysql -uadmin -p"$(cat /etc/psa/.psa.shadow)" -Ns -Dpsa -e "select d.name FROM domains d inner join hosting h on h.dom_id = d.id WHERE h.php_handler_type = 'fastcgi';")
# Switch each of those domains to the Apache module handler
for DOMAIN in $DOMAINS; do
	/usr/local/psa/bin/domain -u "$DOMAIN" -www true -php_handler_type module -fastcgi false
done
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: [atomic] mod_ruid2 0.9.1-1

hostingguy wrote: This will update all domains that are using FCGI for their php handler to use apache module instead
I'd just like to warn people that you might break websites in the process as PHP code will run as another user and possibly using different configuration.
paulie
Forum User
Posts: 76
Joined: Tue Apr 20, 2010 2:49 am

Re: [atomic] mod_ruid2 0.9.1-1

breun wrote:
paulie wrote: However, it's working for me, default install of mod_ruid2 from Art onto a Plesk 9.5 container, with the domain set to PHP Fast CGI, running a phpinfo page works and when I call "whoami" with an exec command in the same page it's showing me that I'm running as the ftp user. I've checked apachectl -t -D DUMP MODULES and ruid2 is there and mentioned.

So I think you only need the vhost.conf for apache module users to trigger for them.
Running PHP scripts as the domain user is actually a feature of using FastCGI instead of mod_php. The code is not using mod_ruid2 when you're using PHP via FastCGI.
Hi

From my quotation above it's a little unclear what I'm talking about. I was pointing out that you could use mod_ruid2 on Plesk 9 and 10 and still offer PHP via FastCGI if someone required it: so long as you don't use the "stat" mode for mod_ruid2, and you don't put a "config" based vhost.conf onto a domain, then the Apache process will run as apache:apache and a fastcgi process can be spawned (but if you create a vhost.conf that sets the apache process to be the ftp user, then PHP via fastcgi will fail).

Hostingguy: Glad it helps.
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: [atomic] mod_ruid2 0.9.1-1

So it seems like every server I install this onto the php FCGI stops working

Code:

[Wed Apr 13 09:17:22 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock, pid: 4108
[Wed Apr 13 09:17:23 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock, pid: 4115
[Wed Apr 13 09:17:31 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock, pid: 4114
[Wed Apr 13 09:17:31 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock, pid: 4105
[Wed Apr 13 09:17:31 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock, pid: 4131
[Wed Apr 13 09:17:31 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock, pid: 4125
[Wed Apr 13 09:17:33 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock, pid: 4122
[Wed Apr 13 09:17:33 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock, pid: 4127
[Wed Apr 13 09:17:33 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock, pid: 4129
[Wed Apr 13 09:17:34 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock, pid: 4132

From the previous comments in this thread it seems like the ruid2 mod shouldn't have any effect on this....

Also I have found that with mod_jk, it breaks that as well and causes segfaults

mod_ruid2 is enabled with these settings

Code:

LoadModule ruid2_module modules/mod_ruid2.so
<IfModule mod_ruid2.c>
    RMode stat
    RUidGid apache apache
    RGroups apache psaserv psacln
    RMinUidGid apache apache
</IfModule>
/var/log/httpd/error_log has these lines indicating the overall problem and that a seg fault occurred

Code:

[Wed Apr 13 10:24:34 2011] [error] (13)Permission denied: apr_global_mutex_lock(jk_log_lock) failed
[Wed Apr 13 10:24:35 2011] [notice] child pid 608 exit signal Segmentation fault (11), possible coredump in /tmp

[Wed Apr 13 10:25:13 2011] [error] (13)Permission denied: apr_global_mutex_lock(jk_log_lock) failed
[Wed Apr 13 10:25:14 2011] [notice] child pid 6913 exit signal Segmentation fault (11), possible coredump in /tmp

[Wed Apr 13 10:25:26 2011] [error] (13)Permission denied: apr_global_mutex_lock(jk_log_lock) failed
[Wed Apr 13 10:25:27 2011] [notice] child pid 603 exit signal Segmentation fault (11), possible coredump in /tmp

Seg faults show not a lot of useful info in the back trace

Code:

-rw-------  1 user     psaserv 211914752 Apr 13 10:20 core.24951
-rw-------  1 user     psacln  211914752 Apr 13 10:20 core.24953
-rw-------  1 user     psacln  211914752 Apr 13 10:20 core.24955
-rw-------  1 user     psacln  211914752 Apr 13 10:20 core.24956
-rw-------  1 user     psaserv 211914752 Apr 13 10:21 core.24958
-rw-------  1 user     psaserv 211914752 Apr 13 10:21 core.28989
-rw-------  1 user     psaserv 245530624 Apr 13 10:20 core.8793


(gdb) bt
#0  0x00002b9edd9e1a10 in ap_log_rerror ()
#1  0x00002b9ee5ff9200 in jk_tcp_socket_recvfull () from /usr/lib64/httpd/modules/mod_jk.so
#2  0x00002b9ee6000d3f in jk_log () from /usr/lib64/httpd/modules/mod_jk.so
#3  0x00002b9ee60075f9 in map_uri_to_worker () from /usr/lib64/httpd/modules/mod_jk.so
#4  0x00002b9ee5ff8734 in jk_tcp_socket_recvfull () from /usr/lib64/httpd/modules/mod_jk.so
#5  0x00002b9edd9d7c22 in ap_run_map_to_storage ()
#6  0x00002b9edd9d8d8c in ap_process_request_internal ()
#7  0x00002b9edd9d9110 in ap_sub_req_lookup_file ()
#8  0x00002b9ee31792c2 in ap_log_rerror () from /etc/httpd/modules/mod_include.so
#9  0x00002b9ee31755e8 in ap_log_rerror () from /etc/httpd/modules/mod_include.so
#10 0x00002b9edd9d55dd in ?? ()
#11 0x00002b9edd9dca0a in ap_run_handler ()
#12 0x00002b9edd9dfe98 in ap_invoke_handler ()
#13 0x00002b9edd9ea958 in ap_process_request ()
#14 0x00002b9edd9e7b90 in ?? ()
#15 0x00002b9edd9e3cb2 in ap_run_process_connection ()
#16 0x00002b9edd9ee809 in ?? ()
#17 0x00002b9edd9eea9a in ?? ()
#18 0x00002b9edd9ef2fd in ap_mpm_run ()
#19 0x00002b9edd9c9e48 in main ()
If I disable ruid2 then everything works again.
ikkk
Forum User
Posts: 47
Joined: Wed Jan 05, 2011 3:09 pm

Re: [atomic] mod_ruid2 0.9.1-1

I would not use the "stat" mode to be perfectly honest.

You just want to use this where you would have used mod_fcgid. All we do is modify a single file

# cat /etc/httpd/conf.d/ruid2.conf
LoadModule ruid2_module modules/mod_ruid2.so

<IfModule mod_ruid2.c>
RMode config
RDefaultUidGid apache apache
RUidGid apache apache
RGroups apache psaserv psacln
</IfModule>

<Directory /var/www/vhosts/abc.com/httpdocs>
RMode config
RUidGid abc psacln
</Directory>

<Directory /var/www/vhosts/xyz.com/httpdocs>
RMode config
RUidGid xyz psacln
</Directory>
...
...
Repeat for httpsdocs / subdomains as necessary, then it's all in one single place, and you are only activating it where you need to; this way you are not messing with the permissions that things like mod_fcgi/mod_jk assume are in place.


Also if you get issues with mod_security and logging we have found this works:

echo "umask 0" >> /etc/sysconfig/httpd
echo "SecAuditLogDirMode 0777" > /etc/httpd/conf.d/01_mod_security_changes.conf

Then restart apache, as it will create the directories so that any user can write to it, it sorts out issues there.
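
The per-domain blocks in the post above can be generated rather than typed by hand. This is an added example, not code from the thread or from mod_ruid2; the function names, the "domain ftpuser" input format, the name validation and the refusal of root are assumptions made here.

```shell
#!/bin/sh
# Added example: emit mod_ruid2 "config"-mode <Directory> blocks.
# Input on stdin: one "domain ftpuser" pair per line; blank and '#' lines skipped.
# VHOSTS_ROOT and the psacln group follow the layout shown in the post above.

VHOSTS_ROOT=${VHOSTS_ROOT:-/var/www/vhosts}

# Accept only hostname characters, so a crafted name cannot smuggle extra
# directives or a path traversal into the generated config.
valid_domain() {
    case $1 in
        ''|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Accept only plain account names and never map a docroot to root.
valid_user() {
    case $1 in
        ''|root|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Prints the blocks on stdout; returns 1 if any input line was rejected.
gen_ruid2_blocks() {
    rc=0
    while read -r domain user extra; do
        case $domain in ''|'#'*) continue ;; esac
        if [ -n "$extra" ] || ! valid_domain "$domain" || ! valid_user "$user"; then
            printf 'skipped: %s\n' "$domain" >&2
            rc=1
            continue
        fi
        for docroot in httpdocs httpsdocs; do
            printf '<Directory %s/%s/%s>\n' "$VHOSTS_ROOT" "$domain" "$docroot"
            printf '    RMode config\n    RUidGid %s psacln\n' "$user"
            printf '</Directory>\n'
        done
    done
    return $rc
}

# Constructed sample input (the two domains used in the post above).
gen_ruid2_blocks <<'EOF'
# domain  ftpuser
abc.com abc
xyz.com xyz
EOF
```

Write the output to a separate file under /etc/httpd/conf.d/ and run `apachectl -t` before reloading, so a rejected line never leaves a half-written config in place.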
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: [atomic] mod_ruid2 0.9.1-1

Hi,

Thanks for your reply - the reason we are using stat to test this out is that we want to automatically have this happen for people when they create or modify a domain's PHP settings, create or modify virtual hosting for a domain or subdomain, etc.

It can become kind of a pain to manage and automatically maintain a bunch of config files for each domain and subdomain.

It was my hope that this ruid2 would only really apply when someone was using php as an apache module - and exclude anything else. Unfortunately it doesn't really appear to do that, which is more of a problem with my expectations and hopes than your product.

However with that said, if I run those commands you mentioned

Code:

echo "umask 0" >> /etc/sysconfig/httpd
echo "SecAuditLogDirMode 0777" > /etc/httpd/conf.d/01_mod_security_changes.conf
it does seem to fix the issue with mod_jk and php as fcgi as it no longer throws a seg fault and is able to load the pages again, although it may be too early to conclude that it's a solid 100% fix, but so far so good.
paulie
Forum User
Posts: 76
Joined: Tue Apr 20, 2010 2:49 am

Re: [atomic] mod_ruid2 0.9.1-1

Hi ikkk,

How have you found mod_ruid2's performance to be? It sounds like you're using it instead of php fastcgi? Is there a noticeable capacity difference for the server?

Paul.
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: [atomic] mod_ruid2 0.9.1-1

So I guess I take some of that back - even with those changes I still see some mod_sec errors

Code:

[Wed Apr 13 12:14:53 2011] [error] [client 95.108.150.235] ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20110413/20110413-1214 (Permission denied) [hostname "domain.com"] [uri "/error/noindex.html"] [unique_id "n5Z2PAoHRiwAAGNubPUAAAAD"]
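
`SecAuditLogDirMode 0777` creates audit directories that any local account can write to, so after applying the workaround quoted in this thread it is worth listing what is exposed under the audit path from the error above. This check is an added example, not part of the original thread; the function name and the demo tree are constructed for illustration, and the file checks go beyond the directory mode the thread discusses.

```shell
#!/bin/sh
# Added example (not from the thread): report world-writable directories and
# world-accessible files under a ModSecurity audit tree.
# The default ROOT is the path that appears in the error quoted above.

# exposed_audit_paths [ROOT] prints one finding per line:
#   dir-world-writable <path>    any local account can add or rename entries
#   file-world-readable <path>   logged request data is readable by everyone
#   file-world-writable <path>   audit records can be altered by anyone
# Returns 2 if ROOT is not a directory, otherwise 0.
exposed_audit_paths() {
    root=${1:-/var/asl/data/audit}
    if [ ! -d "$root" ]; then
        printf 'not a directory: %s\n' "$root" >&2
        return 2
    fi
    find "$root" -type d -perm -0002 -print | sed 's/^/dir-world-writable /'
    find "$root" -type f -perm -0004 -print | sed 's/^/file-world-readable /'
    find "$root" -type f -perm -0002 -print | sed 's/^/file-world-writable /'
    return 0
}

# Constructed demo tree: one day directory created the way the workaround
# does (0777, file 0666) and one created with restrictive modes.
demo=$(mktemp -d) || exit 1
mkdir "$demo/20110413" "$demo/20110414"
chmod 0777 "$demo/20110413"
chmod 0750 "$demo/20110414"
: > "$demo/20110413/record"; chmod 0666 "$demo/20110413/record"
: > "$demo/20110414/record"; chmod 0640 "$demo/20110414/record"
exposed_audit_paths "$demo"
rm -rf "$demo"
```

An empty result for the real audit path means no directory or file there is open to other local accounts.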
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: [atomic] mod_ruid2 0.9.1-1

So I guess mod_ruid is changing the ID that far up in the stack? What order are you loading modules in? Does modsec come before mod_ruid2?

If so, then this may be something mod_ruid2 "undoes". Perhaps a tweak to its code is in order?