[atomic] mod_ruid2 0.9.1-1

Atomic repository announcements, new release notifications and other news regarding the atomic yum repository.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

This is the initial import of mod_ruid2 to the atomic repo. Similar to the capabilities of ITK, but in DSO form. Potentially a lethal combo if we combine this with mod_hostinglimits, mod_security, and grsecurity. :P

Description:

With this module, all httpd processes run under the user's access rights, not nobody or apache.
mod_ruid2 is similar to mod_suid2, but has better performance than mod_suid2 because it
doesn't need to kill httpd children after one request. It makes use of kernel capabilities
and after receiving a new request suids again. If you want to run apache modules, i.e.
WebDAV, PHP, and so on under the user's rights, this module is useful.

To Install:

yum install mod_ruid2
BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by BruceLee »

Thanks Scott. Sounds interesting. Compared to mod_fcgid it's supposed to be faster and less memory consuming.
And finally I could get rid of the Plesk-dependent old fcgid versions.
Are there other benefits except DSO which is great?
What about PHP Opt Caches? How does it work with them?

I have found a useful addition for Plesk environments.
http://forum.parallels.com/showthread.php?t=106297

I bet ASL is not vulnerable to the security issue which is mentioned in the readme.

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by scott »

Great questions, the opcache one especially. Right now, I don't know since I haven't tested that yet.

My thoughts are to modify the code to use the same SuexecUserGroup setting from httpd.include to make this completely automatic. This would enable it globally across all domains without requiring any config changes. Of course this would also mean that you couldn't disable it per domain. I'd love to hear everyone's feedback on that idea.

If indeed the opcache does require special settings per vhost then the above idea probably wouldn't be as important.
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by biggles »

I'd love if it would be automatic for all domains.

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by BruceLee »

I'm not sure. What if some vhost needs to be run as cgi for some reason? I don't know if this case can happen at all? If not, great.
If so, then this would not be the best solution. More flexibility is always good.
Besides that there are the opcache questions.

On the other hand it's nice, easy and secure.
What about vhost custom php settings? Are all settings possible or are there also limitations like in fcgid?

I would really like to replace mod_fcgid, if mod_ruid2 handles opcaches in a good manner and I can set all php settings vhost based.

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by scott »

Doesn't look like changes are necessary, if you use just this setting in your config:
RMode stat

All code will be invoked as the directory/script owner. Directory ownership appears to take preference over script ownership. Note you can also force the setting with:
RMode config

followed by the UID and GID you want the script to run on. This can further be refined to specify the UID on a per directory or even per script basis.

On eaccelerator, yes it will work. I just had to make /var/cache/php-eaccelerator 0755. The files it creates are only readable/writable by the domain user:
887357 8 -rw------- 1 testguy psacln 4324 May 15 14:19 /var/cache/php-eaccelerator/0/0/eaccelerator-001cd07b4307e30ca437d6111c8a014b

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by BruceLee »

Thanks. But how do you tell the plesk vhosts to use mod_ruid2 and override e.g. the Plesk setting FastCGI/CGI or Apache?
via vhost.conf? And how do I set all php settings in that case? With Fcgid I can't set "php_value memory_limit 64M" in vhost.conf. It just gets ignored like some other settings too.
That's why I used a wrapper file and vhost based php.ini files.
Would there be such limitation as well?

"RMode stat" is the default configuration so you don't need to catch SuexecUserGroup?

Great that it runs with eaccelerator.
And thanks for this new tool that seems to be the best replacement for mod_fcgid.
ASL is not vulnerable to the security issue which is mentioned in the readme, right?

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by scott »

You don't need to tell plesk anything in order to use it, all you need to do is install it and play around with the RMode settings. If you set RMode config in ruid2.conf then it's going to be global. I set it in a specific vhost.conf on my tests, the next test will be with its chroot capabilities.

For per-vhost settings of php the same vhost.conf rules apply that always have. php_admin_value, open_basedir, etc.

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by BruceLee »

Hi Scott,

it seems I'm too stupid to get mod_ruid2 running. I have installed mod_ruid2.
It installed fine and apache logs show that it's enabled.

1. /etc/httpd/conf.d/ruid2.conf is empty like you said

2. DomainX.tld is set to "run as apache module" under Plesk (even if it's not necessary)

3. Created vhost.conf for DomainX.tld and ran
/usr/local/psa/admin/sbin/websrvmng --reconfigure-vhost --vhost-name=DomainX.tld
It gets included fine in httpd.conf

4. Now I have set this into the vhost.conf

<Directory /var/www/vhosts/DomainX.tld/httpdocs>
	RMode config
	RUidGid domainuser psacln
	RGroups apache psaserv
</Directory>
But I don't see any httpd processes running with that user, or shouldn't there be any?
I get permission errors like this one: ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20101219/20101219-0944 (Permission denied) [hostname "www.DomainX.tld"] [uri "/error_docs/forbidden.html"] [unique_id "ap7u2tTj-O4AACwni50AAAAE"]. The files are not created.
And of course the site does not load (Joomla-1.5).

What do I have to do?
Thanks a lot

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by scott »

It won't run as the user in an identifiable process, but it will invoke as that user. The latter message proves it, since that UID can't write to the audit directory.

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by BruceLee »

Thanks. Yes it proves that it's running in some sort of a way.
Still I can't get it going. I spent the whole day to understand it, but nothing works correctly.
mod_ruid2 looks so promising...it seems simple...but I can verify the correct running and it's not doing the job it should.

I would really appreciate if you could post the exact config you set in ruid2.conf and vhost.conf for a domain that is running Joomla under Plesk 9.5.
In my vhosts httpdocs all directories are set to domainuser:psacln 0755, all files are set to domainuser:psacln 0644.
BUT...nothing is writeable for Joomla. Only if I set everything to 0777.

Did you get it running with Joomla with writeable files and dirs under Plesk? If so, I would really appreciate the correct settings.

Thanks a lot.
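To make the two permission symptoms in this thread concrete (the ModSecurity audit directory that scott says proves the user switch, and the Joomla files at domainuser:psacln 0644/0755 that are writable only at 0777), here is an added Python model of the Unix write check under the credentials mod_ruid2 switches to. It is not code from the thread or from mod_ruid2; the uid/gid numbers and the audit directory's ownership (assumed apache:apache 0750) are constructed.

```python
import stat
from dataclasses import dataclass

# Constructed stand-ins for /etc/passwd and /etc/group: the names are from the
# thread (apache, domainuser, psacln, psaserv), the numeric ids are invented.
UIDS = {"root": 0, "apache": 48, "domainuser": 10001}
GIDS = {"root": 0, "apache": 48, "psaserv": 10000, "psacln": 10002}

@dataclass(frozen=True)
class Proc:
    """Credentials a request handler runs with: euid, egid, supplementary gids."""
    euid: int
    egid: int
    groups: frozenset

@dataclass(frozen=True)
class Entry:
    """Owner uid, group gid and mode bits of a file or directory (as in ls -l)."""
    uid: int
    gid: int
    mode: int

def ruid2_identity(ruidgid, rgroups=""):
    """Credentials mod_ruid2 switches to for 'RUidGid user group' and 'RGroups g1 g2'."""
    user, group = ruidgid.split()
    return Proc(UIDS[user], GIDS[group], frozenset(GIDS[g] for g in rgroups.split()))

def can_write(proc, entry):
    """Owner/group/other write check (the directory search bit is not modelled)."""
    if proc.euid == 0:
        return True
    if proc.euid == entry.uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid == proc.egid or entry.gid in proc.groups:
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)

# Plain httpd without mod_ruid2 handles every request as apache:apache.
APACHE = Proc(UIDS["apache"], GIDS["apache"], frozenset())
# The vhost.conf from the thread: RUidGid domainuser psacln / RGroups apache psaserv.
VHOST = ruid2_identity("domainuser psacln", "apache psaserv")
# Joomla file as BruceLee describes it (domainuser:psacln 0644) and the ModSecurity
# audit directory from the error message (ownership assumed: apache:apache 0750).
JOOMLA_FILE = Entry(UIDS["domainuser"], GIDS["psacln"], 0o644)
AUDIT_DIR = Entry(UIDS["apache"], GIDS["apache"], 0o750)

def verdicts():
    """Who can write what: the audit 'Permission denied' only appears under VHOST."""
    return {"joomla_as_apache": can_write(APACHE, JOOMLA_FILE),
            "joomla_as_vhost": can_write(VHOST, JOOMLA_FILE),
            "audit_as_apache": can_write(APACHE, AUDIT_DIR),
            "audit_as_vhost": can_write(VHOST, AUDIT_DIR)}
```

The model shows the diagnostic the thread circles around: a domainuser-owned file at 0644 is writable as soon as the request really runs as domainuser, so if only 0777 makes it writable, that directory's requests are still being served as apache.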

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by scott »

No I never tried joomla. Just a simple php app that touched a file to check the ownership.

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by BruceLee »

Hi Scott,

I got one step further. I don't know exactly why this happens but I bet you do. Here is the story ;)

I installed mod_ruid2 via yum from atomic repo. mod_ruid2 did not work as expected. Files and directories were not writable by Joomla e.g.

I installed mod_ruid2 source from atomic and wanted to compile again on my testserver.
And there the fun began :)
I had to "patch" the file /usr/include/sys/capability.h
with this patch http://kyle.fedorapeople.org/libcap-san ... space.diff
found at: https://bugzilla.redhat.com/show_bug.cgi?id=483548
After that I could compile from atomic source, but mod_ruid2 still did not work correctly with the same error.

So I did a manual installation by getting the source from sourceforge. This also only worked with the patched capability.h file.
Untar it and then ran:

apxs -a -i -l cap -c mod_ruid2.c
After that I added this in httpd.conf

<IfModule mod_ruid2.c>
  RMode config
  RUidGid apache apache
  RGroups apache psaserv
  RMinUidGid apache apache
</IfModule> 
and added this in vhost.conf

<IfModule mod_ruid2.c>
    RMode config
    RUidGid domain-ftp-user psacln
    RGroups psacln
</IfModule>	
And now it's working. Only the manual installation leads to a phpinfo with loaded module mod_ruid2.
So maybe the difference is whether the module is loaded?
And I'm not sure what the patch is causing/breaking besides that it's working now (that's going too deep for me :) explanation welcome - like to learn).
On my test I use ASL latest kernel, kernel-firmware and kernel-headers.
Maybe you can spread some light why it's only working that way. Best would be to get the changes into a new rpm.
Thanks a lot.

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by scott »

This might just be a 64-bit issue in that case. I'm loath to maintain an update to libcap for this (although it doesn't look like it changes often), but if that's what it takes that's what it takes.

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by BruceLee »

Can the capability.h be changed back after compiling or does it have to stay "patched" for correct working?
Of course for correct working of other things as well?

Thanks