[atomic] mod_ruid2 0.9.1-1

biggles
Forum Regular

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by biggles »

Looks that way. Thanks a lot for the tip!
scott
Atomicorp Staff - Site Admin

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by scott »

Good investigation work, I wonder if zend had anything to do with some of the other random segfaults people have reported here. At any rate, it's a dead project anyway.
remsad
New Forum User

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by remsad »

I'm running mod_ruid2-0.9.3-1.el5.art and mod_security-2.5.13-1.el5.art

I have a problem with session files for delete.

When I upload a file within the website with Mod_security and Mod_ruid2, the website can't delete the temp file

Error log:

[Sun Feb 20 11:59:33 2011] [error] [client IP] ModSecurity: Input filter: Failed to delete temporary file: /tmp/20110220-115821-p5CVjH8AAAEAAEdeCbIAAAAB-request_body-bzTzVB [hostname "www.COMAIN"] [uri "/bt/admin/index.php"] [unique_id "p5CVjH8AAAEAAEdeCbIAAAAB"]


If I disable Mod_security, I don't have this error anymore.

My /tmp folder is growing very fast because PHP can't delete the tmp file.

How can I fix that?


more /etc/httpd/conf.d/ruid2.conf

LoadModule ruid2_module modules/mod_ruid2.so
<IfModule mod_ruid2.c>
RMode config
RUidGid apache apache
RGroups apache psaserv
#RGroups apache psaserv psasb
RMinUidGid apache apache
</IfModule>


more conf/vhost.conf
Include /var/www/vhosts/DOMAIN.COM/conf/asuser.conf

more conf/asuser.conf
<IfModule itk.c>
AssignUserId ladecoupe psacln
</IfModule>
<IfModule mod_ruid2.c>
RMode config
RUidGid ladecoupe psacln
RGroups psacln
</IfModule>


ls -al /tmp/20110220-115821-p5CVjH8AAAEAAEdeCbIAAAAB-request_body-bzTzVB
-rw-r----- 1 ladecoupe psacln 3686026 Feb 20 11:59 /tmp/20110220-115821-p5CVjH8AAAEAAEdeCbIAAAAB-request_body-bzTzVB




It seems that ModSecurity doesn't run as mod_ruid2
mind04
New Forum User

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by mind04 »

Thank you for the detailed report.

Please try http://mod-ruid.svn.sourceforge.net/vie ... evision=22

If this revision solves your problems it is time for version 0.9.4 :wink:
remsad
New Forum User

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by remsad »

I've tried 0.9.4 and the main function of mod_ruid2 doesn't work anymore.

************************
Tests results with 0.9.3
************************
[Tue Feb 22 00:00:09 2011] [notice] mod_ruid2/0.9.3 enabled
[Tue Feb 22 00:00:09 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations



*** more /etc/httpd/conf.d/ruid2.conf

LoadModule ruid2_module modules/mod_ruid2.so

<IfModule mod_ruid2.c>
RMode config
RUidGid apache apache
RGroups apache psaserv
#RGroups apache psaserv psasb
RMinUidGid apache apache
</IfModule>



*** more /var/www/vhosts/ladecoupe/conf/vhost.conf

Include /var/www/vhosts/ladecoupe/conf/asuser.conf



*** more /var/www/vhosts/ladecoupe/conf/asuser.conf

<IfModule itk.c>
AssignUserId ladecoupe psacln
</IfModule>
<IfModule mod_ruid2.c>
<Location ~ ^(?!/plesk-stat/)>
RMode config
RUidGid ladecoupe psacln
RGroups psacln
</Location>
</IfModule>


*** ls -al /var/www/vhosts/ladecoupe.ca/httpdocs/bt/system/cache

drwxrwxrwx 2 ladecoupe psacln 12288 Feb 21 17:27 .
drwxr-xr-x 9 ladecoupe psacln 4096 Dec 19 13:44 ..
-rw-r--r-- 1 ladecoupe psacln 1201 Feb 21 17:27 cache.category.0.2.0.1298330855
-rw-r--r-- 1 ladecoupe psacln 6 Feb 21 17:27 cache.category.39.2.0.1298330855
-rw-r--r-- 1 ladecoupe psacln 6 Feb 21 17:27 cache.category.40.2.0.1298330855
-rw-r--r-- 1 ladecoupe psacln 6 Feb 21 17:27 cache.category.41.2.0.1298330855
-rw-r--r-- 1 ladecoupe psacln 6 Feb 21 17:27 cache.category.43.2.0.1298330855
-rw-r--r-- 1 ladecoupe psacln 6 Feb 21 17:27 cache.category.44.2.0.1298330855
-rw-r--r-- 1 ladecoupe psacln 6 Feb 21 17:27 cache.category.45.2.0.1298330855
-rw-r--r-- 1 ladecoupe psacln 6 Feb 21 17:27 cache.category.47.2.0.1298330855
-rw-r--r-- 1 ladecoupe psacln 6 Feb 21 17:27 cache.category.48.2.0.1298330855
-rw-r--r-- 1 ladecoupe psacln 6 Feb 21 17:27 cache.category.49.2.0.1298330855




************************
Tests results with 0.9.4
************************
[Tue Feb 22 08:47:17 2011] [notice] mod_ruid2/0.9.4 enabled
[Tue Feb 22 08:47:17 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations


*** more /etc/httpd/conf.d/ruid2.conf

LoadModule ruid2_module modules/mod_ruid2.so

<IfModule mod_ruid2.c>
RMode config
RUidGid apache apache
RGroups apache psaserv
#RGroups apache psaserv psasb
RMinUidGid apache apache
</IfModule>



*** more /var/www/vhosts/ladecoupe/conf/vhost.conf

Include /var/www/vhosts/ladecoupe/conf/asuser.conf



*** more /var/www/vhosts/ladecoupe/conf/asuser.conf

<IfModule itk.c>
AssignUserId ladecoupe psacln
</IfModule>
<IfModule mod_ruid2.c>
<Location ~ ^(?!/plesk-stat/)>
RMode config
RUidGid ladecoupe psacln
RGroups psacln
</Location>
</IfModule>


*** ls -al /var/www/vhosts/ladecoupe.ca/httpdocs/bt/system/cache
total 244
drwxrwxrwx 2 ladecoupe psacln 12288 Feb 22 08:48 .
drwxr-xr-x 9 ladecoupe psacln 4096 Dec 19 13:44 ..
-rw-r--r-- 1 apache apache 1201 Feb 22 08:48 cache.category.0.2.0.1298386092
-rw-r--r-- 1 apache apache 6 Feb 22 08:48 cache.category.39.2.0.1298386092
-rw-r--r-- 1 apache apache 6 Feb 22 08:48 cache.category.40.2.0.1298386092
-rw-r--r-- 1 apache apache 6 Feb 22 08:48 cache.category.41.2.0.1298386092
-rw-r--r-- 1 apache apache 6 Feb 22 08:48 cache.category.43.2.0.1298386092
-rw-r--r-- 1 apache apache 6 Feb 22 08:48 cache.category.44.2.0.1298386092
-rw-r--r-- 1 apache apache 6 Feb 22 08:48 cache.category.45.2.0.1298386092
-rw-r--r-- 1 apache apache 6 Feb 22 08:48 cache.category.47.2.0.1298386092
-rw-r--r-- 1 apache apache 6 Feb 22 08:48 cache.category.48.2.0.1298386092
-rw-r--r-- 1 apache apache 6 Feb 22 08:48 cache.category.49.2.0.1298386092

mind04 wrote: Thank you for the detailed report.

Please try http://mod-ruid.svn.sourceforge.net/vie ... evision=22

If this revision solves your problems it is time for version 0.9.4 :wink:
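
The ownership change visible in the two listings above (cache files written as apache apache under 0.9.4 instead of ladecoupe psacln) can be checked for across a whole document root after a module upgrade. This is an added example, not part of the original posts or of mod_ruid2; it assumes GNU find and stat, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report entries under a vhost
# directory that are not owned by the directory's own owner. A non-empty
# result after an upgrade means requests ran under the wrong identity,
# as in the 0.9.4 listing where files appeared as apache:apache.
# Assumes GNU find (-printf) and GNU stat (-c).

# ownership_drift DIR [EXPECTED_UID]
# Prints "owner:group<TAB>path" for every entry below DIR whose numeric
# owner is not EXPECTED_UID (default: the numeric owner of DIR itself).
ownership_drift() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    expected=${2:-$(stat -c '%u' "$dir")} || return 2
    # -xdev stays on one filesystem; -mindepth 1 skips DIR itself.
    find "$dir" -xdev -mindepth 1 ! -uid "$expected" \
        -printf '%u:%g\t%p\n' | sort
}

# drift_count DIR [EXPECTED_UID]
# Number of foreign-owned entries; 0 means ownership is consistent.
drift_count() {
    ownership_drift "$@" | wc -l | tr -d ' '
}

# Stand-alone use: sh drift.sh DIR [EXPECTED_UID]
if [ "$#" -gt 0 ]; then
    ownership_drift "$@"
fi
```
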
mind04
New Forum User

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by mind04 »

It looks like the <Location> lines are the source of your new problem... Is it working without them?
remsad
New Forum User

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by remsad »

mind04 wrote: It looks like the <Location> lines are the source of your new problem... Is it working without them?
No, it's an exception for another problem I resolved two days ago with Helix Development. Plesk-Stats doesn't run well with mod_ruid2 because of default Plesk permission.

For my tests with 0.9.4, I didn't change any configuration for mod_ruid2, only the update of mod_ruid2
mind04
New Forum User

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by mind04 »

In that case there are two options:

1. your build of mod_ruid2 is broken (new revision http://mod-ruid.svn.sourceforge.net/vie ... evision=24)
2. you did change some file permissions. With the config as mentioned above all files must be readable by apache and the virtual host user...

Check your permissions, or better change your config....


<IfModule mod_ruid2.c>
  RMode config
  RUidGid vhost_u vhost_g
  RGroups g1 g2 g3
  <Location /plesk-stat>
     RUidGid apache apache
  </Location>
</IfModule>
lvalics
Forum User

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by lvalics »

Is there a way to use your own php.ini with mod_ruid?
Best regards,
Valics Lehel

hostingguy
Forum Regular

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by hostingguy »

I must not understand this fully:
I installed the package from atomic repo through yum.

It installed the default conf file /etc/httpd/conf.d/ruid2.conf with the following contents
LoadModule ruid2_module modules/mod_ruid2.so

<IfModule mod_ruid2.c>
RMode config
RDefaultUidGid apache apache
RUidGid apache apache
RGroups apache
</IfModule>
I see some others using different values, and though I read a post somewhere that using apache apache is no good - but that aside - how does this set users to use their own ftp account to run the site?

Did this also install some kind of utility or override that detects and or sets this value per vhost?
I apologize for being a little slow here, but any assistance would be appreciated.
BruceLee
Forum Regular

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by BruceLee »

it runs with the credentials you provide if you configure it in "RMode config"
or with the credentials that are set on the directories itself in "RMode stat".

I prefer config mode and I would set it like that.

httpd.conf


<IfModule mod_ruid2.c>
  RMode config
  RUidGid apache apache
  RGroups apache psaserv
</IfModule> 
and this in vhost.conf

<IfModule mod_ruid2.c>
    RMode config
    RUidGid domain-ftp-user psacln
    RGroups psacln
</IfModule>   
Hope that helps. If you read the whole thread it should explain everything
hostingguy
Forum Regular

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by hostingguy »

I'm a little embarrassed to say I did read all 4 pages and still had to ask :)
so if I understand correctly there is no automated process that automatically sets these values on the domains and it's still a manual process - or an event handler process for physical hosting created/modified?
BruceLee
Forum Regular

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by BruceLee »

there is an automatic way. If you set "RMode stat" it should take the uid/guid from a script/directory:
Maybe the readme explains it better than me:


ABOUT
mod_ruid2 is a suexec module for apache 2.0, based on mod_ruid and mod_suid2

-it runs only on linux because afaik only linux has implemented posix 1003.1e capabilities
-it has better performance than mod_suid2 because it doesn`t need to kill httpd children
after one request. it makes use of kernel capabilites and after receiving a new request suids again.
-there are some security issues, for instance if attacker successfully exploits the httpd process,
he can set effective capabilities and setuid to root. i recommend to use some security patch in kernel (grsec),
or something..

-there are two main operation modes: stat and config
1. stat
is default, httpd setuid and setgid to uid and gid of requested filename(script)/directory
this is good if you use mod_vhost_alias for virtual hosting

2. config
like mod_suid2, you must define uid and gid

INSTALL
1. download and install latest libcap from here
2. run /apachedir/bin/apxs -a -i -l cap -c mod_ruid2.c
3. configure httpd.conf
4. restart apache

CONFIGURE OPTIONS:
RMode config|stat (default is stat)
RUidGid user|#uid group|#gid - when RMode is config, set to this uid and gid

RMinUidGid user|#uid group|#gid - when uid/gid is < than min uid/gid set to default uid/gid
RDefaultUidGid user|#uid group|#gid

RGroups group1 group2 - aditional groups set via setgroups

RDocumentChrRoot - Set chroot directory and the document root inside


EXAMPLE:

LoadModule ruid2_module modules/mod_ruid2.so
User apache
Group apache
RMode stat
RGroups apachetmp
RDocumentChRoot /home /example.com/public_html

NameVirtualHost 192.168.0.1
<VirtualHost example.com>
ServerAdmin webmaster@example.com
RDocumentChRoot /home /example.com/public_html
ServerName example.com
ServerAlias www.example.com
RMode config
RUidGid user1 group1
RGroups apachetmp

<Directory /home/example.com/public_html/dir>
RMode stat
</Directory>

<Directory /home/example.com/public_html/dir/test>
RMode config
RUidGid user2 group2
RGroups groups1
</Directory>

<Directory /home/example.com/public_html/dir/test/123>
RUidGid user3 group3
</Directory>

<Location /yustadir>
RMode config
RUidGid user4 user4
RGroups groups4
</Location>

</VirtualHost>

<VirtualHost example.net>
ServerAdmin webmaster@example.net
DocumentRoot /home/example.net/public_html
ServerName example.net
ServerAlias www.example.net
</VirtualHost>
http://mod-ruid.svn.sourceforge.net/vie ... iew=markup
hostingguy
Forum Regular

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by hostingguy »

Thanks - I did read the readme file before I posted too, I didn't see anything indicating any sort of 'automatic' inclusion or setup for virtual hosts listed in there either.

I think we may also have different ideas of what 'automatic' is or should be

From what I could tell from your response and the readme (and I could be wrong) is that I would have to manually enter in the newly created domain along with the ftp user into this config file or create a vhost.conf for the domain and enter it in there.

In my world automatic would be if a user creates a new physically hosted domain with an ftp user it would automatically use that user to run his php site using mod_ruid2 no matter what option he chose in plesk (apache/cgi/fcgi) - once he hits the submit button and the site gets provisioned there is nothing needed to be done by anyone for it to work. So far as I can tell the only way to get this to work is to create some sort of event handler firing on the 'physical hosting created' and 'physical hosting updated' events - although I saw some mention of using the skel directory for this but didn't see any guidance on how to do that.

Please excuse me if I am way off on my understanding of how this works.


Also, I found I actually needed to set up my conf file like this:
LoadModule ruid2_module modules/mod_ruid2.so
<IfModule mod_ruid2.c>
RMode config
RUidGid apache apache
RGroups apache psaserv
RMinUidGid apache apache
RDefaultUidGid apache psaserv
</IfModule>
Otherwise when I add a new domain or try and hit an existing domain with no specially defined vhost.conf directives for ruid2 it got the forbidden error and the mod security errors that others posted as well

[Wed Apr 06 12:53:01 2011] [crit] [client 63.229.62.199] (13)Permission denied: /var/www/vhosts/domain.com/httpdocs/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

[Wed Apr 06 12:53:01 2011] [error] [client 63.229.62.199] ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20110406/20110406-1253 (Permission denied) [hostname "domain.com"] [uri "/index.html"] [unique_id "Vx4atQoHRhsAACmr6HMAAAAB"]
BruceLee
Forum Regular

Re: [atomic] mod_ruid2 0.9.1-1

Unread post by BruceLee »

like I said, the "RMode stat" is that kind of automatic. It takes the owners of a script/dir whatever and runs it under these cred.

"is default, httpd setuid and setgid to uid and gid of requested filename(script)/directory"

Of course you get a 500 error. Right now you need to have vhost.conf file or otherwise all your domains run under apache.
But the files are configured/set for each vhost-ftp-user.
That's because you run in "RMode config" and have set it like that.

I would not use RMinUidGid.
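
One way to generate the per-domain vhost.conf that "RMode config" requires, so that a provisioning hook of the kind hostingguy describes has something to call. This is an added example, not code from the thread, Plesk or mod_ruid2; it assumes GNU stat and the /var/www/vhosts/DOMAIN/{httpdocs,conf} layout quoted above, and the function names, the psacln default and the 500 uid floor are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat and a vhost
# directory containing httpdocs/ (owned by the domain's FTP user) and conf/.

# ruid2_stanza DOCROOT [GROUP] [MIN_UID]
# Prints an "RMode config" block that runs requests as DOCROOT's owner.
# GROUP defaults to psacln (the value used in the thread). MIN_UID
# (default 500, an assumed floor for regular accounts) keeps root and
# system accounts from ever being written into a vhost.conf.
ruid2_stanza() {
    docroot=$1 group=${2:-psacln} min_uid=${3:-500}
    [ -d "$docroot" ] || { echo "no such docroot: $docroot" >&2; return 2; }
    uid=$(stat -c '%u' "$docroot") || return 2
    user=$(stat -c '%U' "$docroot") || return 2
    if [ "$uid" -lt "$min_uid" ]; then
        echo "refusing $docroot: owner uid $uid is below $min_uid" >&2
        return 1
    fi
    # No passwd entry for the owner: use the "#uid" form from the README.
    if [ "$user" = "UNKNOWN" ]; then
        user="#$uid"
    fi
    printf '%s\n' '<IfModule mod_ruid2.c>' '    RMode config' \
        "    RUidGid $user $group" "    RGroups $group" '</IfModule>'
}

# write_vhost_conf VHOST_DIR [GROUP] [MIN_UID]
# Creates VHOST_DIR/conf/vhost.conf; never overwrites an existing file,
# so hand-written directives (such as a <Location> exception) survive.
write_vhost_conf() {
    vhost=$1
    conf="$vhost/conf/vhost.conf"
    if [ -e "$conf" ]; then
        echo "exists, leaving untouched: $conf" >&2
        return 3
    fi
    stanza=$(ruid2_stanza "$vhost/httpdocs" "${2:-psacln}" "${3:-500}") || return $?
    mkdir -p "$vhost/conf" || return 2
    printf '%s\n' "$stanza" > "$conf"
}
```
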