mod_ruid2
We're having issues with PHP via FastCGI eating up too much memory. I found some threads regarding using mod_ruid2 instead but most of these posts are older.
I'm looking for feedback on mod_ruid2 - who's using it and is it working well for you? Any pitfalls you've discovered using it? I'm running CentOS 5 and Plesk 9.5.4
Thanks in advance,
Rob
Re: mod_ruid2
There's an entire support thread on the parallels forum for the "commercial" plesk add-in that supports mod_ruid2 via the control panel. Lots of people seem to be using it, and it gets regularly updated as far as I can see.
I've not tested it myself. I'm somewhat concerned about Plesk updates and upgrades breaking it, although this doesn't seem to have happened so far.
Re: mod_ruid2
I'm using it and it's working like a charm. One problem though. You don't get correct reporting of errors from ASL into the db. As far as I understand this is because the process runs as the account user and cannot access the ASL path to insert the source of the errors. You see the error in the local log file for this account, but it isn't presented in the ASL web GUI.
Re: mod_ruid2
That's interesting to know! I'd not have expected that (the ASL problem, not the fact that it works like a charm!). Hmm...
You know...I'd like to see an Atomic mod_ruid2 "Plesk plug in" ... I'd probably go with that. But at the same time I would not like to see the guy who has put a lot of effort into his version (which is excellent value for money - I did purchase it but never installed), being undermined. Maybe there's a way to get around this -- for the atomic version to have something different that the masses might not want? Or to be difficult to install or something
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: mod_ruid2
It's definitely a superior solution to fcgi, it just has some sorting out to do with integration w/ other modules. I'd also add that I would never ever run mod_ruid2 (and the author recommends the same thing) without a kernel like ASL uses.
Re: mod_ruid2
scott wrote: I'd also add that I would never ever run mod_ruid2 (and the author recommends the same thing) without a kernel like ASL uses.
I'm curious to know why. Is it explainable in English or is it too technical? What's so different compared to the normal Apache module or fcgi?
Re: mod_ruid2
Another thing I don't like about the addon is that it's grabbing your license from your Plesk installation.
If it can't read out the license it won't run. There is absolutely no need for this addon to fetch data like this to run.
From my point of view that's going in the direction of "stealing" info, and it's not mentioned anywhere. Since it's protected with ZEND or another framework you never know what else it does.
Regarding the problem with the ASL log:
Is it maybe a solution to log into multiple files simultaneously and set that globally and let it merge with a process?
Re: mod_ruid2
Apache normally starts up as root, then drops its privileges to an untrusted user (apache). mod_ruid2 modifies this to not drop its privileges, and continues to operate as root. If there were a flaw in mod_ruid2, Apache, or any module or library loaded by Apache (openssl, php, perl, python, ruby, etc.) then they would effectively be running in a root context.
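A check for the condition described in the post above, added here as an example and not part of the original thread: it reads the Uid and capability lines from /proc/<pid>/status and lists any way a worker could still act as root. The process name httpd and the sample status text are assumptions constructed for illustration.

```python
# Added example: flag Apache workers that could still switch back to root.
# The /proc/<pid>/status excerpts are constructed samples, not real captures.
import os

CAPS = (("CAP_SETGID", 1 << 6), ("CAP_SETUID", 1 << 7))  # linux/capability.h bits
UID_SLOTS = ("real", "effective", "saved", "filesystem")

SAMPLE_DROPPED = "Name:\thttpd\nUid:\t48\t48\t48\t48\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
SAMPLE_SAVED_ROOT = "Name:\thttpd\nUid:\t10001\t10001\t0\t10001\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
SAMPLE_KEEPS_CAPS = "Name:\thttpd\nUid:\t10001\t10001\t10001\t10001\nCapPrm:\t00000000000000c0\nCapEff:\t0000000000000000\n"


def parse_status(text):
    """Turn 'Key:\\tv1\\tv2' lines into {key: [v1, v2]}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    return fields


def root_paths(text):
    """List the ways this process could act as, or return to, root."""
    fields = parse_status(text)
    found = []
    for slot, uid in zip(UID_SLOTS, fields.get("Uid", [])):
        if int(uid) == 0:
            found.append(f"{slot} uid is 0")
    for field in ("CapPrm", "CapEff"):
        mask = int(fields.get(field, ["0"])[0], 16)
        found += [f"{field} has {name}" for name, bit in CAPS if mask & bit]
    return found


def audit_live(process_name="httpd"):
    """Scan /proc on a Linux host; process_name is an assumption."""
    report = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/status") as fh:
                text = fh.read()
        except OSError:
            continue  # process exited or is not readable
        if parse_status(text).get("Name") == [process_name]:
            report[int(pid)] = root_paths(text)
    return report


if __name__ == "__main__":
    for pid, found in sorted(audit_live().items()):
        print(pid, found or "fully dropped")
```

An empty list means the worker has no uid 0 slot and no setuid/setgid capability left, so a compromise of that process stays confined to the unprivileged account.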
Re: mod_ruid2
Thanks Scott,
What if we set mod_ruid2 to run in the context of the user of the vhost to avoid problems like file creation, etc. (like in Joomla)?
Does it run as root then as well and just "fakes" to be the vhost's ftp user?
And if it would be hacked in that case would it be root then too?
And of course the question/statement again:
since we run ASL we are safe in running mod_ruid2?!
And besides all that you would still recommend it instead of fcgi?!
Thanks
Re: mod_ruid2
Quote: Does it run as root then as well and just "fakes" to be the vhost's ftp user?
Yes.
Quote: and if it would be hacked in that case would it be root then too?
Yes.
Quote: since we run ASL we are safe in running mod_ruid2?!
If you're using the ASL kernel, then the kernel security controls would compensate for that from multiple vectors (stack protection, process restriction, TPE, etc.).
Quote: and besides all that you would still recommend it instead of fcgi?!
Yes, if you're in the ASL kernel there's nothing to worry about.
Re: mod_ruid2
perfect. thanks a lot.
Re: mod_ruid2
Scott: Is there any way at all to get the logging in ASL working with mod_ruid2 enabled?
Re: mod_ruid2
I don't know.
Re: mod_ruid2
Scott is there anything we can do to support you in finding a solution for that?
Or is it basically a permission problem that you would have to find a secure solution for?
Re: mod_ruid2
It needs R&D time. Maybe there is a userspace solution, or maybe this is something that has to be modified in either the mod_ruid2 or mod_security DSO code.