Re: [atomic] mod_ruid2 0.9.1-1
Posted: Thu Jan 13, 2011 8:44 am
Looks that way. Thanks a lot for the tip!
mind04 wrote: Thank you for the detailed report.
Please try http://mod-ruid.svn.sourceforge.net/vie ... evision=22
If this revision solves your problems it is time for version 0.9.4
No, it's an exception for another problem I resolved two days ago with Helix Development. Plesk-Stats doesn't run well with mod_ruid2 because of default Plesk permission.
mind04 wrote: It looks like the <Location> lines are the source of your new problem... Is it working without them?
Code:
<IfModule mod_ruid2.c>
RMode config
RUidGid vhost_u vhost_g
RGroups g1 g2 g3
<Location /plesk-stat>
RUidGid apache apache
</Location>
</IfModule>
I see some others using different values, and though I read a post somewhere that using apache apache is no good - but that aside - how does this set users to use their own ftp account to run the site?
LoadModule ruid2_module modules/mod_ruid2.so
<IfModule mod_ruid2.c>
RMode config
RDefaultUidGid apache apache
RUidGid apache apache
RGroups apache
</IfModule>
Code:
<IfModule mod_ruid2.c>
RMode config
RUidGid apache apache
RGroups apache psaserv
</IfModule>
Code:
<IfModule mod_ruid2.c>
RMode config
RUidGid domain-ftp-user psacln
RGroups psacln
</IfModule>
Code:
ABOUT
mod_ruid2 is a suexec module for apache 2.0, based on mod_ruid and mod_suid2

-it runs only on linux because afaik only linux has implemented posix 1003.1e capabilities
-it has better performance than mod_suid2 because it doesn't need to kill httpd children
after one request. it makes use of kernel capabilities and after receiving a new request suids again.
-there are some security issues, for instance if attacker successfully exploits the httpd process,
he can set effective capabilities and setuid to root. i recommend to use some security patch in kernel (grsec),
or something..

-there are two main operation modes: stat and config
1. stat
is default, httpd setuid and setgid to uid and gid of requested filename(script)/directory
this is good if you use mod_vhost_alias for virtual hosting

2. config
like mod_suid2, you must define uid and gid

INSTALL
1. download and install latest libcap from here
2. run /apachedir/bin/apxs -a -i -l cap -c mod_ruid2.c
3. configure httpd.conf
4. restart apache

CONFIGURE OPTIONS:
RMode config|stat (default is stat)
RUidGid user|#uid group|#gid - when RMode is config, set to this uid and gid

RMinUidGid user|#uid group|#gid - when uid/gid is < than min uid/gid set to default uid/gid
RDefaultUidGid user|#uid group|#gid

RGroups group1 group2 - additional groups set via setgroups

RDocumentChRoot - Set chroot directory and the document root inside


EXAMPLE:

LoadModule ruid2_module modules/mod_ruid2.so
User apache
Group apache
RMode stat
RGroups apachetmp
RDocumentChRoot /home /example.com/public_html

NameVirtualHost 192.168.0.1
<VirtualHost example.com>
ServerAdmin webmaster@example.com
RDocumentChRoot /home /example.com/public_html
ServerName example.com
ServerAlias www.example.com
RMode config
RUidGid user1 group1
RGroups apachetmp

<Directory /home/example.com/public_html/dir>
RMode stat
</Directory>

<Directory /home/example.com/public_html/dir/test>
RMode config
RUidGid user2 group2
RGroups groups1
</Directory>

<Directory /home/example.com/public_html/dir/test/123>
RUidGid user3 group3
</Directory>

<Location /yustadir>
RMode config
RUidGid user4 user4
RGroups groups4
</Location>

</VirtualHost>

<VirtualHost example.net>
ServerAdmin webmaster@example.net
DocumentRoot /home/example.net/public_html
ServerName example.net
ServerAlias www.example.net
</VirtualHost>
Otherwise when I add a new domain or try and hit an existing domain with no specially defined vhost.conf directives for ruid2 it got the forbidden error and the mod security errors that others posted as well
LoadModule ruid2_module modules/mod_ruid2.so
<IfModule mod_ruid2.c>
RMode config
RUidGid apache apache
RGroups apache psaserv
RMinUidGid apache apache
RDefaultUidGid apache psaserv
</IfModule>
[Wed Apr 06 12:53:01 2011] [crit] [client 63.229.62.199] (13)Permission denied: /var/www/vhosts/domain.com/httpdocs/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
[Wed Apr 06 12:53:01 2011] [error] [client 63.229.62.199] ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20110406/20110406-1253 (Permission denied) [hostname "domain.com"] [uri "/index.html"] [unique_id "Vx4atQoHRhsAACmr6HMAAAAB"]
Code:
is default, httpd setuid and setgid to uid and gid of requested filename(script)/directory
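The README's mode and RMinUidGid rules, applied to the directive blocks quoted in this thread, as an added example (not code from mod_ruid2 or from any poster). The id tables, the stat-mode block and the function names are constructed; applying the minimum to uid and gid separately, and only when RDefaultUidGid is also set, are assumptions.

```python
DIRECTIVES = ("RMode", "RUidGid", "RMinUidGid", "RDefaultUidGid", "RGroups")
# Constructed name-to-id tables; a real check would read them from passwd/group.
USERS = {"apache": 48, "domain-ftp-user": 10001}
GROUPS = {"apache": 48, "psaserv": 2521, "psacln": 2524}
# Two blocks quoted in the thread, plus one constructed stat-mode block.
SERVER_WIDE = """RMode config
RUidGid apache apache
RGroups apache psaserv
RMinUidGid apache apache
RDefaultUidGid apache psaserv"""
PER_DOMAIN = """RMode config
RUidGid domain-ftp-user psacln
RGroups psacln"""
STAT_MODE = """RMinUidGid #500 #500
RDefaultUidGid apache psaserv"""

def parse_ruid2(text):
    conf = {"RMode": ["stat"]}  # README: stat is the default mode
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in DIRECTIVES:
            conf[parts[0]] = parts[1:]
    return conf

def to_id(token, table):
    # README syntax: either a name or "#" followed by the numeric id
    return int(token[1:]) if token.startswith("#") else table[token]

def effective_ids(text, file_owner=(0, 0)):
    """Return the (uid, gid) a request would run as under the given directives."""
    conf = parse_ruid2(text)
    if conf["RMode"] == ["config"]:
        uid, gid = to_id(conf["RUidGid"][0], USERS), to_id(conf["RUidGid"][1], GROUPS)
    else:
        uid, gid = file_owner  # stat mode: owner of the requested file
    if "RMinUidGid" in conf and "RDefaultUidGid" in conf:
        # Assumption: the "< min -> default" rule is applied to uid and gid separately.
        lo, dflt = conf["RMinUidGid"], conf["RDefaultUidGid"]
        if uid < to_id(lo[0], USERS):
            uid = to_id(dflt[0], USERS)
        if gid < to_id(lo[1], GROUPS):
            gid = to_id(dflt[1], GROUPS)
    return uid, gid

def shares_server_account(text, file_owner=(0, 0), server_user="apache"):
    """True when requests end up running as the common httpd account."""
    return effective_ids(text, file_owner)[0] == USERS[server_user]

if __name__ == "__main__":
    print(effective_ids(SERVER_WIDE), effective_ids(PER_DOMAIN), effective_ids(STAT_MODE))
```

With the server-wide block every site resolves to the same httpd account, while the per-domain block resolves to the domain's own FTP user; in stat mode a root-owned file falls back to the RDefaultUidGid pair.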