Atomicorp

We're having issues with PHP via FastCGI eating up too much memory. I found some threads regarding using mod_ruid2 instead but most of these posts are older.

I'm looking for feedback on mod_ruid2 - who's using it and is it working well for you? Any pitfalls you've discovered using it? I'm running CentOS 5 and Plesk 9.5.4


Thanks in advance,

Rob

There's an entire support thread on the parallels forum for the "commercial" plesk add-in that supports mod_ruid2 via the control panel. Lots of people seem to be using it, and it gets regularly updated as far as I can see.

I've not tested it myself. I'm somewhat concerened about plesk updates and upgrades breaking it, although this doesn't seem to have happened so far.

I'm using it and it's working like a charm. One problem though. You don't get correct reporting of errors from ASL into the db. As far as I understand this is because the process runs as the account user and cannot access the asl path to insert the source of the errors. You see the error in the local log file for this account, but it isnät presented in the ASL web gui.

Thats interesting to know! I'd not have expected that (the asl problem, not the fact that it works like a charm!). Hmm...

You know...I'd like to see an Atomic mod_ruid2 "Plesk plug in" ... I'd probably go with that. But at the same time I would not like to see the guy who has put a lot of effort into his version (which is excellent value for money - I did purchase it but never installed), being undermined. Maybe there's a way to get around this -- for the atomic version to have something different that the masses might not want? Or to be difficult to install or something

its definitely a superior solution to fcgi, just has some sorting out to do with integration w/ other modules. Id also add that I would never ever run mod_ruid2 (and the author recommends the same thing) without a kernel like ASL uses.

scott wrote: Id also add that I would never ever run mod_ruid2 (and the author recommends the same thing) without a kernel like ASL uses.

I'm curious to know why. Is it explainable in English or is it too technical? What's so different compared to the normal apache module or fcgi?

Another thing I don't like about the addon is that its grabbing your license from your Plesk installation.
If it can't read out the license it won't run. There is absolutely no need for this addon to fetch datas like these to run.
From my point of view thats going to the direction of "steaking" infos.
and it's not mentioned anywhere. Since it's protected with ZEND or another framework you never know what else it does.

Regarding the problem with ASL log.
Is it maybe solution to log into multiple files simultaneously and set that globally and let it merge with a process?

apache normally starts up as root, then drops its privileges to an untrusted user (apache). mod_ruid2 modifies this to not drop its privileges, and continues to operate as root. If there were a flaw in mod_ruid2, apache, or any module or library loaded by apache (openssl, php, perl, python, ruby, etc) then they would effectively be running in a root context.

thanks Scott,

what if we set mod_ruid2 to run in the context of the user of the vhost to avoid problems like file creation, etc. (like in Joomla).
Does it run as root than as well and just "fakes" to be the vhosts ftp user?
and if it would be hacked in that case would it be root than too?
and of course the question/statement again:
since we run ASL we are safe in running mod_ruid2?!
and besides all that you would still recommend it instead of fcgi?!

thanks

Does it run as root than as well and just "fakes" to be the vhosts ftp user?

yes

and if it would be hacked in that case would it be root than too?

yes

since we run ASL we are safe in running mod_ruid2?!

If you're using the ASL kernel, then the kernel security controls would compensate for that from multiple vectors. (Stack protection, process restriction, TPE, etc).

and besides all that you would still recommend it instead of fcgi?!

Yes, if you're in the ASL kernel theres nothing to worry about.

perfect. thanks a lot.

Scott: Is there any way at al to get the logging in ASL working with mod_ruid2 enabled?

I dont know

Scott is there anything we can do to support you in finding a solution for that?
Or is it basically a permission problem that you would have to find a secure solution for?

It needs R&D time, maybe their is a userspace solution, or maybe this is something that has to be modified in either the mod_ruid2 or mod_security DSO code.