APC with mod_ruid2 a security risk?

Discussion in 'Security' started by alexp999, Jan 23, 2012.

  1. alexp999

    alexp999 Member

    I'm currently trying out the EDGE builds, so I can give mod_ruid2 a go.

    I'm loving it so far, but I have one reservation: I have noticed that, due to the way mod_ruid2 works, APC is kept across different users.

    Now, to an extent this is what we want, so that stuff remains in the cache. However, does this open up a security hole?

    Can each user mess with another's APC cache? Is there another opcode cache accelerator that is more secure if that's the case, or will they all have the same problem?

    Basically if User X's script puts some stuff in the cache, can User Y then read it and/or change it?
     
    #1 alexp999, Jan 23, 2012
    Last edited: Jan 23, 2012
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Since APC is not provided by cPanel by default, it's far more difficult for most of us to have experience using it. EAccelerator and xCache are the more commonly used OPCode caches under cPanel, since both are available in EasyApache.

    For your questions, can you show the details on where APC keeps its cache files? Are they in the /tmp location? What is the ownership on those files? Any applicable settings you have in regards to APC would also be helpful, since this isn't a familiar setup.
     
  3. alexp999

    alexp999 Member

    APC stores its cache in the memory, like most other opcode caches afaik.

    I'm happy to use a different opcode cache, but due to the way mod_ruid2 works, surely the cache is kept across different users?
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    EAccelerator stores files in /tmp, which was our default OPCode caching for most of the lifetime of EasyApache.

    If you don't have more details on how APC is exactly storing files, I will have to go with troubleshooting the ones we support to see how they work with mod_ruid2 instead. I can happily check into it by adding the supported caching options (EAccelerator and xCache) to see the results for those. I'll get back to you tonight when I restart my next shift with any details I have on our supported options.
     
  5. alexp999

    alexp999 Member

    APC stores its cache in shared memory.

    From what I have read online, even Xcache and Eaccelerator do that, unless the EasyApache versions are modified to only allow local caching?
     
  6. markb14391

    markb14391 Well-Known Member

    I've heard that the current version of eAccelerator doesn't actually store user objects...only the compiled scripts. Is that true?
     
  7. alexp999

    alexp999 Member

    How did you get on, Tristan?
     
  8. alexp999

    alexp999 Member

    bump

    10chars
     
  9. eva2000

    eva2000 Well-Known Member

    APC can store on file or in memory; see the setting apc.mmap_file_mask.
     
  10. alexp999

    alexp999 Member

    I tried this, but you can still access the shared APC across multiple accounts.

    We need a way of controlling it per vhost, or user or something. I can't see that xcache or eaccelerator can be set up any better?
     
  11. eva2000

    eva2000 Well-Known Member

    How are you testing / confirming this?
     
  12. alexp999

    alexp999 Member

    I use the apc.php diagnostic file in two different accounts and can see entries from both accounts.
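
The two-account check described in the post above, reduced to a canary test an administrator can run on their own test accounts; this is an added example, not code from the thread or from cPanel. It assumes the classic APC 3.1.x extension and its `apc_store`, `apc_fetch` and `apc_cache_info` functions, and the key name `isolation_canary` is constructed for the example.

```php
<?php
// Added example (not from the thread): APC isolation check for two test accounts.
// Assumes the classic APC 3.1.x extension and PHP 5.3-compatible syntax.
header('Content-Type: text/plain');
if (!function_exists('apc_store')) {
    exit("APC is not loaded in this PHP build\n");
}

// Under mod_ruid2 the effective uid is the account that owns the vhost.
$uid = function_exists('posix_geteuid') ? posix_geteuid() : getmyuid();
$key = 'isolation_canary';   // constructed key name, identical in both accounts

$found  = false;
$canary = apc_fetch($key, $found);

if (!$found) {
    // First request: plant a canary tagged with this account's uid.
    apc_store($key, array('uid' => $uid, 'planted' => time()), 600);
    echo "Canary planted as uid $uid. Now request this file in the second account.\n";
} elseif ($canary['uid'] === $uid) {
    echo "Canary was planted by this account (uid $uid); request it from the other one.\n";
} else {
    echo "READ: uid $uid can read the canary planted by uid {$canary['uid']}\n";
    // Try to change the other account's entry, then read it back.
    $marker = array('uid' => $canary['uid'], 'tampered_by' => $uid);
    apc_store($key, $marker, 600);
    $after   = apc_fetch($key);
    $changed = is_array($after) && isset($after['tampered_by']);
    echo $changed ? "WRITE: uid $uid could overwrite it\n"
                  : "WRITE: overwrite was not accepted\n";
}

// Opcode cache: count cached scripts that live outside this account's home.
$home = null;
if (function_exists('posix_getpwuid')) {
    $pw   = posix_getpwuid($uid);
    $home = $pw ? rtrim($pw['dir'], '/') . '/' : null;
}
$info    = @apc_cache_info();
$foreign = 0;
if ($home !== null && is_array($info) && isset($info['cache_list'])) {
    foreach ($info['cache_list'] as $entry) {
        if (isset($entry['filename']) && strpos($entry['filename'], $home) !== 0) {
            $foreign++;
        }
    }
    echo "Opcode cache entries outside $home visible to uid $uid: $foreign\n";
}
```

Scripts under shared system paths also count as outside the home directory, so a non-zero opcode count needs a look at which paths are involved; the READ and WRITE lines are the direct answer to whether the user cache is shared between the two accounts.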
     
  13. markb14391

    markb14391 Well-Known Member

    Was it ever concluded whether this is a security risk?
     