How to install mod_ruid2 on cpanel server?

[ikillbill]

Hi

I have found that mod_ruid2 seems our best solution to have both performance +security at the same, could anyone share how to install it on cpanel without issues?

If in the future when we recompile apache from easyaapche, shall we also install mod_ruid2 manually again?

thanks!

 

[cPanelTristan]

This module is installed like any other Apache module that can be dynamically installed. Such as how I've explained on two recent threads for other Apache modules:

http://forums.cpanel.net/f5/mod_auth_external-227902.html
http://forums.cpanel.net/f185/how-set-mod_sed-cpanel-227452.html

The only difference for this module is that libcap-devel is required and has to be installed via yum first if you don't already have it:

yum -y install libcap-devel

The rest is just like those other threads but using the requisite module name and location:

cd /root
wget http://downloads.sourceforge.net/project/mod-ruid/mod_ruid2/mod_ruid2-0.9.4.tar.bz2
tar xvfj mod_ruid2-0.9.4.tar.bz2
cd mod_ruid2-0.9.4
apxs -a -i -l cap -c mod_ruid2.c

After doing the above, it will then put a "LoadModule" into /usr/local/apache/conf/httpd.conf file:

LoadModule ruid2_module modules/mod_ruid2.so

The module can cause conflicts during EasyApache build, so I would suggest moving it and distilling the include. First, remove the "LoadModule" line mentioned above from /usr/local/apache/conf/httpd.conf, then run these commands:

echo "LoadModule ruid2_module modules/mod_ruid2.so" >> /usr/local/apache/conf/includes/pre_main_global.conf
cp /usr/local/apache/conf/httpd/conf /usr/local/apache/conf/httpd.conf.bak110826
/usr/local/cpanel/bin/apache_conf_distiller --update
/scripts/rebuildhttpdconf
/etc/init.d/httpd restart

Now, copy the mod_ruid2.so file to /root to save a copy of it, since future /scripts/easyapache recompiles will move the file out of /usr/local/apache/modules folder:

cp /usr/local/apache/modules/mod_ruid2.so /root

Now, before you run /scripts/easyapache in the future, create these files:

vi /scripts/preeasyapache

Place the following content into the file:

#!/bin/bash

sed -i 's/LoadModule ruid2_module/#LoadModule ruid2_module/g' /usr/local/apache/conf/includes/pre_main_global.conf

Next, create this file:

vi /scripts/posteasyapache

Place the following content into the file:

#!/bin/bash

cp /root/mod_ruid2.so /usr/local/apache/modules/
sed -i 's/#LoadModule ruid2_module/LoadModule ruid2_module/g' /usr/local/apache/conf/includes/pre_main_global.conf
/etc/init.d/httpd restart

The first script comments out the LoadModule in /usr/local/apache/conf/includes/pre_main_global.conf at the beginning of the Apache build. The second script copies mod_ruid2.so back into /usr/local/apache/modules folder, uncomments the LoadModule, and restarts Apache at the end of the build.

After saving these files, ensure they can execute:

chmod +x /scripts/preeasyapache
chmod +x /scripts/posteasyapache

For this question:

If in the future when we recompile apache from easyaapche, shall we also install mod_ruid2 manually again?

If you use the steps I've indicated above, you won't have to manually recompile mod_ruid2 again.

 

[ikillbill]

huge thanks for this!

do we need to edit httpd 's template like DA did?

[HOWTO] mod_ruid2 - DirectAdmin Forums

 

[cPanelTristan]

Hello ikillbill,

Are you asking if you need to do it or how to do it? If you want to add directives for the module, you'd have to either put includes for each account or edit the template to include them. As such, yes, you would have to add entries for it to work to use those directives. If you want to know how to do it specifically, please indicate if you want it to be part of the default template or per individual user as includes instead, since the instructions will differ.

Thanks!

 

[ikillbill]

hello,

rephrasnig..

1.
we want after install this mod, when we create cpanel accounts from WHM, "all" accounts will have that mod "enabled" automatically , so we do "have to" to those templates ?


2.
on that DA link, it says
"To be sure the webmail clients etc still works we need to change the owner permissions"

Do we need to do similar thing for cpanel 's webmail work as usual?

thanks again indeed

 

[ikillbill]

Tristan , could you please check ?

thanks

 

[Nick]

thanks for your article
just a small comment
don't forgot to change ruid2.conf before you run apxs
change last few lines to
<IfModule mod_ruid2.c>
RMode config
RDefaultUidGid nobody nobody
RUidGid nobody nobody
RGroups nobody
</IfModule>
otherwise your redirections domain.com/whm domain.com/cpanel wont wokr because the user mismatch

 

[Nick]

I meant /usr/local/apache/conf/includes/pre_main_global.conf
it should be like
LoadModule ruid2_module modules/mod_ruid2.so
<IfModule mod_ruid2.c>
RMode config
RDefaultUidGid nobody nobody
RUidGid nobody nobody
RGroups nobody
</IfModule>

 

[Nick]

also create the vhost templates vhost.local and ssl_vhost.local
To create custom template files that affect all virtual hosts:
Create a copy of one or more of the following files:
Apache 1 without SSL — /var/cpanel/templates/apache1/vhost.default
Apache 2 without SSL — /var/cpanel/templates/apache2/vhost.default
Apache 1 with SSL — /var/cpanel/templates/apache1/ssl_vhost.default
Apache 2 with SSL — /var/cpanel/templates/apache2/ssl_vhost.default
Rename the copied file to one of the following:
vhost.local — use this if you copied vhost.default.
ssl_vhost.local — use this if you copied ssl_vhost.default.
Edit the *.local files to make the changes you would like to your virtual host configuration.

I have added necessary strings after Suexec configuration
<IfModule !mod_disable_suexec.c>
SuexecUserGroup [% vhost.user %] [% vhost.group %]
</IfModule>
<IfModule mod_ruid2.c>
RMode config
RUidGid [% vhost.user %] [% vhost.group %]
RGroups nobody
</IfModule>

 

[cPanelDavidG]

Just a head's up, you can track the progress of our official implementation of mod_ruid2 at: http://forums.cpanel.net/f145/case-52294-support-mod_ruid2-229432.html