The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

The new mod_ruid2 functionality

Discussion in 'General Discussion' started by webmastergreg, Dec 30, 2011.

  1. webmastergreg

    webmastergreg Member

    Joined:
    Dec 19, 2010
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi

    just to be really sure...in this case the "Configure PHP and SuExec"

    with mod_ruid2, PHP 5 Handler must be set to: suphp

    is it ok ?
    or another option appear in the list choice ?
    (I'm under CP 11.30.5.3 so that's why I want to know)

    Thanks
     
    #1 webmastergreg, Dec 30, 2011
    Last edited: Dec 30, 2011
  2. InterServed

    InterServed Well-Known Member

    Joined:
    Jul 10, 2007
    Messages:
    255
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    DataCenter Provider
    Re: [Case 52294] support mod_ruid2

    Indeed it must be set to suphp , that's how it is for us on EDGE test.
     
  3. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Re: [Case 52294] support mod_ruid2

    Mark, the following post from this thread will answer your question: http://forums.cpanel.net/f145/case-52294-support-mod_ruid2-229432-p2.html#post1035011

    EasyApache does not follow the EDGE, CURRENT, RELEASE paradigm like most of cPanel&WHM. However, some features of EasyApache do rely on specific versions of cPanel&WHM and other environmental factors at times.
     
  4. markb14391

    markb14391 Well-Known Member

    Joined:
    Jun 9, 2008
    Messages:
    305
    Likes Received:
    2
    Trophy Points:
    18
    Re: [Case 52294] support mod_ruid2

    I'm confused...isn't the point of mod_ruid2 to serve as an alternative to the slow suphp? If you set the handler to suphp, are you still facing that performance hit? Or are you actually bypassing the slow suphp somehow?

    A complete "how-to" would be helpful
     
  5. markb14391

    markb14391 Well-Known Member

    Joined:
    Jun 9, 2008
    Messages:
    305
    Likes Received:
    2
    Trophy Points:
    18
    Re: [Case 52294] support mod_ruid2

    That still didn't answer it for me. I know that EasyApache has its own version, but certain features require a certain version of cPanel/WHM. My question was how to get the needed version of cPanel/WHM. Will EDGE give me that? Otherwise, when will it pass into CURRENT?

    Thanks,

    Mark
     
  6. Brian

    Brian Well-Known Member

    Joined:
    Dec 1, 2010
    Messages:
    117
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Re: [Case 52294] support mod_ruid2

    This is incorrect. mod_ruid2 will work with all PHP Handlers *except* for FastCGI. This means you can use DSO, CGI, or suphp.

    However...
    This is correct. I really can't come up with a logical reason why you would want to use mod_ruid2 with suPHP. While you'd gain the benefit of the Apache children running as the user (thus requests for HTML, images, anything will run as the user -- not just PHP) you'd not gain the performance boost of mod_ruid2 out of it when it came to PHP. One of the core benefits to mod_ruid2 is the ability to run it under DSO while the requests are run as the user. This is as opposed to DSO without mod_ruid2 where everything runs as 'nobody'.

    Nonetheless, mod_ruid2 "works" with suphp and won't complain -- I just can't imagine why you'd want to do that. Maybe you want suPHP's "protection" of throwing 500 errors when PHP permissions are group/world writeable? Maybe you want the compatibility of still having suPHP_ConfigPath configurations work when moving off of suPHP?

    On my own personal box I run mod_ruid2 with DSO, as that's my personal opinion as to the most desirable handler to utilize with mod_ruid2. Just like most server configuration options, though, other server admins may have other preferences for legitimate reasons.

    Checking/unchecking mod_ruid2 does not adjust your PHP Handler, so whatever you had previously selected will just be defaulted still after the compile. The only exception being FastCGI of course since mod_ruid2 doesn't support it.

    Coincidentally enough, this is something under active consideration as of today via Case 56043. I concur that this would be very beneficial. Not so much a "HowTo", but a guide of the Pros, Cons, and special concerns of note that you should be aware of when deploying mod_ruid2. I wouldn't have an ETA on this for you, but I share your sentiments there and would anticipate this being available in our documentation in the future.

    You're correct. mod_ruid2 is hidden/disabled from EasyApache if you are not running 11.31.3+. Accordingly, you'll need to wait until your respective tier receives the 11.31.3.* or higher cPanel update before you can deploy mod_ruid2. This is because other changes were needed to the product outside of EasyApache to support mod_ruid2. I wouldn't have any sort of ETA for you on when 11.31.3+ is hitting a specific tier. But, it will be posted to Downloads - cPanel Inc. under the tier table as soon as it's available for a given tier.
     
  7. markb14391

    markb14391 Well-Known Member

    Joined:
    Jun 9, 2008
    Messages:
    305
    Likes Received:
    2
    Trophy Points:
    18
    Re: [Case 52294] support mod_ruid2

    Brian,

    Thanks for the response.

    Is that roughly as secure as running suPHP without mod_ruid2?
     
  8. Brian

    Brian Well-Known Member

    Joined:
    Dec 1, 2010
    Messages:
    117
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Re: [Case 52294] support mod_ruid2

    There are a few security related differences to be aware of.

    [1] Verbatim copy/pasted from mod_ruid2's own README included by its creators (Source: mod_ruid2 | Free software downloads at SourceForge.net):
    Essentially, it is possible that an Apache exploit is found in the future that (if it exploits in the right location) allows the malicious attacker to attain root privileges because of how mod_ruid2 inherently works (uses setuid to set itself from root to run as the system user). On any other configuration, the same exploit would be limited to 'nobody' or cPanel user privileges at worst. Either way you look at it, though, an Apache exploit of that magnitude would be serious regardless whether or not you use mod_ruid2. Nonetheless, a security difference that's something to be aware of.

    [2] On the beneficial side, mod_ruid2 permits you to lock down user directories even further. World execute permission is no longer required, so /home/$user can change from 711 permissions to 710. Since 'nobody' is no longer used, public_html can drop the 'nobody' group privilege and be purely owned by the user. Essentially, there's no reason to enable any level of 'world' permission under mod_ruid2 which is a great security benefit.

    [3] On the cautionary side, suPHP has a built in feature to throw a 500 error if a system user took it upon themselves to set grossly insecure permissions (group/world write perms). With mod_ruid2, you lose this security safety net. Inexperienced users may start setting 777 perms and other insecure permissions on their account and unnecessarily open themselves up to security concerns.
     
  9. Shazan

    Shazan Member

    Joined:
    Aug 31, 2002
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Re: [Case 52294] support mod_ruid2

    Does it work correctly with worker MPM?

    Or it is advised to configure Apache as prefork?
     
  10. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Re: [Case 52294] support mod_ruid2

    DSO (mod_php) will only allow you to use MPM Prefork and mod_ruid2 only works with DSO, so you cannot have both mod_ruid2 and any MPM besides Prefork due to DSO. If you ever have any questions on how PHP handlers function, you might want to review this chart (I made this chart originally as my Miraenda user on this forum and then allowed cPanel Admin to use it):

    http://www.thecpaneladmin.com/wp-content/uploads/2010/08/phphandlers2.png
     
  11. britsenigma

    britsenigma Well-Known Member

    Joined:
    Dec 14, 2008
    Messages:
    85
    Likes Received:
    0
    Trophy Points:
    6
    Re: [Case 52294] support mod_ruid2

    Nice Chart.

    I never see much speed increase from using FCGI. And the caching seems broken.

    Also, Worker/Event don't work with caching, as the processes/threads fork at the wrong point in time or something to be cached.

    It's a mind field, i'm seriously considering putting up a site where you can download optimized easy apache yaml imports to make this easier.
     
  12. markb14391

    markb14391 Well-Known Member

    Joined:
    Jun 9, 2008
    Messages:
    305
    Likes Received:
    2
    Trophy Points:
    18
    Re: [Case 52294] support mod_ruid2

    I've heard conflicting stories about FCGI's security. Some people say it's not as secure as suPHP. Others say it's just as secure if you run it with suEXEC on. Which is true?

    I've also heard that FCGI requires extra configuration...and instructions for that seem to be very elusive. What are the extra steps needed?

    Thanks,

    Mark
     
  13. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Re: [Case 52294] support mod_ruid2

    Hi Mark,

    Please open up a new thread to pose questions about FCGI. This thread is about mod_ruid2 rather than FCGI.

    Thanks!
     
  14. aww

    aww Well-Known Member

    Joined:
    Feb 10, 2005
    Messages:
    152
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Re: [Case 52294] support mod_ruid2

    How does ruid2 handle existing environments where there maybe leftover directories from mod_php owned by "nobody" ?

    In some cases those directories may *not* be chmod 777, so I assume if a directory is owned by nobody, ruid2 cannot write to it until ownership is changed to the local user? So a server would have to be scanned for "nobody" ownership.
     
  15. Brian

    Brian Well-Known Member

    Joined:
    Dec 1, 2010
    Messages:
    117
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Re: [Case 52294] support mod_ruid2

    You are correct. The complications you're going to run into when going from a non-mod_ruid2 DSO / CGI setup to a mod_ruid2 setup are very similar to the complications you'd run into when going from a non-mod_ruid2 DSO / CGI setup to a suPHP / FCGI setup.

    With mod_ruid2, 100% of the Apache requests are run as the cPanel user/group itself, therefore that user/group must have proper permission on the file you want to interact with. With mod_ruid2, you do *not* want any files to be 777 -- ever. It's unnecessary and serves only as an insecure configuration. In fact, any permission at all to World on a file/directory is unnecessary under mod_ruid2. You simply want the content you'll be accessing to be owned by that cPanel user and have appropriate permissions for what actions you're taking with that file.

    With that said, certainly be aware that you can't go from a non-mod_ruid2 DSO / CGI config to a mod_ruid2 config or vice versa without running into ownership/permissions issues. You should plan to make ownership/permission changes when switching the config either way.
     
  16. d_t

    d_t Well-Known Member

    Joined:
    Sep 20, 2003
    Messages:
    243
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Bucharest
    Re: [Case 52294] support mod_ruid2

    I tested mod_ruid2, works better that suPHP. Will be fine if we can upgrade only easyapache to latest version instead of entire cpanel.
     
  17. asturmas

    asturmas Well-Known Member
    PartnerNOC

    Joined:
    Jun 19, 2006
    Messages:
    138
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Portugal
    cPanel Access Level:
    DataCenter Provider
    Re: [Case 52294] support mod_ruid2

    Hello,
    "Migration" from suPHP to mod_ruid2 is easy? Its only run easy_apache or need any other changes?

    Thanks,
     
  18. Jay M

    Jay M Active Member
    PartnerNOC

    Joined:
    Oct 10, 2011
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Re: [Case 52294] support mod_ruid2

    mod_ruid2 goes back to using your .htaccess to manage php environment changes at a user level, so yes, if you're using user level custom php.ini's you'll need to make changes.
     
  19. Lehman

    Lehman Registered

    Joined:
    Feb 22, 2012
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Re: [Case 52294] support mod_ruid2

    Let me first say you are doing a great job here on cPanel with the late improvements. :)

    Just to clarify, with mod_ruid2 on with dso handler, do I have to set suExec on in Configure PHP and SuExec?
     
  20. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Re: [Case 52294] support mod_ruid2

    You would still set suExec to on in WHM > Apache Configuration > PHP and SuExec Configuration area.
     
Loading...

Share This Page