store | blogs | forums | twitter | facebook | wiki | downloads | support portal
Atomic Secure Linux
It is currently Sat Dec 20, 2014 10:34 pm

» Feed - Atomicorp

All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 83 posts ]  Go to page 1, 2, 3, 4, 5, 6  Next
Author Message
 Post subject: [atomic] mod_ruid2 0.9.1-1
Unread postPosted: Fri Nov 26, 2010 7:10 pm 
Offline
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7964
Location: earth
This is the initial import of mod_ruid2 to the atomic repo. Similar to the capabilities of ITK, but in DSO form. Potentially a lethal combo if we combine this with mod_hostinglimits, mod_security, and grsecurity. :P

Description:

With this module, all httpd process run under user's access right, not nobody or apache.
mod_ruid2 is similar to mod_suid2, but has better performance than mod_suid2 because it
doesn`t need to kill httpd children after one request. It makes use of kernel capabilites
and after receiving a new request suids again. If you want to run apache modules, i.e.
WebDAV, PHP, and so on under user's right, this module is useful.



To Install:

yum iinstall mod_ruid2


Top
 Profile  
 
 Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Unread postPosted: Sat Nov 27, 2010 5:08 am 
Offline
Forum Regular
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 865
Location: Germany
Thanks Scott. Sounds interesting. Compared to mod_fcgid it's supposed to be faster and less memory consuming.
And finally I could get rid of the Plesk dependant old fcgid versions.
Are there other benefits except DSO which is great?
What about PHP Opt Caches? How does it work with them?

I have found a useful addition for Plesk environments.
http://forum.parallels.com/showthread.php?t=106297

I bet ASL is not vulnerable to the security issue which is mentioned in the readme.


Top
 Profile  
 
 Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Unread postPosted: Sat Nov 27, 2010 11:18 am 
Offline
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7964
Location: earth
Great questions, the opcache one especially. Right now, I don't know since I havent tested that yet.

My thoughts are to modify the code to use the same SuexecUserGroup setting from httpd.include to make this completely automatic. This would enable it globally across all domains without requiring any config changes. Of course this would also mean that you couldn't disable it per domain. I'd love to hear everyones feedback on that idea.

If indeed the opcache does require special settings per vhost then the above idea probably wouldn't be as important.


Top
 Profile  
 
 Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Unread postPosted: Sat Nov 27, 2010 1:52 pm 
Offline
Forum Regular
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 780
Location: Sweden
I'd love if it would be automatic for all domains.


Top
 Profile  
 
 Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Unread postPosted: Sat Nov 27, 2010 2:02 pm 
Offline
Forum Regular
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 865
Location: Germany
I'm not sure. What if some vhost needs to be run as cgi for some reason? I don't know if this case can happen at all? If not, great.
If so, then this would not be the best solution. More flexibility is always good.
Besides that there are the opcache questions.

On the other hand it's nice, easy and secure.
What about vhost custom php settings? Are all settings possible or are there also limitations like in fcgid?

I would really like to replace mod_fcgid, if mod_ruid2 handles opcaches in a good manner and I can set all php settings vhost based.


Top
 Profile  
 
 Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Unread postPosted: Sun Nov 28, 2010 12:48 pm 
Offline
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7964
Location: earth
Doesnt look like changes are necessary, if you use just this setting in your config:
RMode stat

All code will be invoked as the directory/script owner. Directory ownership appears to take preference over script ownership. Note you can also force the setting with:
RMode config

followed by the UID and GID you want the script to run on. This can further be refined to specify the UID on a per directory or even per script basis.

On eaccelerator, yes it will work. I just had to make /var/cache/php-eaccelerator 0755. The files it creates are only readable/writable by the domain user:
887357 8 -rw------- 1 testguy psacln 4324 May 15 14:19 /var/cache/php-eaccelerator/0/0/eaccelerator-001cd07b4307e30ca437d6111c8a014b


Top
 Profile  
 
 Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Unread postPosted: Sun Nov 28, 2010 1:08 pm 
Offline
Forum Regular
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 865
Location: Germany
Thanks. But how do you tell the plesk vhosts to use mod_ruid2 and override e.g. the Plesk setting FastCGI/CGI or Apache?
via vhost.conf? And how do I set all php settings in that case? With Fcgid I cant set "php_value memory_limit 64M" in vhost.conf. It just gets ignored like some other settings too.
That's why I used a wrapper file and vhost based php.ini files.
Would there be such limitation as well?

"RMode stat" is the default configuration so you don't need to catch SuexecUserGroup?

Great that it runs with eaccelerator.
And thanks for the this new tool that is seems to be the best replacement for mod_fcgid.
ASL is not vulnerable to the security issue which is mentioned in the readme, right?


Top
 Profile  
 
 Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Unread postPosted: Sun Nov 28, 2010 1:18 pm 
Offline
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7964
Location: earth
You dont need to tell plesk anything in order to use it, all you need to do is install it and play around with the RMode settings. If you set RMode config in ruid2.conf then its going to be global. I set it in a specific vhost.conf on my tests, the next test will be with its chroot capabilities.

For per-vhost settings of php the same vhost.conf rules apply that always have. php_admin_value, open_basedir, etc.


Top
 Profile  
 
 Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Unread postPosted: Sun Dec 19, 2010 5:00 am 
Offline
Forum Regular
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 865
Location: Germany
HI Scott,

it seems I'm too stupid to get mod_ruid2 running. I have installed mod_ruid2.
It installed fine and apache logs show that it's enabled.

1. /etc/httpd/conf.d/ruid2.conf is emtpy like you said

2. DomainX.tld is set to "run as apache module" under Plesk (even if it's not necessary)

3. Created vhost.conf for DomainX.tld and ran
/usr/local/psa/admin/sbin/websrvmng --reconfigure-vhost --vhost-name=DomainX.tld
It gets included fine in httpd.conf

4.Now I have set this into the vhost.conf
Code:
<Directory /var/www/vhosts/DomainX.tld/httpdocs>
   RMode config
   RUidGid domainuser psacln
   RGroups apache psaserv
</Directory>


But I don't see any httpd processes running with that user, or shouldnt there be any?
I get permission errors like this one: ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20101219/20101219-0944 (Permission denied) [hostname "www.DomainX.tld"] [uri "/error_docs/forbidden.html"] [unique_id "ap7u2tTj-O4AACwni50AAAAE"]. The files are not created.
And of course the site does not load (Joomla-1.5).

What do I have to do?
Thanks a lot


Top
 Profile  
 
 Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Unread postPosted: Sun Dec 19, 2010 12:11 pm 
Offline
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7964
Location: earth
It wont run as the user in an identifiable process, but it will invoke as that user. The latter message proves it, since that UID cant write to the audit directory.


Top
 Profile  
 
 Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Unread postPosted: Sun Dec 19, 2010 1:22 pm 
Offline
Forum Regular
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 865
Location: Germany
Thanks. Yes it proves that it's running in some sort of a way.
Still I can't get it going. I spent the hole day to understand it, but nothing works correctly.
mod_ruid2 looks so promising...it seems simple...but I can verfiy the correct running and its not doing the job it should.

I would really appreciate if you could post the exact config you set in ruid2.conf and vhost.conf for a domain that is running Joomla under Plesk 9.5.
In my vhosts httpdocs all directories are set to domainuser:psacln 0755, all files are set to domainuser:pscaln 0644.
BUT...nothing is writeable for Joomla. Only if I set everything to 0777.

Do you got it running with Joomla with writeable files and dirs under Plesk? If so, I would really appreciate the correct settings.

Thanks a lot.


Top
 Profile  
 
 Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Unread postPosted: Sun Dec 19, 2010 2:25 pm 
Offline
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7964
Location: earth
No I never tried joomla. Just a simple php app that touched a file to check the ownership.


Top
 Profile  
 
 Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Unread postPosted: Mon Dec 20, 2010 5:06 am 
Offline
Forum Regular
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 865
Location: Germany
HI Scott,

I got one step further. I don't know exactly why this happens but I bet you do. Here is the story ;)

I installed mod_ruid2 via yum from atomic repo. mod_ruid2 did not work as expected. Files and diretories where not writable by Joomla e.g.

I installed mod_ruid2 source from atomic and wanted to compile again on my testserver.
And there the fun began :)
I had to "patch" the file /usr/include/sys/capability.h
with this patch http://kyle.fedorapeople.org/libcap-sanitized-for-userspace.diff
found at: https://bugzilla.redhat.com/show_bug.cgi?id=483548
After that I could compile from atomic source, but mod_ruid2 still did not work correctly with the same error.

So I did a manual installation by getting the source from sourceforge. This also only worked with the patched capability.h file.
Untar it and than ran:
Code:
apxs -a -i -l cap -c mod_ruid2.c

After that I added this in httpd.conf
Code:
<IfModule mod_ruid2.c>
  RMode config
  RUidGid apache apache
  RGroups apache psaserv
  RMinUidGid apache apache
</IfModule>


and added this in vhost.conf
Code:
<IfModule mod_ruid2.c>
    RMode config
    RUidGid domain-ftp-user psacln
    RGroups psacln
</IfModule>   


And now it's working. Only the manual installation leads to a phpinfo with loaded module mod_ruid2.
So the difference the module is loaded maybe?
And I'm not sure what the patch is causing/braking besides it's working now (that's going to deep for me :) explanation welcome - like to learn).
On my test I use ASL latest kernel, kernel-firmware and kernel-headers.
Maybe you can spread some light why it's only working that way. Best would be to get the changes into a new rpm.
Thanks a lot.


Top
 Profile  
 
 Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Unread postPosted: Mon Dec 20, 2010 10:28 am 
Offline
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7964
Location: earth
This might just be a 64-bit issue in that case. I'm loath to maintain an update to libcap for this (although it doesnt look like it changes often), but if thats what it takes thats what it takes.


Top
 Profile  
 
 Post subject: Re: [atomic] mod_ruid2 0.9.1-1
Unread postPosted: Mon Dec 20, 2010 10:53 am 
Offline
Forum Regular
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 865
Location: Germany
Can the capability.h be changed back after compiling or does it have to stay "patched" for correct working?
Of course for correct working of others things as well?

Thanks


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 83 posts ]  Go to page 1, 2, 3, 4, 5, 6  Next

» Feed - Atomicorp

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group