Apache Module: Ruid2

Overview

mod_ruid2 is an Apache module that allows all HTTP requests to a domain to run as the owner of that domain instead of as the Apache user. mod_ruid2 does not apply to HTTP requests to Java servlets or JSPs. This module is an alternative to suEXEC.

cPanel documentation

Profile

Name mod_ruid2 (Base Module)
Profile Ruid2
Reverse Boolean? No

Updating to mod_ruid2 0.9.8

By default, no version of mod_ruid2 allows the Apache process to inherit the supplemental groups of the parent Apache process. mod_ruid2 version 0.9.8 allows you to enable supplemental group inheritance. If you wish to enable this feature, you must create a custom virtual host template with RGroupInherit set to on.

Warning: We do not recommend that you enable supplemental group inheritance, as it poses security risks.

Compatibility

mod_ruid2 introduces a complex security model. For this reason, we disallow certain Apache and PHP modules that we believe may introduce vulnerabilities when used with mod_ruid2. If you enable mod_ruid2, EasyApache will automatically disable the following configuration options:

| Option | Module Identifier | Description |
| --- | --- | --- |
| Cache | cache_module | This module caches content that is keyed to URIs. Local and proxy content can be cached. mod_ruid2 causes problems with the ownership of cache lock files. It may be possible to patch the cache modules or mod_ruid2 to solve the issue, but the patch may introduce security vulnerabilities. |
| Disk Cache | disk_cache_module | This module caches content that is keyed to URIs. This module uses disk-based storage management and is usually used with cache_module. mod_ruid2 causes problems with the ownership of cache lock files. It may be possible to patch the cache modules or mod_ruid2 to solve the issue, but the patch may introduce security vulnerabilities. |
| FastCGI | mod_fcgi | This module is a language-agnostic extension of CGI that allows Apache to serve PHP faster. When you use FastCGI, requests are processed by a separate and persistent process. mod_ruid2 cannot force the processes to change UID or GID based on the domain. If you use FastCGI and enable mod_ruid2, EasyApache will change your PHP handler to suPHP. |
| MemCache | mod_mem_cache | This module caches content that is keyed to URIs. This module requires the cache_module and provides a memory-based storage management system. mod_ruid2 causes problems with the ownership of cache lock files. It may be possible to patch the cache modules or mod_ruid2 to solve the issue; however, the patch may introduce security vulnerabilities. |
| Mod_Security | mod_security | mod_ruid2 is not compatible with mod_security. |
| MPM Worker | mpm_worker_module | This is a multi-processing module that allows Apache to serve additional requests by off-loading processing work to supporting threads. Thread-based MPMs will not work with mod_ruid2, because they alter the UID and GID at the process level. |
| MPM Event | mpm_event_module | This module is a variant of the worker MPM that allows Apache to serve additional requests by off-loading processing work to supporting threads. Thread-based MPMs will not work with mod_ruid2, because they alter the UID and GID at the process level. |
| Mono | mod_mono | This module provides ASP.NET support for Apache 2.0 and 2.2. This applies to .NET 1.x and 2.x. Enabling mod_ruid2 prevents mod_mono from building. We may look into this further if there is sufficient demand. |
| Tomcat | mod_jk | The Apache Tomcat Connectors (mod_jk) allow Apache to communicate with Tomcat. There are compatibility issues between mod_jk and mod_ruid2 which cause Tomcat to fail. |
| UserDir | mod_userdir | The mod_userdir module allows visitors to access a site on your server using the http://example.com/~account syntax. This method of accessing websites causes a conflict with mod_ruid2. |
| POSIX PHP extension | | The POSIX PHP extension will be disabled for security reasons. |

Notes

  • mod_ruid2 uses a feature of POSIX.1e that is available on all Linux systems supported by cPanel.
  • In most instances, when mod_ruid2 is installed you will want to replace suPHP as your PHP handler. Many administrators prefer to use DSO as the PHP handler whenever mod_ruid2 is enabled.
  • If you enable mod_ruid2, you will be unable to install the dio and eio PHP extensions for security reasons.
    • cPanel & WHM version 11.36 and later — If you already have the dio and eio PHP extensions installed and then you install mod_ruid2, dio and eio will be uninstalled.
    • cPanel & WHM version 11.34 and earlier — If you already have the dio and eio PHP extensions installed and then you install mod_ruid2, dio and eio will be commented out from php.ini.

  • Some users have encountered problems with mod_ruid2 while using mutual exclusion. Lines similar to the following will appear in the Apache error logfile (/usr/local/apache/logs/error_log):
    [Wed Sep 12 20:21:50 2012] [emerg] (13)Permission denied: couldn't grab the accept mutex
    [Wed Sep 12 20:21:51 2012] [alert] Child 27585 returned a Fatal error... Apache is exiting!
    [Wed Sep 12 20:21:51 2012] [emerg] (43)Identifier removed: couldn't grab the accept mutex
    [Wed Sep 12 20:21:51 2012] [emerg] (22)Invalid argument: couldn't release the accept mutex
    [Wed Sep 12 20:22:25 2012] [emerg] (22)Invalid argument: couldn't grab the accept mutex
    To resolve this issue, add the following line to /usr/local/apache/conf/mod_ruid2.conf:
    AcceptMutex posixsem
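
A triage script for the accept-mutex note above, added here as an example and not part of the cPanel documentation: it counts the mutex failures in an error log, lists their errno codes, and checks whether the config file has an active AcceptMutex posixsem line. The function names are hypothetical, the demo log is the excerpt from this page, and the demo config content is constructed.

```shell
#!/bin/sh
# Added example (hypothetical function names): triage the accept-mutex failure.

# Print how many error_log lines report an accept mutex grab/release failure.
count_mutex_errors() {
    grep -Ec "\[emerg\] \([0-9]+\)[^:]*: couldn't (grab|release) the accept mutex" "$1" || true
}

# Print the distinct errno codes seen in those lines, e.g. "13 22 43".
mutex_errnos() {
    sed -nE "s/.*\[emerg\] \(([0-9]+)\)[^:]*: couldn't (grab|release) the accept mutex.*/\1/p" "$1" |
        sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Succeed only if the file holds an active (uncommented) AcceptMutex posixsem.
has_posixsem() {
    grep -Eiq '^[[:space:]]*AcceptMutex[[:space:]]+posixsem[[:space:]]*$' "$1" 2>/dev/null
}

# Combine both checks into a one-line verdict.
diagnose() {
    log=$1 conf=$2
    [ -r "$log" ] || { echo "ERROR: cannot read $log"; return 2; }
    n=$(count_mutex_errors "$log")
    if [ "$n" -eq 0 ]; then
        echo "OK: no accept mutex errors in $log"
    elif has_posixsem "$conf"; then
        echo "PRESENT: $n errors (errno $(mutex_errnos "$log")); directive set, compare timestamps with last restart"
    else
        echo "ACTION: $n errors (errno $(mutex_errnos "$log")); add 'AcceptMutex posixsem' to $conf"
    fi
}

# Demo: log excerpt copied from this page; the conf content is constructed.
demo_dir=$(mktemp -d)
cat > "$demo_dir/error_log" <<'EOF'
[Wed Sep 12 20:21:50 2012] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Wed Sep 12 20:21:51 2012] [alert] Child 27585 returned a Fatal error... Apache is exiting!
[Wed Sep 12 20:21:51 2012] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Wed Sep 12 20:21:51 2012] [emerg] (22)Invalid argument: couldn't release the accept mutex
[Wed Sep 12 20:22:25 2012] [emerg] (22)Invalid argument: couldn't grab the accept mutex
EOF
printf '# AcceptMutex posixsem\n' > "$demo_dir/mod_ruid2.conf"
diagnose "$demo_dir/error_log" "$demo_dir/mod_ruid2.conf"
```

On a live server, pass the two paths named in the note: /usr/local/apache/logs/error_log and /usr/local/apache/conf/mod_ruid2.conf. A commented-out directive, as in the demo config, is treated as absent.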

Vendor documentation

| Apache Version | Documentation |
| --- | --- |
| 2.4 | Docs |
| 2.2 | Docs |

History

Date EA Version Action Details

Topic revision: r9 - 11 Feb 2014 - 13:57:35 - Main.ShavaunTesareski