Changing of the Guard: NAS!


After 12 years of faithful service, through 3 power supplies and several disks, I have officially retired my “basement server”, mooch.  Mooch was a Pentium-4 machine running CentOS 6, used to back up stuff from my real servers as well as stuff from my desktop, and to provide a common file sharing point for systems in the house.

Enter the NAS

That system has been replaced by a five-year-old Dell, upgraded to 8 GB of memory and a pair of 4TB drives, running the NAS (Network Attached Storage) system FreeNAS.  The total cost of this transformation from an old Windows desktop to a shiny storage engine was $200 for two 4TB Seagate drives, $35 for the additional memory, and $15 to replace a failing 100 Mbps switch with a new gigabit model.  The FreeNAS software is free.

Using FreeNAS, I’m still providing a central git repository, server backup, and in-house file sharing.  FreeNAS also supports Apple’s AFP protocol, so it’s acting as a network attached Time Machine for backing up the Macs.  In addition, FreeNAS supports some nice plugins including the Plex media server, so I’m now able to play all my videos and music through the Plex app on our Roku boxes.

Was it hard to set up?  Not really. The second time I did it, it took maybe an hour to get the OS loaded, disks mirrored, storage containers defined, and all the other little things configured.  I kicked off the tasks to transfer data to it before going to bed and by mid-afternoon the next day, about 500GB of stuff had been transferred.

That was fun… now on to the next project, either a gitlab server or replacing the toilet in the upstairs bathroom.

CentOS, mod_ruid2, and PHP sessions


I ran into a small problem after installing mod_ruid2 on my CentOS 7 development server.

mod_ruid2 is an Apache module that lets the web server process, httpd, switch to a different user and group for each website it serves on the same server. Why is this important? By default the web server runs as the user apache, and every site's files are owned by (or at least readable by) that one user.  If there's a vulnerability in one component of one web site that gives an attacker access to the server's file system, that attacker has the same access as apache, which means every file of every site on the box.  And that's all she wrote.

When using mod_ruid2, each host on the server runs as, and has its files owned by, a different user account, so any file system access gained through one site is limited to just that site.  It's a way to limit the damage.

Anyhow, I ran into a problem. Some of my sites use PHP sessions. I was getting strange errors on those sites that I tracked down to session handling.  On CentOS 7, PHP stores session data as files in /var/lib/php/session; the session cookie itself only carries the ID that names the file.  That directory has permissions of 770 and is owned by root:apache, so the new users that mod_ruid2 assigns to the httpd process are not able to read or write it.  The solution was to create a new group, webruid, add each user that mod_ruid2 switches to into that group, and make webruid the group owner of the directory.

Before:
ll -d /var/lib/php/session
drwxrwx--- 2 root apache

After:
ll -d /var/lib/php/session
drwxrwx--- 2 root webruid

After making those changes, I stopped the httpd process, deleted all the saved session files (they were still owned by apache and would have been unreadable by the new users anyway), and restarted httpd.
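Here is the same fix as a script, as an added example that is not from the original post. It assumes GNU coreutils (for stat), systemd (for systemctl), that the per-vhost users are named in mod_ruid2's RUidGid directive under /etc/httpd/conf.d, and the group name webruid from the post; the "site1"/"site2" names in the comments are placeholders. The check function is the part worth keeping around: it answers the only question that matters for a 770 directory, namely whether a given user is the owner or a member of its group.

```sh
#!/bin/sh
# Added example (not from the post): grant mod_ruid2 site users access to
# the PHP session directory through a shared group, then verify the result.
# Assumptions: GNU stat, systemctl, RUidGid directives in /etc/httpd/conf.d,
# group name "webruid" (from the post). Run as root to apply.

SESSION_DIR=${SESSION_DIR:-/var/lib/php/session}
RUID_GROUP=${RUID_GROUP:-webruid}

# Return 0 if USER owns DIR or belongs to DIR's group, 1 otherwise, 2 on error.
# For a mode-770 directory this is exactly the access test that a
# mod_ruid2 user must pass, or PHP fails with "Permission denied".
user_can_use_session_dir() {
  dir=$1; user=$2
  owner=$(stat -c %U "$dir" 2>/dev/null) || return 2
  group=$(stat -c %G "$dir" 2>/dev/null) || return 2
  [ "$owner" = "$user" ] && return 0
  for g in $(id -nG "$user" 2>/dev/null); do
    [ "$g" = "$group" ] && return 0
  done
  return 1
}

# List the users httpd will switch to: the first argument of every
# "RUidGid user group" directive found under the given config directory.
ruid_users() {
  grep -rhE '^[[:space:]]*RUidGid[[:space:]]+' "$1" 2>/dev/null \
    | awk '{print $2}' | sort -u
}

# Root only. Create the group, enrol every RUidGid user, re-own the session
# directory, drop stale session files, restart httpd, then re-check access.
apply_fix() {
  conf_dir=${1:-/etc/httpd/conf.d}
  getent group "$RUID_GROUP" >/dev/null || groupadd "$RUID_GROUP"
  for u in $(ruid_users "$conf_dir"); do
    usermod -a -G "$RUID_GROUP" "$u"
  done
  systemctl stop httpd
  chgrp "$RUID_GROUP" "$SESSION_DIR"
  chmod 770 "$SESSION_DIR"
  # Old files are owned by apache (mode 0600) and unreadable by the new users.
  find "$SESSION_DIR" -maxdepth 1 -type f -name 'sess_*' -delete
  systemctl start httpd
  for u in $(ruid_users "$conf_dir"); do
    user_can_use_session_dir "$SESSION_DIR" "$u" \
      || echo "WARNING: $u still cannot use $SESSION_DIR" >&2
  done
}

# Usage (as root):  sh fix-session-group.sh apply [/etc/httpd/conf.d]
if [ "${1:-}" = "apply" ]; then
  apply_fix "${2:-}"
fi
```

One caveat a practitioner would want: the session files PHP creates are mode 0600 and owned by whichever site user created them, so sites cannot read each other's sessions, but the directory is group-writable without a sticky bit, so any site user can delete or rename another site's session files. Setting a per-vhost session.save_path (for example with php_value in each VirtualHost) is the stricter option if the sites are not equally trusted.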