I ran into a small problem after installing mod_ruid2 on my CentOS 7 development server.
mod_ruid2 allows the web server process, httpd, to run as a different user when accessing different websites on the same server. Why is this important? By default, the web server runs as the user apache and all files are owned by the user apache. If there’s a vulnerability in one component of a web site that gives an attacker access to the server’s file system, the attacker has access to any and all files owned by apache. And that’s all she wrote.
When using mod_ruid2, each host on the server is owned by a different user account, so any file system access is limited to just that site. It’s a way to limit the damage.
Anyhow, I ran into a problem. Some of my sites use session cookies. I was getting strange errors on those sites that I tracked to problems related to session cookies. On CentOS 7, session cookies are stored as files in /var/lib/php/session. That directory has permissions of 770 for the user/group root:apache. The new users assigned to the httpd process by mod_ruid2 are not able to access this directory. The solution was to create a new group, webruid, and add each mod_ruid2 user to that group.
Before:
ll -d /var/lib/php/session
drwxrwx--- 2 root apache
After:
ll -d /var/lib/php/session
drwxrwx--- 2 root webruid
After making those changes, I stopped the httpd process, deleted all saved session cookies and restarted httpd.
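To make the permission problem concrete, here is an added Python model (not part of Steve's post) of the Unix access check httpd hits on /var/lib/php/session, run over the before/after `ll -d` lines quoted above; the vhost user names site1 and site2 are hypothetical.

```python
"""Model the owner/group/other permission check that decides whether a
mod_ruid2 vhost user can use the PHP session directory."""

SESSION_DIR = "/var/lib/php/session"


def parse_ls_mode(mode_str):
    """Convert a 10-char ls mode such as 'drwxrwx---' to an octal int.
    Lowercase s/t mean the x bit is also set; uppercase S/T mean it is not."""
    bits = 0
    for i, ch in enumerate(mode_str[1:10]):
        if ch not in "-ST":
            bits |= 1 << (8 - i)
    return bits


def dir_perms_for(user, user_groups, owner, group, mode):
    """Return the (r, w, x) triple that applies to `user`; `user_groups` is the
    set of the user's primary and supplementary groups."""
    if user == owner:
        shift = 6
    elif group in user_groups:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)


def can_use_session_dir(user, user_groups, ls_line):
    """PHP must create, read and unlink session files, so it needs w and x
    on the directory itself."""
    mode_str, _links, owner, group = ls_line.split()[:4]
    _r, w, x = dir_perms_for(user, user_groups, owner, group, parse_ls_mode(mode_str))
    return w and x


BEFORE = "drwxrwx--- 2 root apache"     # from the post
AFTER = "drwxrwx--- 2 root webruid"     # from the post
# Constructed: two hypothetical vhost users handed to httpd by mod_ruid2.
RUID_USERS = {"site1": {"site1"}, "site2": {"site2"}}


def audit(ls_line, users):
    """Map each vhost user to whether it can use the session directory."""
    return {u: can_use_session_dir(u, g, ls_line) for u, g in users.items()}


def add_to_group(users, group):
    """Simulate `usermod -aG <group> <user>` for every vhost user."""
    return {u: g | {group} for u, g in users.items()}


if __name__ == "__main__":
    print("before:", audit(BEFORE, RUID_USERS))
    print("after: ", audit(AFTER, add_to_group(RUID_USERS, "webruid")))
```

Adding the users to webruid without also changing the directory's group (or the reverse) still fails, which is what the before/after pair checks.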
Hi Steve,
I try to configure virtual hosts with mod_ruid2.
Can you share a configuration sample?
Thanks
Sure. See
https://gist.github.com/sterndata/e04931a1fc1853dd5a90
https://gist.github.com/sterndata/30855444d97a5e4f16e3
thank you very much!
Instead of messing around with multiple user groups, I used /tmp, which is usually the target for that stuff.
cd /var/lib/php
rm -rf session
ln -s /tmp session   # symlink session to /tmp
Now all session files make it to /tmp without needing to fudge in every user.
Typos: drop the -s from sessions, and remove the / from /sessions in the symlink. Oops.