mod_ruid2 allows the web server process, httpd, to run as a different user when accessing different websites on the same server. Why is this important? By default, the web server runs as the user apache, and every site's files are owned by the user apache. If there's a vulnerability in one component of one web site that gives an attacker access to the server's file system, that attacker can read and write any file owned by apache, which means every site on the box. And that's all she wrote.
When using mod_ruid2, each host on the server is owned by a different user account, so any file system access gained through one site is limited to that site's own files. It's a way to limit the damage.
Anyhow, I ran into a problem. Some of my sites use session cookies. I was getting strange errors on those sites that I tracked to problems related to session cookies. On CentOS 7, session cookies are stored as files in /var/lib/php/session. That directory has permissions of 770 for the user/group root:apache. The new users assigned to the httpd process by mod_ruid2 are not able to access this directory. The solution was to create a new group, webruid, and add each user that is used as a mod_ruid2 user to that group.
Before:
    ll -d /var/lib/php/session
    drwxrwx--- 2 root apache
After:
    ll -d /var/lib/php/session
    drwxrwx--- 2 root webruid
After making those changes, I stopped the httpd process, deleted all saved session cookies and restarted httpd.
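To make the group check and the fix above concrete, here is an added shell example; it is not from the original post. It assumes the CentOS 7 layout described in the post (session files under /var/lib/php/session, httpd managed by systemctl, GNU stat and id), takes the group name webruid from the post, uses placeholder site users that you substitute with your own mod_ruid2 users, and assumes PHP's default sess_* naming for session files. The check functions are safe to run as any user; apply_fix changes groups and restarts httpd, so it refuses to run unless it is root.

```shell
#!/bin/bash
# Added example, not code from the original post. Verifies that each
# mod_ruid2 user can reach the PHP session directory, and (as root) applies
# the post's fix: a shared group, added to each site user, made the group
# owner of the directory. Directory and group names are taken from the post;
# the site user names passed to apply_fix are placeholders you supply.

SESSION_DIR="${SESSION_DIR:-/var/lib/php/session}"
RUID_GROUP="${RUID_GROUP:-webruid}"

# Pure helper: succeed if WANT appears among the group names that follow it.
in_group() {
    want="$1"; shift
    for g in "$@"; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# Succeed if USER belongs to GROUP (primary or supplementary).
# id -Gn prints every group the user is in, so a missing user yields no
# groups and the check fails.
user_in_group() {
    user="$1"; group="$2"
    in_group "$group" $(id -Gn "$user" 2>/dev/null)
}

# Report which of the given users cannot reach DIR through its group.
# A mode-770 directory such as /var/lib/php/session is only reachable by
# its owner or by members of its group, which is exactly the post's problem.
# Returns 1 if any user is locked out, 0 if all of them can get in.
check_users() {
    dir="$1"; shift
    dir_group=$(stat -c '%G' "$dir") || return 2
    missing=0
    for u in "$@"; do
        if user_in_group "$u" "$dir_group"; then
            echo "ok      $u is in group $dir_group"
        else
            echo "DENIED  $u is not in group $dir_group (cannot use $dir)"
            missing=1
        fi
    done
    return "$missing"
}

# Apply the fix from the post. Must run as root. Arguments: the mod_ruid2
# site users, e.g. apply_fix site1 site2 site3 (placeholder names).
apply_fix() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_fix must run as root" >&2; return 1; }
    # Create the shared group once, then add each site user to it.
    getent group "$RUID_GROUP" >/dev/null || groupadd "$RUID_GROUP"
    for u in "$@"; do
        user_in_group "$u" "$RUID_GROUP" || usermod -aG "$RUID_GROUP" "$u"
    done
    # Keep root as owner and 770 as mode; only the group changes, as in the post.
    chgrp "$RUID_GROUP" "$SESSION_DIR"
    chmod 770 "$SESSION_DIR"
    # The post's restart sequence: stop httpd, drop the saved session files,
    # start httpd again so every worker picks up the new group membership.
    systemctl stop httpd
    find "$SESSION_DIR" -type f -name 'sess_*' -delete
    systemctl start httpd
    check_users "$SESSION_DIR" "$@"
}
```

Run check_users /var/lib/php/session site1 site2 first (as any user) to see which mod_ruid2 users are locked out, then apply_fix site1 site2 as root; the final check_users call inside apply_fix confirms the result. Note that a user's new group membership only takes effect in processes started after the usermod, which is why the post stops and restarts httpd rather than reloading it.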