CentOS, mod_ruid2, and PHP sessions


I ran into a small problem after installing mod_ruid2 on my CentOS 7 development server.

mod_ruid2 allows the web server process, httpd, to run as a different user when accessing different websites on the same server. Why is this important? By default, the web server runs as the user apache and all files are owned by the user apache. If there’s a vulnerability in one component of a web site that gives an attacker access to the server’s file system, the attacker has access to any and all files owned by apache. And that’s all she wrote.

When using mod_ruid2, each host on the server is owned by a different user account, so any file system access is limited to just that site. It’s a way to limit the damage.

Anyhow, I ran into a problem. Some of my sites use session cookies. I was getting strange errors on those sites that I tracked to problems related to session cookies. On CentOS 7, session data is stored in files under /var/lib/php/session. That directory has permissions of 770 for the user/group root:apache. The new users assigned to the httpd process by mod_ruid2 are not able to access this directory. The solution was to create a new group, webruid, and add each user that is used as a mod_ruid2 user to that group.

Before:
ll -d /var/lib/php/session
drwxrwx--- 2 root apache

After:
ll -d /var/lib/php/session
drwxrwx--- 2 root webruid

After making those changes, I stopped the httpd process, deleted all saved session cookies and restarted httpd.
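An added check, written for this post in Python rather than taken from it, that models the permission problem above: it pulls the users out of the RUidGid directives of a constructed vhost config, tests whether each one can read, write and traverse a 770 root:apache session directory, and lists the groupadd/usermod/chgrp commands the fix amounts to. The site names and the group membership tables are constructed, not from any real server.

```python
import re

# Constructed sample of per-site mod_ruid2 directives (hypothetical names);
# on a real server these sit in each site's VirtualHost block.
VHOST_CONF = """
<VirtualHost *:80>
    ServerName site1.example.test
    RUidGid site1 site1
</VirtualHost>
<VirtualHost *:80>
    ServerName site2.example.test
    RUidGid site2 site2
</VirtualHost>
"""

# Constructed supplementary group membership (what /etc/group would show)
# before and after creating webruid and adding the RUidGid users to it.
GROUPS_BEFORE = {"apache": {"apache"}}
GROUPS_AFTER = {"apache": {"apache"}, "webruid": {"site1", "site2"}}

def ruid_identities(conf):
    """Return {user: primary_group} for every RUidGid directive in conf."""
    return dict(re.findall(r"^\s*RUidGid\s+(\S+)\s+(\S+)", conf, re.M))

def has_rwx(user, user_groups, owner, group, mode):
    """Unix permission check: owner bits, else group bits, else other bits."""
    if user == owner:
        bits = (mode >> 6) & 0o7
    elif group in user_groups:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits == 0o7

def users_denied(conf, groups, owner, group, mode):
    """RUidGid users that cannot read, write and traverse the session dir."""
    denied = []
    for user, primary in sorted(ruid_identities(conf).items()):
        member_of = {primary} | {g for g, m in groups.items() if user in m}
        if not has_rwx(user, member_of, owner, group, mode):
            denied.append(user)
    return denied

def fix_commands(conf, group="webruid", session_dir="/var/lib/php/session"):
    """The fix from the post as commands: new group, add each user, chgrp."""
    cmds = [f"groupadd {group}"]
    cmds += [f"usermod -aG {group} {u}" for u in sorted(ruid_identities(conf))]
    cmds.append(f"chgrp {group} {session_dir}")
    return cmds
```

Run users_denied with the "before" table and the root:apache ownership to see both site users refused, then with the "after" table and root:webruid to see the list come back empty.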

5 Replies to “CentOS, mod_ruid2, and PHP sessions”

  1. Instead of messing around with multiple user groups, I used /tmp which is usually the target for that stuff.

    cd /var/lib/php
    rm -rf sessions
    ln -s /tmp sessions   # symlink sessions to /tmp

    Now all tmp sess make it to /tmp without needing to fudge in every user.
