mod ruid for apache

Another post about the setup of hostshuis.nl’s servers. This time not about the virtualisation iam using at the server, but about something complete else. A (pretty simple) apache module, but a very nice one (at least, thats my opinion :)). Normally, with a default non modified apache setup, the webserver runs under the www-data or nobody user (Depending on how the initial setup is done ofcourse). When using the server for just 1 site, with just 1 user this is no problem at all. It will not cause much issues in that kind of setup. However, at the hosthuis server there is more as 1 site, with more as 1 user. So using www-data or nobody as user for all users can cause some issues. Not only that its possible in certian cases that users can view others users files, but written files with php are owned by this user. This means the FTP user (What runs under the users own name) cant read the file, nor it cant backup the files. Not something you really want.

A lot of hosts think they found a great solution for this, called su_php. However, su_php has some very large disadvantages. Firstly, it requires to run php in CGI mode. This means you can’t use .htaccess files anymore to change php configuration. In a lot cases not something thats a problem, however, hosthuis provides quality hosting, without any weird limits. We require for ourselfs that our customers can change such things themself, as service. However, another large problem with su_php is the performance. su_php performs very bad, and uses a lot of CPU.
Maybe some hosts have enough CPU power (And we actually have as well), but this doesn’t mean we just need to use this CPU power. So the su_php option was not really an option for us, after looking at it.

Another option instead of su_php is mod_ruid for apache2. mod_ruid has none of the above disadvantages, it doesnt require to run php as CGI, you can still modify php values with .htaccess, and it performs pretty good. So, sounds good? There are still some problems. The standard version does have a few bugs, that cause the first request to be served as root instead of the own local user. Not really a good idea, isnt it? However, thats a pretty easy fix. But there are still some issues. In some cases its possible that users still can get root access, likee with the posix php extension. So, unless you have disabled these (And some more things, but iam not going to talk now about that), you should not use it, and make sure you know what you are doing. But once you have it working, its a very nice thing.

Leave a Reply

Your email address will not be published. Required fields are marked *