Is mod_ruid2 secure?

Francesco V.

Active member
I'm trying to read as much information as I can about it, although I'm not a sys-admin guy.

It seems that the not-secure part is related to the DSO PHP handler that works in combo with mod_ruid2, and not to mod_ruid2 itself.

What is your opinion on this topic? Is mod_ruid2 safe on a VPS where I have some personal sites and webspace for one of my friends? I'm not a reseller or anything else.
 
mod_ruid2 is an Apache extension that allows requests to a domain to run as the owner of that domain, instead of the Apache user. It is similar to suEXEC and suPHP, but applies to all HTTP requests (except those to Java servlets or JSPs).

So in that aspect it's as safe as the users you assign it to the VPS and the security you use... But it will limit what you can use. It's not compatible with most cache options, i.e. memcache, file cache, etc. So what you get is basically what you have out of it.
 
I read that one of the advantages of mod_ruid2 was just that you can use caching while keeping the advantage of suPHP, running the web server process as an account user and not as the Apache user. The main issue is that if someone exploits the Apache process, they can take advantage of mod_ruid2's main feature: you can switch from a normal user back to the root user.
 
I've been running mod_ruid2 for over 12 months now.
It works with APC/Xcache/Memcache fine.
 
The user is new and is using cPanel (if I recall). They claim it doesn't work (cPanel).

Personally, I have not used mod_ruid2 to my knowledge, so I did some research.

Incompatibilities
http://docs.cpanel.net/twiki/bin/view/EasyApache3/ModRuid2
  • Cache
  • Disk Cache
  • Memcache
  • MPM Worker
  • MPM Event
  • MPM Leader
  • MPM Perchild
  • MPM Threadpool
  • Mono
  • FastCGI
^ See highlighted points of interest.

It's all possible that someone needs to update their website.
 
I'm using cPanel as well, and have had it working with all 3.
 
As I'm not currently using cPanel and don't have any history with using mod_ruid2 (that I can recall), I'll defer to your experience on it, but would suggest the OP do more research and inquire with cPanel themselves.
 
That's a good course of action for the OP to take. Like I said, I've been running it for over 12 months now on both PHP 5.3 and PHP 5.4, and it's worked fine with both Xcache/APC and Memcache/Libmemcached.

For the OP, if they are your sites and a single site for your friend, you would probably be OK running straight DSO if you know what type of site they are going to be using your hosting for.

I only use it because I also host a couple of sites for friends (a couple use WordPress); otherwise, I'd be running nginx myself.
 
Matt,

When you switched on ruid2, did you change (-R) the owner:group and permissions of the attachment and avatar folders?
I just migrated an account on the VPS where I activated ruid2 and I see that those folders belong to nobody:nobody with 777 :confused:

Did you chown to user:user and chmod to 771 or 775?
 
I didn't have to, as when I originally set the VPS up, it was running suPHP, so all folders were already 755.

I have mine with the folders and files owned by the account owner, with the folders to be 755 and files 644
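
The ownership and mode check discussed in the last two posts, as an added example that is not part of the original thread: it reports entries that are not owned by the account user, are world-writable, or differ from the 755/644 layout given in the last reply. The function names and the sample account path are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit an account's web root for the state described in the
# thread (nobody:nobody, mode 777) against the layout given in the last reply
# (owned by the account user, directories 755, files 644).
# Function names and the sample path in the usage line are hypothetical.

# audit_docroot ROOT OWNER
# Prints one finding per line as "<REASON> <path>"; prints nothing when clean.
audit_docroot() {
    local root=$1 owner=$2
    # Anything not owned by the account user, e.g. left as "nobody" after a
    # migration from a setup where the Apache user created the files.
    find "$root" \( -type d -o -type f \) ! -user "$owner" -print |
        sed 's/^/WRONG_OWNER /'
    # World-writable entries: any local user, including another site's
    # account, can modify them.
    find "$root" \( -type d -o -type f \) -perm -0002 -print |
        sed 's/^/WORLD_WRITABLE /'
    # Directories and files whose mode differs from 755 / 644.
    find "$root" -type d ! -perm 755 -print | sed 's/^/DIR_NOT_755 /'
    find "$root" -type f ! -perm 644 -print | sed 's/^/FILE_NOT_644 /'
}

# fix_modes ROOT
# Resets modes only. Ownership is changed separately, as root, with:
#   chown -R user:user ROOT
fix_modes() {
    local root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Usage (hypothetical account "alice"):
#   audit_docroot /home/alice/public_html alice
```

Run the audit before and after `fix_modes`; any remaining `WRONG_OWNER` lines still need the `chown` step.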
 