#1 Sat, 01/16/2016 - 18:33
joe443

mod_ruid2

I did a site search for mod_ruid2 and got no hits. This is surprising, because mod_ruid2 is said to be a very useful Apache module that makes all accesses to a website, including HTML, PHP, and CGI, occur as the individual website owner.

Has anybody successfully used mod_ruid2 for web hosting using Virtualmin PRO (or Virtualmin GPL)?

Sat, 01/30/2016 - 01:19
joe443

I went ahead and did some tests with mod_ruid2. My experiments show that mod_ruid2 is not only very promising, but that among all the choices, it might be the best. With mod_ruid2 in place, you don't need any of the suexec-type programs. Everything just runs as the uid and gid of the virtual server owner, even PHP scripts executed by mod_php. So you get the efficiency of mod_php and zero overhead from suexec. And you can chmod each user's home directory to u=rwx,og= without blocking his websites from Apache.

In my CentOS 7 environment I installed mod_ruid2 from the EPEL repository, and then in Virtualmin GPL went to

System Settings : Server Templates : Default Settings : Apache website : Directives and settings for new websites

and added this to the end of the text block:

RMode       config
RUidGid     ${USER} ${USER}
RGroups     apache

This assumes that each user has a group that is identical to his username. This is the default in CentOS 7, and can be made the default on any other Linux-based OS.

Also, (1) near the end of httpd.conf and (2) just before the end of the default virtualhost in ssl.conf, I added these lines to set global defaults:

RMinUidGid   "#N" "#N"
RUidGid      "#M" "#M"
RGroups       apache

Here N and M stand for actual numbers that I picked. N is the lowest uid and gid that mod_ruid2 will ever allow. Usually it should be at least 1000. M is any unprivileged user/group not belonging to any other existing account.

I'm not sure that the "RGroups apache" directive is really needed. Securitywise, we might actually be better off not adding every user into the "apache" group. But I still have to test this.

Now, when I access this little file outside of any user's virtualhost:

<?php
// Owner of the script file itself, as seen by PHP (not the process owner).
echo "script owner = " . get_current_user() . "<br>\n";
// Effective and real uid of the Apache worker serving this request;
// under mod_ruid2 both should be the vhost's RUidGid user.
$euid = posix_geteuid();
$ruid = posix_getuid();
print "current euid = " . $euid . ", ruid = " . $ruid . "<br>\n";
// Same check for the effective and real gid.
$egid = posix_getegid();
$rgid = posix_getgid();
print "current egid = " . $egid . ", rgid = " . $rgid . "<br>\n";
// Map the effective uid back to an account name.
$processUser = posix_getpwuid($euid);
print "current user = " . $processUser['name'] . "<br>\n";
phpinfo();
?>

the values of euid and ruid show up as M, which means the script is running as uid and gid M. And within a user's virtualhost the uid and gid are that of the user.

I get analogous results when I run a little cgi-bin script:

#! /bin/sh
# Minimal CGI: emit the header and blank line, then the uid/gid the script runs as.
echo 'Content-Type: text/plain'
echo ''
id

One problem I faced was that Virtualmin always inserts suexec directives in each virtualhost. This causes an interaction between suexec and mod_ruid2 in which neither wins -- Apache simply won't serve that cgi-bin script, but instead, complains about "End of script output before headers".

Doing a search in Webmin's search box for "suexec" revealed help text that says that suexec can be controlled:

Automatically add appropriate SuExec directive? If selected, SuExec will be enabled for the virtual server. SuExec is a feature of Apache that allows CGI scripts to be executed with only the privileges of the owner of the directory where the script is located. It also introduces other protections to help prevent insecure script usage, such as refusing to run scripts that have lax permissions (for example, those that are group or world writeable). SuExec is highly recommended except for in environments where all domain owners are trusted users. SuExec does present some limitations, such as the inability to run scripts "in-process" using modules like mod_perl or mod_python. With modern hardware, performance is rarely a major concern in a shared hosting environment, and shouldn't take precedence over security.

But after quite a bit of searching I concluded there is no such menu item.

Most of the time, we users complain about menu items that have no help text. Complaining about help text for which I cannot find the menu item might be an industry first.

I manually commented out the suexec directives added by Virtualmin. I need to find a good way of automating this.

I also came across another Apache module that does something similar to mod_ruid2. It's called mpm-itk and it too is in the EPEL repository, as httpd-itk. I have not tested it. If I run into problems with mod_ruid2, I may try mpm-itk.
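The post above sets a global RMinUidGid/RUidGid fallback, a per-vhost RUidGid, and then runs into Virtualmin's SuexecUserGroup lines clashing with mod_ruid2. The following is an added example, not code from the post or from Virtualmin: a small audit script that reads an Apache config and reports, per <VirtualHost>, whether RUidGid is missing, names an unknown account, resolves below RMinUidGid, or sits next to a SuexecUserGroup directive. The passwd/group tables and the config text are constructed inline so it runs offline; on a real host you would read /etc/passwd, /etc/group and the httpd conf files instead. Directive names are the real mod_ruid2 and mod_suexec ones; the account names and numbers are assumptions.

```python
"""Audit Apache vhost config for mod_ruid2 consistency (added example).

Checks per <VirtualHost>:
  * RUidGid is present (otherwise the global RUidGid fallback applies)
  * the user/group it names exist
  * their ids are not below the global RMinUidGid
  * SuexecUserGroup is not set alongside RUidGid (the clash seen in the post)
Also checks that the global fallback id is not a real account (the "M" rule).
"""
import shlex

# Constructed stand-ins for /etc/passwd and /etc/group (name -> numeric id).
PASSWD = {"apache": 48, "alice": 1002, "bob": 1003}
GROUP = {"apache": 48, "alice": 1002, "bob": 1003}

# Constructed config modelled on the post: global defaults plus three vhosts.
SAMPLE_CONFIG = """
RMinUidGid "#1000" "#1000"
RUidGid    "#1500" "#1500"
RGroups    apache

<VirtualHost *:80>
    ServerName alice.example.com
    SuexecUserGroup alice alice
    RMode   config
    RUidGid alice alice
    RGroups apache
</VirtualHost>

<VirtualHost *:80>
    ServerName legacy.example.com
    RUidGid apache apache
</VirtualHost>

<VirtualHost *:80>
    ServerName noruid.example.com
</VirtualHost>
"""


def resolve(spec, table):
    """'#1234' means a numeric id; anything else is looked up by name (None if absent)."""
    if spec.startswith("#"):
        return int(spec[1:])
    return table.get(spec)


def parse_config(text):
    """Return (global_directives, [vhost, ...]); each vhost is {'ServerName', 'directives'}."""
    global_directives, vhosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<virtualhost"):
            current = {"ServerName": None, "directives": {}}
            continue
        if line.lower().startswith("</virtualhost"):
            vhosts.append(current)
            current = None
            continue
        name, *args = shlex.split(line)  # shlex strips the "#N" quoting
        target = current["directives"] if current is not None else global_directives
        if name == "ServerName" and current is not None:
            current["ServerName"] = args[0]
        target[name] = args
    return global_directives, vhosts


def audit(text, passwd=PASSWD, group=GROUP):
    """Return a list of (vhost_name, problem) tuples; empty list means all checks passed."""
    glob, vhosts = parse_config(text)
    findings = []
    min_uid = resolve(glob["RMinUidGid"][0], passwd) if "RMinUidGid" in glob else 0
    min_gid = resolve(glob["RMinUidGid"][1], group) if "RMinUidGid" in glob else 0

    if "RUidGid" in glob:  # the global fallback ("M" in the post)
        fuid = resolve(glob["RUidGid"][0], passwd)
        fgid = resolve(glob["RUidGid"][1], group)
        if fuid is None or fgid is None or fuid < min_uid or fgid < min_gid:
            findings.append(("<global>", "fallback RUidGid is unknown or below RMinUidGid"))
        elif fuid in passwd.values():
            findings.append(("<global>", "fallback RUidGid collides with a real account"))

    for vh in vhosts:
        name = vh["ServerName"] or "<unnamed>"
        d = vh["directives"]
        if "SuexecUserGroup" in d and "RUidGid" in d:
            findings.append((name, "SuexecUserGroup and RUidGid both set; comment out the suexec line"))
        if "RUidGid" not in d:
            findings.append((name, "no RUidGid; requests run as the global fallback"))
            continue
        uid = resolve(d["RUidGid"][0], passwd)
        gid = resolve(d["RUidGid"][1], group)
        if uid is None or gid is None:
            findings.append((name, "RUidGid names an unknown user or group"))
        elif uid < min_uid or gid < min_gid:
            findings.append((name, f"RUidGid {uid}/{gid} is below RMinUidGid {min_uid}/{min_gid}; mod_ruid2 will refuse it"))
    return findings


if __name__ == "__main__":
    for host, problem in audit(SAMPLE_CONFIG):
        print(f"{host}: {problem}")
```

Run stand-alone it lists the three problem vhosts from the sample: the suexec/ruid2 clash on alice.example.com, the apache-owned vhost whose uid 48 falls below RMinUidGid, and the vhost with no RUidGid at all. The global fallback check encodes the post's rule that M must be unprivileged and not belong to any existing account.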

Sat, 01/30/2016 - 07:31
joe443

How odd! Somehow I missed it despite my exhaustive search. The suexec option is right there, on this page

System Settings : Server Templates : Default Settings : Apache website
