Page tree
Skip to end of metadata
Go to start of metadata

Overview

The mod_ruid2 Apache module changes the permissions of the HTTP requests for a domain to the permissions of the owner of that domain.

Warning:

If you do not select an Apache module that changes the permissions of Apache requests, your Apache web server will run Apache processes as the nobody user, which presents security risks. The following Apache modules also change the permissions of Apache requests:

Usage

Use the mod_ruid2 Apache module to change the permissions of Apache requests to the domain's owner.

Requirements

This module has no requirements.

Compatibility

The mod_ruid2 Apache module introduces a complex security model. If you select the mod_ruid2 Apache module, EasyApache will verify the compatibility of the other Apache and PHP modules that you select with the mod_ruid2 Apache module.

Warning:

Currently, we no longer develop EasyApache 3 and only release security updates. We have tentatively scheduled EasyApache 3 for deprecation at some point in 2018. You will receive at least three months notification prior to official deprecation. After that time, EasyApache 3 will no longer receive any updates. For more information, read our cPanel Long-Term Support documentation.

We strongly recommend that you upgrade to EasyApache 4. For more information, read our EasyApache 4 documentation. 

Featured documentation

  EasyApache 3

IntroductionFAQ

Change Log Release Notes  

ProfilesCustomization

Tomcat

Migrate from Tomcat 5.5 to 7

How to Deploy Java Applications

Important:

EasyApache 3 does not support Tomcat for new installations. EasyApache 4 does not support Tomcat and we do not plan to provide support in the future. 

LiteSpeed Web Server

The mod_ruid2 Apache module is not compatible with the LiteSpeed Web Server.

For more information, read LiteSpeed's documentation.

PHP extensions posix, dio and eio

If you select the Mod Ruid2 option in EasyApache, you cannot install the posixdio, or eio PHP extensions with WHM's  Module Installers interface (Home >> Software >> Module Installers). EasyApache disables those extensions if they exist on your server when you build EasyApache with the Mod Ruid2 option.

Other incompatible Apache modules

The following modules are not compatible with the Mod Ruid2 option:

Option
Module identifier
Description
Cache mod_cache

This module caches content that is keyed to URIs. This module can cache both local and proxy content. The mod_ruid2 Apache module causes problems with the ownership of the cache lock files that the mod_cache Apache module creates.

Warning:

While you can patch the mod_ruid2 Apache module, or the mod_cache Apache module and any other cache-related modules, the patch may introduce security vulnerabilities.

Disk Cache disk_cache_module

These modules require the mod_cache Apache module, which is not compatible with the mod_ruid2 Apache module.

Cache Disk cache_disk_module
MemCache mod_mem_cache
Mod FastCGI v2.3.9 mod_fcgi

If you select the FastCGI option, EasyApache installs the mod_fcgid Apache module. The mod_fcgid Apache module directs your Apache server to handle each CGI request with a separate and persistent process. The mod_ruid2 Apache module cannot change the UID or GID of the processes that the mod_fcgid Apache module creates.

If you select the FastCGI and Mod Ruid2 options, EasyApache will set your PHP handler to the suPHP option. For more information about how to select a PHP handler, read our Configure PHP and suEXEC documentation.

Mono mod_monoThis Apache module provides ASP.NET support for Apache 2.0 and 2.2. This support applies to .NET 1.x and 2.x. If you select the Mono and Mod Ruid2 options, EasyApache will not build the mod_mono Apache module.
Perl mod_perlThis Apache module provides Perl scripting language support for the Apache web server. If you select both the Perl and Mod Ruid2 options, EasyApache will not build the mod_perl Apache module.
Tomcat mod_jk

This Apache module provides the Tomcat web server and allows Apache to communicate with Tomcat. You cannot select both the Mod Ruid2 and the Tomcat options.

Important:

EasyApache 3 does not support Tomcat for new installations. EasyApache 4 does not support Tomcat and we do not plan to provide support in the future. 

UserDir mod_userdirThis Apache module allows visitors to access a site on your server with the http://example.com/~account syntax. This method to access websites causes a conflict with the mod_ruid2 Apache module.

MPM selection

EasyApache builds with the MPM Prefork by default. If you wish to use the mod_ruid2 Apache module, you must use the MPM Prefork. For more information on MPMs, read our MPM Options documentation.

Warning:

The following MPMs are not compatible with the mod_ruid2 Apache module:

EasyApache optionModule identifierNotes
MPM Workermpm_worker_moduleThe mpm_event_module Apache MPM and the mpm_event_module Apache MPM are threaded MPMs. MPMs that use threads do not work with the mod_ruid2 Apache module, because they alter the UID and GID at the process level.
MPM Eventmpm_event_module
MPM ITKmpm-itkIf you select both the Mod Ruid2 option and the MPM ITK option in EasyApache, EasyApache will deselect the Mod Ruid2 option.

Mutual exclusion issues

Some users encounter errors when they use the mod_ruid2 Apache module with other modules or scripts that use mutual exclusion. If a mutual exclusion event occurs, Apache will output errors similar to the following example:

[Wed Sep 12 20:21:50 2012] [emerg] (13)Permission denied: couldn't grab the accept mutex
[Wed Sep 12 20:21:51 2012] [alert] Child 27585 returned a Fatal error... Apache is exiting!
[Wed Sep 12 20:21:51 2012] [emerg] (43)Identifier removed: couldn't grab the accept mutex
[Wed Sep 12 20:21:51 2012] [emerg] (22)Invalid argument: couldn't release the accept mutex
[Wed Sep 12 20:22:25 2012] [emerg] (22)Invalid argument: couldn't grab the accept mutex

If you add the following line to the /usr/local/apache/conf/mod_ruid2.conf file, it may resolve the issue:

AcceptMutex posixsem

How to install or uninstall mod_ruid2

Module status in default profiles

The Mod Ruid2 EasyApache profile includes the mod_ruid2 Apache module by default.

Note:

You can only use the Mod Ruid2 profile if you do not use CloudLinux.

Installation steps

If you do not select the Mod Ruid2 profile, perform the following steps to install or uninstall the mod_ruid2 Apache module:

  1. Run EasyApache in WHM's EasyApache 3 interface (Home >> Software >> EasyApache 3).

    Note:

    To access EasyApache from the command line interface, run the /scripts/easyapache script as the root user.

  2. Select the profile that you wish to modify.

  3. Click the  icon that corresponds to your selection.

  4. Click Next Step in the Apache Version stage.
  5. Click Next Step in the PHP Version stage.
  6. Click Exhaustive Options List in the Short Options List stage.
  7. Perform one of the following actions in the Short Options List stage:
    • To install the mod_ruid2 Apache module, select the Mod Ruid2 option.

      Warning:

      • Before you select the Mod Ruid2 option, read this document's Compatibility section.
      • If you select the Mod Ruid2 option, we recommend that you use DSO as your PHP handler instead of suPHP. For more information on how to select a PHP handler, read our Apache PHP Request Handling documentation.
    • To uninstall the mod_ruid2 Apache module, deselect the Mod Ruid2 option.
  8. Click Save and Build.

How to enable or disable the module in a custom EasyApache profile file

The following table provides information about how EasyApache refers to the mod_ruid2 Apache module:

EasyApache module namemod_ruid2
EasyApache Profile EntryCpanel::Easy::ModRuid2

To enable or disable the mod_ruid2 Apache module in a custom EasyApache profile file, set the Cpanel::Easy::ModRuid2 profile entry to one of the following values:

  • 1 – This value enables the module.
  • 0 – This value disables the module.

History

DateEasyApache versionActionDetails
7/16/20143.26.0EA updateImplemented case 76837: Add mpm-itk to EasyApache
3/10/20143.24.12EA updateFixed case 76493: Resolve compatibility with Mod Security
2/11/20143.24.11Doc updateImplemented case 73225: Removed Apache 1.3 and 2.0
10/21/20133.22.17EA updateImplemented case 58357: Update the mod_ruid2 Apache module to version 0.9.8
1/31/20133.18.0Doc updateImplemented case 51105: Update for Apache 2.4

Version 0.9.8

By default, if you build EasyApache with the mod_ruid2 Apache module, the child Apache processes will not inherit the supplemental groups of the parent Apache process.

Version 0.9.8 of the mod_ruid2 Apache module allows you to enable supplemental group inheritance. If you wish to enable this feature, you must create a custom virtual host template with RGroupInherit set to on.

Warning:

We do not recommend that you enable supplemental group inheritance as it poses security risks.

Related documentation

For more information about EasyApache, read our EasyApache documentation.

Vendor documentation

For more information about the mod_ruid2 Apache module, visit the mod_ruid2 website.