Not working on CentOS 8

[AdnanHussainTurki]

Hello jfut,

Thanks for your support.

I have installed in my CentOS 8.1 machine https://github.com/mind04/mod-ruid2 Restarted Apache with no error.

But as soon as any request dropped to apache it is giving ERR_EMPTY_RESPONSE. and in the log, it is giving [Sun Jun 07 10:13:20.810130 2020] [core:notice] [pid 8939:tid 140082182953216] AH00052: child pid 10564 exit signal Aborted (6)

As you prescribed I have installed this jfut/mod_process_security-rpm using following commands wget https://github.com/jfut/mod_process_security-rpm/releases/download/v1.1.4-2/mod_process_security-1.1.4-2.el8.x86_64.rpm rpm -i mod_process_security-1.1.4-2.el8.x86_64.rpm

but still the same error.

Can you tell me what I am not doing correctly.

Thanks in advance.

[jfut]

I have installed in my CentOS 8.1 machine https://github.com/mind04/mod-ruid2

mod-ruid2 and mod_process_security are unrelated and separate modules. Please uninstall mod-ruid2 as it may have some conflicts.

As you prescribed I have installed this jfut/mod_process_security-rpm using following commands wget https://github.com/jfut/mod_process_security-rpm/releases/download/v1.1.4-2/mod_process_security-1.1.4-2.el8.x86_64.rpm rpm -i mod_process_security-1.1.4-2.el8.x86_64.rpm

This RPM doesn't work by simply installing it.

You need to edit /etc/httpd/conf.d/mod_process_security.conf. As it is written in the file, some Apache Modules must be disabled in order to work.

https://github.com/jfut/mod_process_security-rpm/blob/e13d3d46f56f712e052b555b5960f08ca1399495/rpmbuild/SOURCES/mod_process_security.conf#L8-L30

[AdnanHussainTurki]

I have changed conf as I needed (attached). I want my virtualhost apache head to run under a specific user "endurance".

The Apache is restarted gracefully. But still Apache is not running under endurance.

endurance_vhosts.txt

mod_process_security.txt

[jfut]

I have checked that PHP script run with user privileges in the following environments:

• CentOS Linux release 8.1.1911 (Core)
• httpd-2.4.37-16.module_el8.1.0+256+ae790463.x86_64
• php-7.2.11-2.module_el8.1.0+209+03b9a8ff.x86_64
• mod_process_security-1.1.4-2.el8.x86_64

Did you disable multi-thread modules?

Please check the loaded modules as shown below:

# Not working:
# httpd -M 2>&1 | egrep "prefork|event|dav|hcheck|^ http2|process_security|php"
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)
 mpm_event_module (shared)
 proxy_hcheck_module (shared)
 http2_module (shared)
 process_security_module (shared)

# It works:
# httpd -M 2>&1 | egrep "prefork|event|dav|hcheck|^ http2|process_security|php"
 mpm_prefork_module (shared)
 php7_module (shared)
 process_security_module (shared)

Is it PHP and cgi-script handlers that you want to run with user privileges?

SuexecUserGroup endurance endurance

This is not required by mod_process_security. You will need to change the ownership of the file instead:

chown endurance:endurance /home/endurance/public_html/path/to/some.php

<FilesMatch ".php$"> SetHandler "proxy:unix:/etc/endurance/configs/php/php72/endurance.sock|fcgi://localhost/"

mod_process_security supports the PHP DSO module. (PHP DSO module is much faster than PHP CGI mode.) So you can just use the default /etc/httpd/conf.d/php.conf file without editing.

It works with the PHP DSO module and the following mod_process_security settings:

# Uncomment this to enable, after setting MPM prefork and single thread mode
LoadModule process_security_module modules/mod_process_security.so

# Uncomment this to enable, after setting MPM prefork and single thread mode
# Enable All Extensions On. (default: Off)
PSExAll On

or

# Uncomment this to enable, after setting MPM prefork and single thread mode
LoadModule process_security_module modules/mod_process_security.so

# Enable Custom Handlers only.
#PSExAll Off
PSExtensions .cgi .php .pl .py .rb .sh

or

# Uncomment this to enable, after setting MPM prefork and single thread mode
LoadModule process_security_module modules/mod_process_security.so

# Enable Custom Handlers only.
#PSExAll Off
#PSExCGI On
PSHandlers application/x-httpd-php cgi-script

If the problem persists, could you create a Dockerfile for the reproduction?

[jfut]

Also, it's not an RPM issue, so it's better to discuss it in the mod_process_security issue.😄

[AdnanHussainTurki]

I am kinda noob in this field. Can you help me out for the best for my scenario.

I am using PHP-FPM for executing PHP scripts using this: <FilesMatch ".php$"> SetHandler "proxy:unix:/etc/endurance/configs/php/php72/endurance.sock|fcgi://localhost/" </FilesMatch> This gives me the ability to control PHP execution per user per virtualhost.

Now the problem in case, as the apache is running under apache:apache, it could not access the virtualhost directory at /home/endurance/public_html.

I am wondering, if apache can run under per user per virtualhost basis, this may solve this permission issue.

So, can you tell me if my problem can be solved using mod_process_security and php-fpm running simultaneously.

with that my current apache is as follows

[jfut]

PHP-FPM is a server process that is completely independent of Apache, and not an Apache module.

PHP-FPM will only work with the configured user privileges. In the example below, it would be apache:apache.

# e.g. /etc/php-fpm.d/www.conf
user = apache
group = apache

Since mod_process_security is an Apache module, it will never affect the behavior of PHP-FPM.

If you are using mod_process_security, you don't need to use PHP-FPM.

with that my current apache is as follows

You need the following settings to disable the multi-threaded modules. Because mod_process_security does not work in multi-threaded mode.

• Reset /etc/httpd/conf.modules.d/15-php.conf to the default

• Reset /etc/httpd/conf.d/php.conf to the default

• Edit /etc/httpd/conf.modules.d/00-mpm.conf

# Use prefork module
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so 
#LoadModule mpm_event_module modules/mod_mpm_event.so 

• Edit /etc/httpd/conf.modules.d/00-dav.conf

# Disable all WebDAV modules
#LoadModule dav_module modules/mod_dav.so 
#LoadModule dav_fs_module modules/mod_dav_fs.so 
#LoadModule dav_lock_module modules/mod_dav_lock.so 

• Edit /etc/httpd/conf.modules.d/00-proxy.conf

# Disable mod_proxy_hcheck module
#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so 

• Edit /etc/httpd/conf.modules.d/10-h2.conf

# Disable http2 module
#LoadModule http2_module modules/mod_http2.so 

[jfut]

Hello @AdnanHussainTurki

mod_process_security v1.2.0 has been released! (also v1.2.0-1 RPM)

I used the following Dockerfile.centos8 (Perl + PHP( DSO)) to make sure that Perl and PHP(DSO) work correctly. You may find this example helpful. https://github.com/matsumotory/mod_process_security/pull/20#issuecomment-648790074