
Apache vhosts are not segmented or chroot()ed

Comments

41 comments

  • abnet
    Hello, I'm wondering if applying these three things to the server is a sufficient alternative to the jail/chrooted thing.
    • Disable user_ini
    • Using disabled_functions feature for php-fpm
    • Doing this:
    Looking forward to your reply. Thank you.
    0
  • cPanelMichael
    Hello @abnet, While the options you noted may increase your server's security, the only way to suppress the warning message in WHM >> Security Advisor is by performing one of the following actions: 1. Enable EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell in WHM >> Tweak Settings, and enable Mod_Ruid2 in WHM >> EasyApache 4. 2. Install CloudLinux and enable CageFS. Thank you.
    0
  • Tomas Gonzalez
    Hello @abnet, While the options you noted may increase your server's security, the only way to suppress the warning message in WHM >> Security Advisor is by performing one of the following actions: 1. Enable EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell in WHM >> Tweak Settings, and enable Mod_Ruid2 in WHM >> EasyApache 4. 2. Install CloudLinux and enable CageFS. Thank you.

    Or create a filter in your inbox to hide the warning. It'll still be there, but you won't see it :-D (just kidding) (or maybe not) Any update on this now that some time has passed?
    0
  • cPRex Jurassic Moderator
    What updates are you looking for, specifically? We still create the warning to provide server admins with some options to secure their machine.
    0
  • sparek-3
    I think the mod_ruid2 project is dead.
    0
  • rambillo

    Question: What if we no longer want to run mod_mpm_prefork, but instead run mod_mpm_event (with mod_suexec) for things like http/2? Are we secure (using jailshell)? Is there a way to satisfy the security advisor?

    Otherwise it seems the only viable fpm is mod_mpm_prefork -- correct?

    Note too we're not on CloudLinux.

    0
  • cPRex Jurassic Moderator

    rambillo - mod_ruid2 can still be installed through the EasyApache 4 tool, so you could do that.  The others behave slightly differently, so the advice in WHM >> Security Advisor is still correct.

    0
  • rambillo

    cPRex - thanks for the reply.

    I get that mod_ruid2 can still be installed (and is installed when we're using mod_mpm_prefork).

    But mod_mpm_prefork doesn't support http/2 and isn't as performant as mod_mpm_event. As such, we want to use mod_mpm_event (with mod_suexec for secure isolation). My understanding from EasyApache and the interwebs is that we can't use mod_ruid2 with mod_mpm_event.

    Am I mistaken in any of this?

    And is mod_mpm_event with mod_suexec (and jailed shell, but not CageFS because we're not on CloudLinux) just as secure as the mod_mpm_prefork, mod_ruid2, and jailed shell configuration?

    The last bottom line question is this: if mod_ruid2 is required in every case and per this thread, is cPanel's position then that mod_mpm_prefork is essentially the only viable fpm for use on a cPanel managed server?

    Thanks again for your help and advice.

    0
  • cPRex Jurassic Moderator

    All MPMs offer support for http/2 at this time - here's some data from https://httpd.apache.org/docs/trunk/howto/http2.html#mpm-config

    "HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions."

    so it's still technically an option, even if it's not the most efficient.


    0
  • rambillo

    Not the most efficient? After reading the Apache docs cited, I have thoughts.

    https://httpd.apache.org/docs/trunk/howto/http2.html#mpm-config

    MPM Configuration

    HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions.

    In prefork, mod_http2 will only process one request at a time per connection. But clients, such as browsers, will send many requests at the same time. If one of these takes long to process (or is a long polling one), the other requests will stall.

    mod_http2 will not work around this limit by default. The reason is that prefork is today only chosen, if you run processing engines that are not prepared for multi-threading, e.g. will crash with more than one request.

    If your setup can handle it, configuring event mpm is nowadays the best one (if supported on your platform).

    If you are really stuck with prefork and want multiple requests, you can tweak the H2MinWorkers to make that possible. If it breaks, however, you own both parts.

    Hence some key reasons for trying to use event instead of prefork.

    Can you address the question, please? Is mod_mpm_event with mod_suexec (and jailed shell, but not CageFS because we're not on CloudLinux) just as secure as the mod_mpm_prefork, mod_ruid2, and jailed shell configuration?

    And if not, is there any way to bring the security level up with event with suexec to at least match that of prefork with ruid2?

    "Security by obscurity alone is discouraged and not recommended by standards bodies." - https://en.wikipedia.org/wiki/Security_through_obscurity

    0
  • cPRex Jurassic Moderator
    Ultimately no, you won't get the same amount of isolation with event and suexec as you do with prefork and ruid2.  If you had some filesystem isolation it would help, but then you're basically looking at CloudLinux.
    0
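The thread's conclusion is that the Security Advisor check is satisfied by exactly two combinations (prefork + mod_ruid2 + jailshell, or CloudLinux CageFS), and that event + suexec is not treated as equivalent. The script below is an added example, not cPanel's or Apache's own code: it reads the text of `httpd -M` (or `apachectl -M`), reports which MPM and which process-switching module are loaded, and states how that maps onto the advisor's accepted combinations, plus the prefork/HTTP/2 caveat quoted from the Apache docs above. The `SAMPLE_*` listings are constructed so it runs offline; the live use is `advise "$(httpd -M 2>/dev/null)"`. It cannot see whether jailshell or CageFS is enabled, so it only reports what the Apache module list shows.

```shell
#!/bin/sh
# Added example (not cPanel's or Apache's code): classify an `httpd -M`
# module listing against the isolation combinations discussed in the thread.

# Print the active MPM name ("prefork", "event", "worker"), or nothing if absent.
active_mpm() {
  printf '%s\n' "$1" | sed -n 's/^ *mpm_\([a-z]*\)_module.*/\1/p' | head -n 1
}

# Succeed if the named module (e.g. ruid2_module) appears in the listing.
has_module() {
  printf '%s\n' "$1" | grep -q "^ *$2 "
}

# Print "<mpm>+<switcher>", e.g. "prefork+ruid2", "event+suexec", "worker+none".
isolation_profile() {
  mpm=$(active_mpm "$1")
  [ -n "$mpm" ] || mpm=unknown
  if has_module "$1" ruid2_module; then
    printf '%s+ruid2\n' "$mpm"
  elif has_module "$1" suexec_module; then
    printf '%s+suexec\n' "$mpm"
  else
    printf '%s+none\n' "$mpm"
  fi
}

# Map the profile onto what WHM >> Security Advisor accepts, and flag the
# prefork + mod_http2 serialization caveat from the Apache documentation.
advise() {
  profile=$(isolation_profile "$1")
  case "$profile" in
    prefork+ruid2) verdict="accepted by Security Advisor when jailshell is also enabled" ;;
    *)             verdict="Security Advisor will still warn; the other accepted option is CloudLinux CageFS" ;;
  esac
  if has_module "$1" http2_module && [ "${profile%%+*}" = prefork ]; then
    verdict="$verdict; note: with prefork, mod_http2 handles one request at a time per connection"
  fi
  printf '%s: %s\n' "$profile" "$verdict"
}

# Constructed sample listings in the format `httpd -M` prints.
SAMPLE_PREFORK='Loaded Modules:
 core_module (static)
 mpm_prefork_module (shared)
 http2_module (shared)
 ruid2_module (shared)
 php_module (shared)'

SAMPLE_EVENT='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)
 suexec_module (shared)
 proxy_fcgi_module (shared)'

SAMPLE_PLAIN='Loaded Modules:
 core_module (static)
 mpm_worker_module (shared)'

# Demo run over the constructed samples; replace with "$(httpd -M 2>/dev/null)" on a live host.
advise "$SAMPLE_PREFORK"
advise "$SAMPLE_EVENT"
advise "$SAMPLE_PLAIN"
```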
