Privileges problem after enabling HTTP2
Hello, 2 days ago I decided to enable http2 in EasyApache4, which was not an easy task due to module conflicts. Since then, I needed to change some file privileges (chmod) because some of my plugins on our website add some files to a /file folder which had nobody:nobody chmod 755 before, and it was working fine!
Now I need to set "others" to have write privileges (757) on the /file folder, which I don't think is super safe unless someone tells me otherwise.
I'll list some useful module information, with the affected packages in bold... packages absent in the second list from the first one are those that are disabled due to conflict with http2.
Here is the old setup:
- mod_cgi
- mod_mpm_prefork
- php70-php
- php70-php-fpm
- mod_proxy_fcgi
- mod_suexec
- mod_cgid
- mod_mpm_event
- mod_http2
- mod_suphp
- php70-php-fpm
- mod_proxy_fcgi
- mod_suexec
What http2 module are you referring to? I've experimented with the EA4 http2 module on a few servers. I'm not aware of any issues, but maybe I'm not looking in the right spot. Apache Module: HTTP2 - EasyApache 4 - cPanel Documentation
I did disable mod_suPHP but it changed nothing at all, sadly... I don't know what else I can do to fix this security issue! When using ftp with the user I set on the /file folder, it's working perfectly fine! But it seems like it doesn't use the right user when it's with Apache (while using our filemanager plugin/fileuploader)... is there a way to test which one it uses? I already ran the function get_current_user(), which returns the script owner, which is also the good user matching my /file privileges.
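A diagnostic for the question in the post above, as an added example that is not part of the original thread: PHP's get_current_user() reports the owner of the script file, while posix_geteuid() reports the user the process is actually running as, and this script prints both along with the permission class that decides write access to the folder. It assumes the posix extension is loaded; the `$target` path is a placeholder, and ACLs are not considered.

```php
<?php
declare(strict_types=1);
// Added diagnostic, not from the thread. Request it through the web server so it
// runs in the same context as the upload plugin. Requires the posix extension.

function name_of(int $id, bool $isGroup): string {
    $rec = $isGroup ? posix_getgrgid($id) : posix_getpwuid($id);
    return $rec === false ? "#$id" : $rec['name'];
}

// Work out which permission class (owner/group/other) applies to this process
// for $path, and whether that class carries the write bit. ACLs are ignored.
function write_class(string $path, int $euid, array $gids): array {
    $st = @stat($path);
    if ($st === false) {
        return ['class' => 'n/a (stat failed)', 'writable' => false];
    }
    $mode = $st['mode'] & 0777;
    if ($euid === 0) {
        return ['class' => 'root', 'writable' => true];
    }
    if ($euid === $st['uid']) {
        return ['class' => 'owner', 'writable' => (bool)($mode & 0200)];
    }
    if (in_array($st['gid'], $gids, true)) {
        return ['class' => 'group', 'writable' => (bool)($mode & 0020)];
    }
    return ['class' => 'other', 'writable' => (bool)($mode & 0002)];
}

$target = __DIR__ . '/file';   // ASSUMPTION: placeholder for the upload folder
$euid   = posix_geteuid();
$egid   = posix_getegid();
$gids   = array_unique(array_merge([$egid], posix_getgroups() ?: []));
$res    = write_class($target, $euid, $gids);
$st     = @stat($target);

header('Content-Type: text/plain');
printf("SAPI:            %s\n", PHP_SAPI);
printf("script owner:    %s (get_current_user)\n", get_current_user());
printf("effective user:  %s, group %s\n", name_of($euid, false), name_of($egid, true));
if ($st !== false) {
    printf("target:          %s owner=%s group=%s mode=%04o\n", $target,
        name_of($st['uid'], false), name_of($st['gid'], true), $st['mode'] & 0777);
}
printf("class applied:   %s, write bit %s\n", $res['class'], $res['writable'] ? 'set' : 'not set');
printf("is_writable():   %s\n", is_writable($target) ? 'yes' : 'no');
```

If "class applied" is `other`, the process is not running as the folder's owner, and chown or a per-user handler is the fix rather than mode 757. Remove the script after testing, since it discloses account names.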
Hi @Morphime, please feel free to open a ticket using the link in my signature so that we can look into this further. Once open, please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved. Thanks!
Ticket ID: 11490523
Hi @Morphime, thanks! I'm following that ticket and I'll update this thread with the outcome.
A little update on my side: even after opening a ticket and talking to a cPanel support member, the problem persists... I got suggested to go back to http1.1... I also noticed even my cPanel backups have some privileges issues now. The backup seems fine on the server itself, but when transferred to an additional destination using sftp, the same privileges problem persists. I really wanted http2, but it seems like there are too many bugs with privileges problems with cgi, so I might really consider going back to http1.1
Another update... somehow, chown user:user started working randomly today... everything seems to be fixed, but "FOR HOW LONG"? I'm gonna keep making tests and monitor all those privileges problems, but it seems inconsistent. I didn't touch anything during the weekend and this morning, but now it's working.
Hi @Morphime, I'm really glad to hear it's working. If you do experience any further issues with this, I'd like to see if you can please open a ticket. You can do so with the link in my signature. Thanks!
Hi sparek, bit of a noobie user here. Could you tell me how you're utilising HTTP2 whilst keeping your apache jailed?
If you are using php-fpm, then you can force PHP to run under the jail shell chroot for the user by creating the file:
touch /var/cpanel/feature_toggles/apachefpmjail
But the jail shell environment provided by cPanel leaves a little bit to be desired. And for whatever reason, all of the development on this seems to have been dropped by cPanel. I don't know why. This is a pretty clever little thing they've got - it needs a little bit of tweaking... but for whatever reason cPanel seems to want to focus on... actually I have no idea what they are focusing on. This will only execute PHP in a jail shelled chroot. It doesn't actually jail the entire Apache process... but it'll work for the vast majority of keeping PHP users in line.