Started Getting Apache vhosts are not segmented warning
I just started getting a couple weeks ago this warning without making any changes to my config.
Very few of the dozen or so accounts even have SSH access enabled. But one of them I SSH'd into. I could change to the home directory of one of the other accounts but can't view anything, says "Permission Denied."
I verified all scripts in all accounts are running PHP as the account user and not the 'nobody' user as I saw mentioned on a webpage about this warning.
So what's the "real world" level of security risk I have leaving my config as-is? These are fairly obscure websites as opposed to well-known targets. There's not sensitive data like credit card or social security numbers anywhere. And why did this only recently start to warn me?
"Apache vhosts are not segmented or chroot()ed. Enable "mod_ruid2" in the "
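The two checks described in the post above (whether another account's home directory can be listed or only entered, and whether PHP runs as the shared "nobody" user) can be scripted as follows. This is an added example, not part of the original thread and not cPanel's code; the function names and the sample directories are constructed, and `/home` as the account base is an assumption.

```shell
#!/bin/sh
# Added example (not cPanel code): audit what "other" users may do with each
# account directory, and spot PHP processes running as the shared "nobody" user.

# classify_other PERMS: PERMS is the 3-char "other" field of ls -l, e.g. "--x"
classify_other() {
    case "$1" in
        r??)    echo LISTABLE ;;        # other accounts can list the directory
        ??[xt]) echo TRAVERSE_ONLY ;;   # cd works, ls gives "Permission denied"
        *)      echo CLOSED ;;          # no access for other accounts
    esac
}

# audit_homes BASE: print "<account> <class>" for each directory under BASE
audit_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue         # glob matched nothing
        [ -L "$d" ] && continue         # skip symlinks, their mode is meaningless
        perms=$(ls -ld "$d" | cut -c8-10)
        printf '%s %s\n' "${d##*/}" "$(classify_other "$perms")"
    done
}

# php_as_nobody: reads "user command" lines on stdin (as produced by
# `ps -eo user=,comm=`) and prints PHP processes owned by "nobody".
# Limitation: PHP loaded inside the web server process shows up under the
# server's command name, not as php*, and is not caught here.
php_as_nobody() {
    awk '$1 == "nobody" && $2 ~ /^php/ { print $1, $2 }'
}

# Constructed demo: two fake account directories in a temporary location.
demo() {
    base=$(mktemp -d)
    mkdir "$base/acct1" "$base/acct2"
    chmod 711 "$base/acct1"             # matches the behaviour seen in the post
    chmod 755 "$base/acct2"             # other accounts could list this one
    audit_homes "$base"
    rm -rf "$base"
}
demo

# On a real server (assumed paths):
#   audit_homes /home
#   ps -eo user=,comm= | php_as_nobody
```

A `TRAVERSE_ONLY` result corresponds to what the post describes: the directory can be entered but its contents cannot be listed.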
Those messages on the Security Advisor page are only suggestions and not mandatory. cPanel do recommend taking steps to ensure Apache virtual hosts are segmented or chroot()ed. I'd suggest reading the forum thread below, which answers all your queries: The "Jail Apache Virtual Hosts using mod_ruid2" tweak setting is experimental and may result in unintended consequences. For this reason, I'd recommend trying this setting in a test environment before enabling it on a production server. Alternatively, you could consider converting your server to CloudLinux to enable CageFS to secure your accounts instead of the experimental "Jail Apache Virtual Hosts using mod_ruid2" tweak setting.
...may result in unintended consequences.
This hits the nail on the head based on gut instinct of over 30 years SysAdmin experience. I think I may have one account that is running a script that has some dependency or needs access to some files outside the /home/{account name} directory. Enabling the jailshell I anticipated would probably just create more problems than it solves. In fact, as the saying goes, "if it's not broke, don't try to fix it." That is one of THE golden rules in SysAdmin. The problem is, I don't think there's a way I can turn off the warning for just this particular high priority issue notification. I would have to turn off all emails and I don't mind getting ones cPanel considers high priority. Time is precious and I don't have time to futz around with a test server just to test this one issue. Maybe I'll do it when I move to a new server with AlmaLinux O/S next year. Kind of pissed they are sending recommendations to implement something largely considered experimental.
The warning makes no sense as a "high" level warning.... "Apache vhosts are not segmented or chroot()ed. Enable "mod_ruid2" in the "EasyApache 4" area, enable "Jail Apache" in the "Tweak Settings" area, and change users to jailshell in the "Manage Shell Access" area. Consider a more robust solution by using "CageFS on CloudLinux". Note that this may break the ability to access mailman via Apache." My accounts have access disabled by default, with only one set to jailed, none are actually open. But WHM keeps warning me I should enable an experimental feature. Given that I have "high" level warnings set to alert to my phone, this is a very annoying repetitive issue. It comes off like an ad for CageFS.