Symlink Protection Advisory

  • cPanelMichael
    Hello :) The following document includes helpful information about the compatibility of Mod_Ruid2 with other Apache modules: "Apache Module: ModRuid2". Thank you.
    0
  • mickalo
    Thank you for the info. Mike
    0
  • mickalo
    One other question comes up after reviewing the docs: the Mod Security log location is changed when Mod Ruid & Mod Security are compiled. Will the Mod Security log still be accessible via the ConfigServer ModSecurity Control & WHM Mod Security add-on interface? Mike
    0
  • cPanelMichael
    I'm not sure that ConfigServer has implemented changes to support the change in the log location when Mod_Ruid2 is enabled, but you are welcome to consult with their support team if it does not function as expected: ConfigServer Technical Support (http://configserver.com/support.html). The Mod_Security plugin in Web Host Manager should function as expected. Let us know if that's not the case. Thank you.
    0
  • mickalo
    Ok, thanks. I posted this on their Support forum to see if this has been addressed or if they plan to. Their Mod Security Add-On is a very handy tool to have if you're using Mod Security. Update: This is the info posted from the ConfigServer Technical Support Forum for those who may be interested also: The rules for ModSecurity should still work. The processing of the ModSecurity logs will not.
    Mike
    0
  • quizknows
    Good to know. Honestly on a production server that's already using SuPHP, I would rather just enable the "symlink race condition protection" in easyapache than make the switch to Mod_RUID2 with live sites.
    0
  • mickalo
    quizknows wrote (post 1645642): Good to know. Honestly on a production server that's already using SuPHP, I would rather just enable the "symlink race condition protection" in easyapache than make the switch to Mod_RUID2 with live sites.
    We were also looking at that option as a possibility. May I ask why you went that route instead of Mod Ruid on a production server? Right now we only host about 25-30 user accounts. Thanks, Mike
    0
  • quizknows
    Mike, The reason I went that route is because there is slim to no chance of compatibility issues. You're basically just changing how symlinks are handled and that's it. The "patch" just makes sure any files being served belong to the correct owner. It provides good enough protection to stop cross-account symlink hacks. I've enabled the symlink race condition protection patch on countless production servers without downtime or issues. RUID2 on the other hand may cause problems with your sites or current apache configuration. It's not compatible with a lot of other modules or configurations. I'd definitely plan a decent maintenance window (at least a few hours) to allow yourself time to troubleshoot broken sites or configurations/modules if you try RUID2. Apache Module: Ruid2 (http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/ModRuid)
    0
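
Added example, not part of the thread and not cPanel's patch code: a Python version of the ownership check described in the post above, usable to audit a docroot for symlinks whose target belongs to another account. The function names and the `owner_uid` parameter are hypothetical, and the descriptor-based check is an assumption about how such a check can be made race-free, not a description of the EasyApache patch.

```python
import os
import stat


def cross_owner_symlinks(docroot, owner_uid=None):
    """List symlinks under docroot whose target belongs to another uid.

    owner_uid is the account expected to own served files; when None, each
    link is compared with its own owner. Returns tuples of
    (link, resolved_target, expected_uid, target_uid).
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            link_st = os.lstat(path)
            if not stat.S_ISLNK(link_st.st_mode):
                continue
            try:
                target_st = os.stat(path)  # follows the link
            except OSError:
                continue  # dangling link or loop: nothing to serve
            expected = link_st.st_uid if owner_uid is None else owner_uid
            if target_st.st_uid != expected:
                findings.append((path, os.path.realpath(path),
                                 expected, target_st.st_uid))
    return findings


def open_if_owned_by(path, owner_uid):
    """Open path read-only and check ownership on the open descriptor.

    fstat() on the descriptor describes the file that was actually opened,
    so swapping a symlink after the check cannot change the result.
    """
    fd = os.open(path, os.O_RDONLY)
    if os.fstat(fd).st_uid != owner_uid:
        os.close(fd)
        raise PermissionError(f"{path}: target not owned by uid {owner_uid}")
    return fd
```
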
  • mickalo
    Thanks for the additional info, appreciate it. I was a bit leery of using Mod Ruid and wanted to get as much info as possible before I ran EasyApache. Don't really need any additional headaches, if I can avoid it, that's for sure. :) Mike
    0