Security Implications of Mod_Userdir
I am coming back to cpanel after being with Interworx for that past 3 years. It seems like Mod_Ruid2 was enabled by default, which disabled mod_userdir so I can't easily use temporary directory's for new customers now.
I know I can have them edit their hosts file to fix the issue...but that's a bit to expect from a new customer (though depending on security issues I might go that route). Is there any reason to be using mod_ruid2 instead of mod_userdir that makes it worth losing out of the temp domain feature?
-
AFAIK, the main reasons to use mod_ruid2 are for Symlink Race Condition Protection and to have PHP processes run under the users' accounts without running suPHP. There are some drawbacks to using mod_ruid2 beyond just the inability to use mod_userdir. Until cPanel v.58.0.30, mod_ruid2 interfered with mod_security writing to the audit logs by user. That's supposed to be fixed, but there is still a conflict that prevents any of the mod_security rules that use data persistence--like those preventing brute force login attempts--from writing to the DBM files that breaks important parts of mod_security. That was enough for me to quit using mod_ruid2 and look for alternative symlink race condition protections. 0 -
Hello, In addition to the previous post, we also document some of the security implications of using Mod_Userdir at: Apache mod_userdir Tweak - Documentation - cPanel Documentation Let us know if you have any additional questions. Thanks! 0
Please sign in to leave a comment.
Comments
2 comments