Using LSAPI - Sec Advisor flags Apache vhosts - but mod_ruid2 not available
I need help fixing the "Apache vhosts are not segmented or chroot()ed." error flagged by Security Advisor.
I've replaced PHP-FPM with LSAPI on a Rocky Linux system. So I don't have mod_ruid2 - and if I understand correctly, I can't install it without removing LSAPI and returning to PHP-FPM. The experimental Jail Apache option is greyed out in Tweak Settings. However, I've enabled the "cPanel" Jail Shell, and all users are running in Jailed shell. But I'm still getting this red flag.
Is there something else I should be doing when using the LSAPI PHP handler to secure Apache vhosts and get rid of this error?
-
Quick followup. I'm on a VPS, and it turns out that some other Sec Advisor items may not be getting evaluating in a standard way against only my slice of the server. So it's possible that this red flag wouldn't appear if I were on a dedicated server using the same config. I just don't know.
I would still be interested in understanding what the correct recommended approach to jail shells is when using LSAPI with cPanel.0 -
Hey there! Do you have suexec installed? If so, this is a case we're tracking through CPANEL-41992, so let me know!
0 -
Yes, I have mod_suexec installed on all 4 PHP versions (8.1-8.4) provisioned using Easy Apache 4.
I basically followed the instructions provided by cPanel documentation here:
https://support.cpanel.net/hc/en-us/articles/360056146193-How-to-switch-from-PHP-FPM-to-the-LSAPI-handlerLSAPI is the default handler for all PHP versions, and PHP-FPM shows as unavailable in MultiPHP Manager.
0 -
Great - thanks for that information. Since you have Suexec installed you can ignore that warning for now as the vhosts are indeed protected.
1
Please sign in to leave a comment.
Comments
4 comments