Security advisor warning about enabling suexec
Hi,
I just upgraded my OS from Ubuntu 20 to 22 and cpanel from 118 to 126, all latest.
Now the security advisor is stating:
"
Important
suEXEC is disabled.
Enable suEXEC on the “Configure PHP and suEXEC” page.
"
Clicking the link of “Configure PHP and suEXEC” leads to a plain text error of "The EasyApache4 Technology Preview needs to be configured via command-line tools. The WHM user interface does not currently support this Technology Preview."
Going to the "MultiPHP Manager" page shows I use only one PHP version, PHP-FPM is enabled and the php handler is suphp.
So, what should I do here?
-
Hey there! Is it possible that your server has the WHM >> Tweak Settings >> Enable File Protect option turned on? If so, you could keep that enabled and just install mod_suexec through EasyApache 4 to resolve the issue.
0 -
Thank you cPRex.
I see there is an alternative for suexec called ruid2, that is considered faster than suexec but may be incompatible with mod_security (I have mod-security2 enabled).
I read it here - https://www.domainindia.com/login/knowledgebase/689/-Mastering-Apache-Execution-Models-The-Ultimate-Comprehensive-Guide.htmlWhat should I choose between the two? (I use the CP solo edition)
0 -
Those compatibility issues have been resolved for some time, so you're free to choose whatever option you think will work best for your system.
0 -
Great, thank you.
And if I will choose to use ruid2 - the security advisor scanner won't alert me again that suexec is missing (as I will remove it)? it will know that ruid2 is replacing it?
0 -
Correct - it should detect that and then stop the warning.
0 -
Awesome, thanks a lot!!!
0 -
You're very welcome!
0 -
Hi cPRex, this article (last updated 2 months ago) repeats the mod_security incompatibility claim, and the linked fix (updated 1 year ago) is to disable mod_ruid2.
Would you mind confirming if this is still true or not? If this information is out of date, is it possible to update these articles? It is really confusing to know which of the options are recommended.
--
I've just tested this out on a new server - a brand new cPanel install on AlmaLinux 9 with a trial license and the default EasyApache 4 configuration. I installed my custom mod_security rule set, which uses DBM collections for IP rate limiting.
It looks like the issue still exists:
[security2:error] [pid 33494:tid 33494] [client 1.2.3.4:11464] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/myusername-ip": Permission denied [hostname "testing.example.com"] [uri "/testfile"] [unique_id "aKFJgyOzf0MPSxOPF6pJbAAAAAQ"]
The PID is the httpd process running as nobody, which does have permission to create files in /var/cpanel/secdatadir, so I'm not sure why it's getting a permission denied error. However it is trying to create collection databases based on the username of the virtual host's owner. With mod_suphp it uses 'nobody-ip' and so I assume that the collection applies to all users. I guess there might be situations where you'd want per-user collections rather than per-server.
I also tried turning 'Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell' on (off by default), as some other old threads mentioned this. This did not help.
Either way, I don't think mod_ruid2 is compatible with mod_security in 2025 - unless perhaps you are not using collections at all.
0 -
Apparently the answer is "it's complicated" which really doesn't help things.
My homework today has turned up articles saying specific rulesets cause an issue, and others (such as CloudLinux) saying it's not compatible without making customizations that could compromise security:
so at this point it seems there are still compatibility issues to be aware of.
0 -
Thanks cPRex!
Yes, at this point I don't think it's possible to use mod_ruid2.. unless you are not using mod_security or only have a rather simple rule set.
0 -
I am getting the same warning as the OP on WHM 130.0.16. I can't find any "Configure PHP and suEXEC". In EA4 I have mod_suphp installed and all PHP versions in MultiPHP Manager are set to suphp.
What is the problem and what should I do? Thanks!
0 -
It looks like this is now related to case CPANEL-46538, which our team is currently working on, but I don't have any fix available just yet. Are you able to submit a ticket on this one?
0
Please sign in to leave a comment.
Comments
12 comments