
Apache vhosts are not segmented or chroot()ed

Discussion in 'General Discussion' started by Nirjonadda, Jan 10, 2018.

  1. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    560
    Likes Received:
    14
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    How do I fix the error "Apache vhosts are not segmented or chroot()ed"? We have enabled Jailed Shell, but the error is still not removed.

  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    42,782
    Likes Received:
    1,712
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You'd need to use Mod_Ruid2 with the "EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell" option enabled in "WHM >> Tweak Settings". Or, you'd need to use CageFS with CloudLinux.

    Thank you.
     
  3. Nirjonadda

    Nirjonadda Well-Known Member

    So we need to enable Mod_Ruid2 to use the "EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell" option in "WHM >> Tweak Settings"? Once the "EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2" option is enabled, can Mod_Ruid2 then be disabled?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    That's correct, you will need to enable both Mod_Ruid2 and the "EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell" option. Disabling Mod_Ruid2 after enabling the option will automatically disable the option, as Mod_Ruid2 is required for it to work.

    Thank you.
     
  5. kwdamp

    kwdamp Active Member

    Joined:
    Dec 7, 2017
    Messages:
    27
    Likes Received:
    3
    Trophy Points:
    3
    Location:
    usa
    cPanel Access Level:
    Root Administrator
    It sounded like maybe he was asking more DO we need to enable...

    I'm wondering the same thing. This warning shows as critical on the list from the system analyzer, yet it seems like this is not a security issue or setting included in the base setup, but more of a hack/fix.

    So: is it something that should absolutely be done on our dedicated servers? Or is it something that is really only necessary on shared servers with potentially malicious users?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @kwdamp,

    Good question! We do recommend taking steps to ensure Apache virtual hosts are segmented or chroot()ed. While Mod_Ruid2 and the "Jail Apache" option together are one way to achieve this, using CageFS with CloudLinux is ideal if you are able to purchase a CloudLinux license. Note that we have an internal case (SWAT-733) open to ensure that specific Security Advisor alert reflects the fact that Mod_Ruid2 is required in order to use the "Jail Apache" option.

    Thank you.
     
  7. PeteS

    PeteS Well-Known Member

    Joined:
    Jun 8, 2017
    Messages:
    84
    Likes Received:
    8
    Trophy Points:
    8
    Location:
    Oregon
    cPanel Access Level:
    Root Administrator
    Is it correct that this risk only exists if malicious users exist on the server (whether they get in by hacking an account login or have one assigned to them)?

    The scenario I'm referring to in particular is a dedicated server, where all accounts are under my control, and all user accounts are set to "Disabled Shell" in Home » Account Functions » Manage Shell Access. Doesn't that eliminate the concern entirely?

    Please advise...
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    That's correct. Though do note that disabling shell access to the account doesn't mitigate the issue.

    Thank you.
     
  9. PeteS

    PeteS Well-Known Member

    Good point. I shouldn't have even mentioned the shell access setting. This doesn't represent an immediate concern for me because I am the only user, but that could change in the future, and I'm sure for many others this is a current concern. Which leads me to this question:

    HTTP/2 seems to be a forward-looking standard, but enabling mod_HTTP/2 requires the removal of mod_ruid2. Therefore, are we to understand that the only available solution is to purchase and run CloudLinux? Is it really the case that if you want to move to HTTP/2 and don't want to run CloudLinux you're just stuck with a security hole, or is there more to this story?
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    That's correct. Without the Ruid2/Jail Apache functionality (which doesn't allow the use of HTTP/2), the only supported alternate solution at this point in time is to use a third-party product such as CloudLinux.

    Thank you.
     
  11. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,601
    Likes Received:
    64
    Trophy Points:
    328
    cPanel Access Level:
    Root Administrator
    What about chrooting in a php-fpm environment? There's some discussion scattered throughout the Feature Request for Enhanced FPM Support, but specifically:

    Enhance FPM support

    Has this been completely abandoned?

    The jailmount for cPanel needs a little bit of work (it doesn't mount everything). I'm pretty sure I've mentioned that somewhere, but I can't remember where.

    This doesn't solve CGI execution. Although that could be improved and possibly solved with some help from cPanel and Apache.

    This doesn't provide complete isolation like CloudLinux does. But, how else do end users execute code in a shared hosting environment? Shell (jailshell solves this) or PHP (chroot'd php-fpm solves this) or CGI (no current solution). How much is CGI actually used any more?
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @sparek-3

    Per our PHP FPM User Pools document:

    Thus, even when using PHP-FPM, Mod_Ruid2 and the "Experimental: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell" option are still required so the system automatically binds the user pool to the virtfs mount.

    Thank you.
     
  13. sparek-3

    sparek-3 Well-Known Member

    You may want to double check this.

    Mod_Ruid2 and the "Experimental: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell" aren't required for PHP-FPM to run in a chroot'd environment. At least not in what I have tested.

    Using PHP-FPM, creating the /var/cpanel/feature_toggles/apachefpmjail file, and ensuring that the user is using noshell or jailshell as their shell executes PHP through the php-fpm socket for that user in a chroot'd environment.

    Perhaps I have my system misconfigured? If so, I don't want to fix it.

    Granted, the jailmount that cPanel's modified php-fpm binary does to run the code in the chroot leaves a bit to be desired - it doesn't fully mount the /home/virtfs/%user% path. (The fix: login as the user using jailshell, and the path gets fully populated). But other than that, it seems to operate just as expected.

    I've often wondered why this didn't get much fanfare, but perhaps that's because the right hand doesn't know what the left hand is doing.

    One of the key features of CloudLinux is the CageFS system. But cPanel essentially has the same thing already baked in, with their jail system. But for whatever reason cPanel doesn't want to expand on this jail system and seems to just want to forget that it's there, and then push people over to CloudLinux for CageFS.
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    While it's not required, we recommend enabling the Experimental: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell option. When PHP-FPM jails are active (e.g. /var/cpanel/feature_toggles/apachefpmjail exists and noshell or jailshell is enabled for a user), it causes PHP-FPM to attempt to chroot to virtfs for that user. However, it only verifies the jail is mounted (as opposed to fully setup and populated). This presents a problem when Mod_Ruid2 and the Experimental: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell option are not enabled because PHP-FPM can potentially attempt to chroot into an incomplete jail environment. Internal case EA-5524 is open to address this behavior.

    Thank you.
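    As an added example (not from the thread and not cPanel's own tooling), a small POSIX sh audit of the conditions discussed above: whether the apachefpmjail toggle exists, whether a user's shell is noshell or jailshell (so PHP-FPM would attempt the chroot), and whether /home/virtfs/<user> is actually populated rather than merely present. The expected jail subdirectories (etc, usr, bin) and the sample passwd entries are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not cPanel's own tooling. Audits, per user, the PHP-FPM jail
# conditions described in this thread. ROOT is a directory prefix so the check
# can run against a constructed fixture tree; pass "" to inspect the live system.
# Assumption: a populated virtfs jail contains at least etc, usr and bin.
# fpm_jail_state ROOT USER -> prints exactly one word:
#   no-toggle        apachefpmjail toggle absent: PHP-FPM runs unjailed
#   no-such-user     USER has no /etc/passwd entry under ROOT
#   full-shell       toggle present but user has a normal shell: no chroot attempted
#   incomplete-jail  chroot would be attempted into a jail missing expected dirs
#   jailed           chroot would be attempted into a populated jail
fpm_jail_state() {
  root="$1" user="$2"
  jail="$root/home/virtfs/$user"
  if [ ! -e "$root/var/cpanel/feature_toggles/apachefpmjail" ]; then
    echo no-toggle; return 0
  fi
  shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$root/etc/passwd")
  case "$shell" in
    "") echo no-such-user; return 0 ;;
    */noshell|*/jailshell) ;;
    *) echo full-shell; return 0 ;;
  esac
  for d in etc usr bin; do
    [ -d "$jail/$d" ] || { echo incomplete-jail; return 0; }
  done
  echo jailed
}

# build_fixture DIR: constructed sample tree, not copied from any real server.
# alice: jailshell, populated jail. bob: noshell, jail dir present but never
# populated (the "only verifies it is mounted" case). carol: normal shell.
build_fixture() {
  mkdir -p "$1/var/cpanel/feature_toggles" "$1/etc" "$1/home/virtfs/bob" \
           "$1/home/virtfs/alice/etc" "$1/home/virtfs/alice/usr" "$1/home/virtfs/alice/bin"
  : > "$1/var/cpanel/feature_toggles/apachefpmjail"
  cat > "$1/etc/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/usr/local/cpanel/bin/jailshell
bob:x:1002:1002::/home/bob:/usr/local/cpanel/bin/noshell
carol:x:1003:1003::/home/carol:/bin/bash
EOF
}

# Stand-alone demo against the fixture (use "" instead of "$demo" on a real host).
demo=$(mktemp -d)
build_fixture "$demo"
for u in alice bob carol; do
  printf '%-6s %s\n' "$u" "$(fpm_jail_state "$demo" "$u")"
done
rm -rf "$demo"
```

    On a live server, an "incomplete-jail" result for a noshell/jailshell user is the situation the post above describes, where PHP-FPM may chroot into a jail that is mounted but not fully populated.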
     