
[Case 72109] Jail Apache Virtual Hosts using mod_ruid2 and cPanel jailshell Error

Discussion in 'Security' started by Evolve, Jul 24, 2013.

  1. Evolve

    Evolve Well-Known Member

    Hello,

    I decided to switch over to mod_ruid2 and jailshell last night from suPHP. I went through all of my php.ini and htaccess files and had everything working before trying to enable Jail Apache Virtual Hosts. When I try to enable it I get the following error when trying to enable or disable the feature:
    It's blank after the colon.

    When I try to visit some of the sites I'm hosting, some work and some don't. I get a 404 not found on some and 403 forbidden on others. Any ideas?
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello :)

    Check to see if the following option is enabled under the "Domains" tab in "WHM Home » Server Configuration » Tweak Settings":

    "Thunderbird and Outlook autodiscover and autoconfig support (enables proxy subdomain and SRV record creation)"

    If it's not enabled, try enabling it and clicking on "Save" to see if the "Tweak Settings" page is able to update. If it does, you can go back in and disable this setting again.

    As far as the 404 errors, those are not likely related to this error. Check the Apache error log (/usr/local/apache/logs/error_log) for the specific error message when browsing these websites.

    Thank you.
     
  3. Evolve

    Evolve Well-Known Member

    Hi Michael,

    I tried changing the setting for "Thunderbird and Outlook..." just to see if it would work and it gave me another error:
    It was not enabled when I went back into Tweak Settings, so I tried enabling it again and it seemed to work fine. Not sure what happened there.

    In my error log I'm seeing:
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Check the permissions/ownership values on the public_html directory and the .htaccess file itself:

    Code:
    stat /home/username/public_html
    stat /home/username/public_html/.htaccess

    Ensure they match the standard permissions/ownership values that are used on other accounts.

    Thank you.
     
  5. Evolve

    Evolve Well-Known Member

    Hi Michael,

    I took a look through a few of the accounts that had those errors and they appear to have the same settings as when they were under suPHP.

    public_html = 750 and the account owns it
    .htaccess = 640 and the account owns it

    I don't want to enable it again during the day and take my clients' websites offline.

    I also found errors like this when jailshell was enabled:
    I should probably mention I'm on CentOS 5.9 but I only have around 40 accounts.
     
    #5 Evolve, Jul 24, 2013
    Last edited: Jul 24, 2013
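The per-account `stat` check discussed in the two posts above can be run across every account at once. This is an added example, not part of either poster's message or of cPanel's tooling: `audit_docroots` is a hypothetical helper that assumes GNU `stat` and treats the most common mode on the server as the "standard" value to compare against.

```shell
#!/bin/sh
# Added example (not from the thread): compare public_html and .htaccess
# permissions across all accounts under a base directory such as /home.
#
# audit_docroots BASE
#   Prints one line per path found: "<status> <mode> <owner> <path>"
#   status is OK when the mode equals the most common mode for that kind
#   of path under BASE, and DIFF otherwise.
audit_docroots() {
    base=$1
    for name in public_html public_html/.htaccess; do
        # Collect "mode owner path" for every account that has this path.
        list=$(for home in "$base"/*/; do
                   p="${home}${name}"
                   if [ -e "$p" ]; then
                       stat -c '%a %U %n' "$p"
                   fi
               done)
        [ -n "$list" ] || continue
        # Assumption: the most frequent mode is the server's standard value.
        common=$(printf '%s\n' "$list" | awk '{print $1}' \
                 | sort | uniq -c | sort -rn | awk 'NR==1 {print $2}')
        # Mark every entry whose mode differs from that standard.
        printf '%s\n' "$list" \
            | awk -v c="$common" '{ s = ($1 == c) ? "OK" : "DIFF"; print s, $0 }'
    done
}

# Usage: sh audit_docroots.sh /home
if [ "$#" -gt 0 ]; then
    audit_docroots "$1"
fi
```

Lines marked DIFF are the accounts to inspect by hand; the owner column is printed so an ownership mismatch is visible next to the mode.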
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Please open a support ticket if you would like us to take a closer look:

    Submit A Ticket

    You can post the ticket number here and we can update this thread with the outcome.

    Thank you.
     
  7. Evolve

    Evolve Well-Known Member

    Ticket # 4302737
     
  8. Evolve

    Evolve Well-Known Member

    It looks like this is a known bug for cPanel and it is being worked on.

    Even though the fix was easy enough to implement I ultimately decided to go back to suPHP and just install the Symlink Race Condition Protection patch through EasyApache so I could continue using mod_security. I look forward to the day when mod_ruid2 is more robust. I'll miss those low load averages I had for such a brief amount of time =P

    Thanks for your help Michael.
     
    #8 Evolve, Jul 24, 2013
    Last edited: Jul 24, 2013
  9. quizknows

    quizknows Well-Known Member

    Probably a good call. Running without modsecurity is ridiculous, no way I'll use mod_ruid2 in production until that's worked out. I literally cannot afford to run servers without modsecurity. I've gotten them to work together for the most part, but with settings I'm not really proud of.
     
  10. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    A resolution for case 72109 was implemented with cPanel version 11.38.2.0. This version is currently available in the "Current" build tier, and will work its way down to the other build tiers over time per standard protocol. The change log is available at:

    cPanel - Change Log

    Thank you.
     
  11. grayloon

    grayloon Well-Known Member

    Isn't there a huge performance impact with mod_security?
     
  12. quizknows

    quizknows Well-Known Member

    It pretty well breaks ModSecurity. It's listed as incompatible in this information:

    Apache Module: Ruid2

    Until mod_ruid2 plays nicely with ModSecurity, there's absolutely no way I'd consider using ruid2. I have gotten it to work, but you have to make the logs world writeable so multiple UIDs can write to them (among other "tweaks"), which is a huge step backwards and not something I'd advise. I had to in that case to defend a DoS attack against a server already running mod_ruid2.

    Personally, I lean toward cloudlinux with cagefs and securelinks on, and SuPHP. A lot friendlier and secure enough for most shared hosting applications.
     