[Case 72109] Jail Apache Virtual Hosts using mod_ruid2 and cPanel jailshell Error

Evolve

Well-Known Member
Jan 31, 2007
47
0
156
Hello,

I decided to switch over to mod_ruid2 and jailshell last night from suPHP. I went through all of my php.ini and htaccess files and had everything working before trying to enable Jail Apache Virtual Hosts. When I try to enable it I get the following error when trying to enable or disable the feature:
While trying to rectify your configuration for autodiscover_proxy_subdomains an error was encountered:
It's blank after the colon.

When I try to visit some of the sites I'm hosting, some work and some don't. I get a 404 not found on some and 403 forbidden on others. Any ideas?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,261
463
Hello :)

Check to see if the following option is enabled under the "Domains" tab in "WHM Home » Server Configuration » Tweak Settings":

"Thunderbird and Outlook autodiscover and autoconfig support (enables proxy subdomain and SRV record creation)"

If it's not enabled, try enabling it and clicking on "Save" to see if the "Tweak Settings" page is able to update. If it does, you can go back in and disable this setting again.

As far as the 404 errors, those are not likely related to this error. Check the Apache error log (/usr/local/apache/logs/error_log) for the specific error message when browsing these websites.

Thank you.
 

Evolve

Hi Michael,

I tried changing the setting for "Thunderbird and Outlook..." just to see if it would work and it gave me another error:
There was an error updating Thunderbird and Outlook autodiscover and autoconfig support (enables proxy subdomain and SRV record creation):
It was not enabled when I went back into Tweak Settings, so I tried enabling it again and it seemed to work fine. Not sure what happened there.

In my error log I'm seeing:
[error] mod_ruid2 www.clientdomain.com GET / HTTP/1.1 chdir to /home/virtfs/client failed
[crit] [client my.ip.address.here] (13)Permission denied: /home/client/public_html/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
 

cPanelMichael

Check the permissions/ownership values on the public_html directory and the .htaccess file itself:

Code:
stat /home/username/public_html
stat /home/username/public_html/.htaccess
Ensure they match the standard permissions/ownership values that are used on other accounts.

Thank you.
 

Evolve

Hi Michael,

I took a look through a few of the accounts that had those errors and they appear to have the same settings as when they were under suPHP.

public_html = 750 and the account owns it
.htaccess = 640 and the account owns it

I don't want to enable it again during the day and take my clients' websites offline.

I also found errors like this when jailshell was enabled:
[error] [client my.ip.address.here] File does not exist: /home/client/public_html
I should probably mention I'm on CentOS 5.9 but I only have around 40 accounts.
 

cPanelMichael

Please open a support ticket if you would like us to take a closer look:

Submit A Ticket

You can post the ticket number here and we can update this thread with the outcome.

Thank you.
 

Evolve

It looks like this is a known bug for cPanel and it is being worked on.

Thanks for contacting us. The problem you're seeing is almost certainly a bug for which we have an internal case, #72109. When the mod_ruid2 + jailed virtualhosts option is enabled, virtfs directories don't get created as needed. This explains both the failing chdir error, and the 'unable to check htaccess file' error.

The only known workaround at this point is to log into each user's shell account to ensure that the virtfs mount points get created before enabling jailed vhosts; alternately, forgo the use of jailed vhosts until case 72109 is resolved.

Even though the fix was easy enough to implement, I ultimately decided to go back to suPHP and just install the Symlink Race Condition Protection patch through EasyApache so I could continue using mod_security. I look forward to the day when mod_ruid2 is more robust. I'll miss those low load averages I had for such a brief amount of time =P

Thanks for your help Michael.
 
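The symptoms described in the post above (virtfs directories not created, the failing chdir, the unreadable .htaccess) can be mapped to accounts before jailed virtual hosts are enabled again. The script below is an added example, not part of the thread and not cPanel tooling; the function names, the symptom labels and the sample log lines are constructed, and it assumes each account's jail directory is `/home/virtfs/<account>`, as the log paths quoted in the thread suggest.

```shell
#!/bin/sh
# Added example, not cPanel tooling. Assumes account homes are <home_root>/<account>
# and jail directories are <virtfs_root>/<account>, as in the log paths in this thread.

# Constructed sample lines in the format of the error_log entries quoted above.
SAMPLE_LOG='[error] mod_ruid2 www.example.com GET / HTTP/1.1 chdir to /home/virtfs/alice failed
[crit] [client 192.0.2.10] (13)Permission denied: /home/alice/public_html/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
[error] [client 192.0.2.10] File does not exist: /home/bob/public_html
[error] mod_ruid2 www.example.org GET /a HTTP/1.1 chdir to /home/virtfs/alice failed'

# Read an Apache error log on stdin; print "<account> <symptom> <count>" per pair.
triage_log() {
    awk '
    function acct(path,   p) { split(path, p, "/"); return p[3] }  # /home/<acct>/...
    / chdir to \/home\/virtfs\/[^ ]+ failed/ {
        s = $0
        sub(/.* chdir to \/home\/virtfs\//, "", s)
        sub(/ failed.*/, "", s); sub(/\/.*/, "", s)
        n[s " virtfs_chdir_failed"]++; next
    }
    /Permission denied: \/home\/[^ ]+\/\.htaccess pcfg_openfile/ {
        s = $0; sub(/.*Permission denied: /, "", s)
        n[acct(s) " htaccess_denied"]++; next
    }
    /File does not exist: \/home\/[^ ]+\/public_html/ {
        s = $0; sub(/.*File does not exist: /, "", s)
        n[acct(s) " docroot_missing"]++
    }
    END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# List accounts that have a public_html but no directory under the virtfs root.
missing_virtfs() (
    home_root=$1; virtfs_root=$2
    for dir in "$home_root"/*/; do
        user=$(basename "$dir")
        [ -d "$dir/public_html" ] || continue
        [ -d "$virtfs_root/$user" ] || printf '%s\n' "$user"
    done
)

printf '%s\n' "$SAMPLE_LOG" | triage_log
# On a server: triage_log < /usr/local/apache/logs/error_log
#              missing_virtfs /home /home/virtfs
```

An account that appears in both outputs matches the pattern support attributes to case 72109; an account with `htaccess_denied` whose virtfs directory exists points back to the permission and ownership check suggested earlier in the thread.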

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Probably a good call. Running without modsecurity is ridiculous, no way I'll use mod_ruid2 in production until that's worked out. I literally cannot afford to run servers without modsecurity. I've gotten them to work together for the most part, but with settings I'm not really proud of.
 

cPanelMichael

A resolution for case 72109 was implemented with cPanel version 11.38.2.0. This version is currently available in the "Current" build tier, and will work its way down to the other build tiers over time per standard protocol. The change log is available at:

cPanel - Change Log

Thank you.
 

quizknows

It pretty well breaks ModSecurity. It's listed as incompatible in this information:

Apache Module: Ruid2

Until mod_ruid2 plays nicely with ModSecurity, there's absolutely no way I'd consider using ruid2. I have gotten it to work, but you have to make the logs world writeable so multiple UIDs can write to them (among other "tweaks"), which is a huge step backwards and not something I'd advise. I had to in that case to defend a DoS attack against a server already running mod_ruid2.

Personally, I lean toward cloudlinux with cagefs and securelinks on, and SuPHP. A lot friendlier and secure enough for most shared hosting applications.