seb.witt

Member
Oct 21, 2018
Germany
cPanel Access Level
Root Administrator
Hello, so I'm hosted on an OpenVZ VPS, CentOS 7.5.

I'm pretty new to all this, so forgive my lack of knowledge.

Am I right that the only way to get
Code:
Apache vhosts are not segmented or chroot()ed
is by using mpm_prefork + ruid2? As I'd much rather stay with mpm_event and HTTP/2 support.

As for
Code:
Kernel does not support the prevention of symlink ownership attacks
This is, according to my host, not possible in an OpenVZ container. Is there any workaround without switching the MPM like above?

I used SymLinksIfOwnerMatch, but I suppose this doesn't really change anything. Also would love to avoid the Bluehost patch set, which is supposed to be less than ideal even leaving out the extra server load.

Is all this even important when just my own sites sit on the VPS? Most likely it will just be a single site.

Thank you
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Am I right that the only way to get
Code:
Apache vhosts are not segmented or chroot()ed
is by using mpm_prefork + ruid2? As I'd much rather stay with mpm_event and HTTP/2 support.
Hello,

That's correct. You'd need to use Mod_Ruid2 with the "EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell" option enabled in "WHM >> Tweak Settings" to address that warning (which would prevent you from using HTTP2).

The alternative is to purchase CloudLinux and use the included CageFS feature.

I used SymLinksIfOwnerMatch, but I suppose this doesn't really change anything. Also would love to avoid the Bluehost patch set, which is supposed to be less than ideal even leaving out the extra server load.
We document the available options to address this warning at:

Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

On an OpenVZ environment, the SecureLinks feature in CloudLinux is what you'd need to use:

CloudLinux - Main | New template

Thank you.
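
Added example, not part of either post and not cPanel or CloudLinux tooling: a point-in-time audit that walks a document root and reports symlinks whose target is owned by a different user than the link, which is the same ownership comparison SymLinksIfOwnerMatch makes at request time. The function name and the `account_uid` parameter are assumptions made for this sketch; the directory to scan is supplied by the caller.

```python
import os

def audit_symlinks(root, account_uid=None):
    """Report symlinks under root whose target cannot be resolved or is
    owned by a different uid than the link (or than account_uid, if given).
    Returns a sorted list of (link_path, link_target, reason) tuples."""
    findings = []
    # followlinks=False: symlinked directories are listed but never descended into
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            link_uid = os.lstat(path).st_uid        # owner of the link itself
            expected = link_uid if account_uid is None else account_uid
            try:
                target_uid = os.stat(path).st_uid   # follows the link to its target
            except OSError:
                # missing target, symlink loop, or permission denied on the way
                findings.append((path, os.readlink(path), "unresolvable"))
                continue
            if target_uid != expected:
                findings.append((path, os.readlink(path), "owner-mismatch"))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    # usage: python audit_symlinks.py <docroot>
    for path, target, reason in audit_symlinks(sys.argv[1]):
        print(f"{reason}\t{path} -> {target}")
```

This only shows the state of the tree at the moment of the scan; it does not close the race between Apache's ownership check and the file open, which is what the kernel-level and CloudLinux options discussed above address.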