The Community Forums


Do not have root privileges. Executable not set-uid root?

Discussion in 'Security' started by Spork Schivago, Jul 19, 2016.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    266
    Likes Received:
    20
    Trophy Points:
    18
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Hi.

    I just noticed I cannot get to my site at all. I'm looking at the /usr/local/apache/logs/error_log file and see a whole bunch of weird stuff. When I try going to my site, I get a "Too many redirects" error; however, I can still successfully access the WHM stuff.

    Here's what a snippet of the log looks like:
    Code:
    [Tue Jul 19 23:27:32.008113 2016] [mpm_prefork:notice] [pid 1005] AH00163: Apache/2.4.18 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 configured -- resuming normal operations
    
    [Tue Jul 19 23:27:32.008165 2016] [core:notice] [pid 1005] AH00094: Command line: '/usr/local/apache/bin/httpd -D SSL'
    
    [Tue Jul 19 23:30:04.205266 2016] [:error] [pid 1059] [client my_home_ip:56057] SecurityException in Application.cpp:186: Do not have root privileges. Executable not set-uid root?
    
    [Tue Jul 19 23:30:04.205338 2016] [core:error] [pid 1059] [client my_home_ip:56057] End of script output before headers: index.php
    
    [Tue Jul 19 23:30:04.205890 2016] [:error] [pid 1059] [client my_home_ip] ModSecurity: Access denied with redirection to http://example.com/ using status 302 (phase 4). Pattern match "^5\\\\d{2}$" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/RESPONSE-50-DATA-LEAKAGES.conf"] [line "14"] [id "970901"] [rev "3"] [msg "The Application Returned a 500-Level Status Code"] [data "Matched Data: 500 found within RESPONSE_STATUS: 500"] [severity "ERROR"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "Host: example.com"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-information disclosure"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"] [hostname "example.com"] [uri "/index.php"] [unique_id "V47wPGjudWkAAAQj9ukAAAAE"]
    

    Does anyone have any suggestions on what's wrong here? The "SecurityException in Application.cpp:186: Do not have root privileges. Executable not set-uid root?" line has me worried a bit.


    I also see at the bottom of the log:
    Code:
    [Tue Jul 19 23:31:11.502284 2016] [:error] [pid 1058] [client my_home_ip] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "example.com"] [uri "/index.php"] [unique_id "V47wf2judWkAAAQijwYAAAAD"]
    
    [Tue Jul 19 23:31:11.502390 2016] [:error] [pid 1058] [client my_home_ip] ModSecurity: Audit log: Failed to create subdirectories: /usr/local/apache/logs/audit/my_cpanel_username/20160719/20160719-2331 (Read-only file system) [hostname "example.com"] [uri "/index.php"] [unique_id "V47wf2judWkAAAQijwYAAAAD"]
    

    What did I mess up this time? Any suggestions are more than welcome. Thanks!
     
    #1 Spork Schivago, Jul 19, 2016
    Last edited by a moderator: Jul 20, 2016
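The error_log excerpt in the post above, parsed with a small script. This is an added example and not code from the original post or from cPanel; the sample lines are constructed, trimmed copies of the lines quoted above, with the poster's `my_home_ip` and `my_cpanel_username` placeholders kept. It pulls the `[key "value"]` tags out of each ModSecurity line and explains the "Too many redirects" symptom from what the log itself shows: rule 970901 answers the 500 from index.php with a 302 to http://example.com/, which is the same host the request was for, so the browser lands on index.php again, gets the same 500, and is redirected again. The "Do not have root privileges" text is suPHP's message when the handler is not running set-uid root and so cannot switch to the vhost user.

```python
"""Parse ModSecurity / Apache error_log lines and detect a redirect loop.

Added example, not code from the original post or from cPanel. SAMPLE_LOG is
a constructed, trimmed copy of the lines quoted in the post above.
"""
import re
from collections import Counter
from urllib.parse import urlparse

SAMPLE_LOG = r'''
[Tue Jul 19 23:30:04.205266 2016] [:error] [pid 1059] [client my_home_ip:56057] SecurityException in Application.cpp:186: Do not have root privileges. Executable not set-uid root?
[Tue Jul 19 23:30:04.205338 2016] [core:error] [pid 1059] [client my_home_ip:56057] End of script output before headers: index.php
[Tue Jul 19 23:30:04.205890 2016] [:error] [pid 1059] [client my_home_ip] ModSecurity: Access denied with redirection to http://example.com/ using status 302 (phase 4). Pattern match "^5\\d{2}$" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/RESPONSE-50-DATA-LEAKAGES.conf"] [line "14"] [id "970901"] [msg "The Application Returned a 500-Level Status Code"] [severity "ERROR"] [hostname "example.com"] [uri "/index.php"] [unique_id "V47wPGjudWkAAAQj9ukAAAAE"]
[Tue Jul 19 23:31:11.502284 2016] [:error] [pid 1058] [client my_home_ip] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "example.com"] [uri "/index.php"] [unique_id "V47wf2judWkAAAQijwYAAAAD"]
[Tue Jul 19 23:31:11.502390 2016] [:error] [pid 1058] [client my_home_ip] ModSecurity: Audit log: Failed to create subdirectories: /usr/local/apache/logs/audit/my_cpanel_username/20160719/20160719-2331 (Read-only file system) [hostname "example.com"] [uri "/index.php"] [unique_id "V47wf2judWkAAAQijwYAAAAD"]
'''

# Apache 2.4 error_log prefix: [timestamp] [module:level] [pid N] [client IP(:port)] message
PREFIX_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<module>[^\]]*)\] \[pid (?P<pid>\d+)\]'
    r'(?: \[client (?P<client>[^\]]+)\])? (?P<message>.*)$')
# ModSecurity appends [key "value"] tags; the value may contain escaped quotes.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
REDIRECT_RE = re.compile(r'Access denied with redirection to (\S+) using status (\d+)')


def parse_line(line):
    """Return a dict for one error_log line, or None if it is not one."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry['tags'] = {k: v for k, v in TAG_RE.findall(entry['message'])}
    r = REDIRECT_RE.search(entry['message'])
    entry['redirect_to'] = r.group(1) if r else None
    entry['redirect_status'] = int(r.group(2)) if r else None
    return entry


def classify(entry):
    """Label the failure modes seen in this thread by their message text."""
    msg = entry['message']
    if 'Do not have root privileges' in msg:
        return 'handler_not_setuid_root'      # suPHP could not switch user
    if 'End of script output before headers' in msg:
        return 'script_no_output'             # the resulting 500 from index.php
    if 'Access denied with redirection' in msg:
        return 'modsec_redirect'              # CRS 970901 turning 5xx into 302
    if 'collection_store' in msg and 'Permission denied' in msg:
        return 'modsec_collection_denied'     # SecDataDir not writable by the user
    if 'Audit log: Failed to create subdirectories' in msg:
        return 'modsec_audit_unwritable'      # audit dir read-only (jail)
    return 'other'


def parse_log(text):
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e:
            e['kind'] = classify(e)
            entries.append(e)
    return entries


def redirect_loops(entries):
    """Redirects whose target host equals the host the request was for."""
    loops = []
    for e in entries:
        if not e['redirect_to']:
            continue
        target = urlparse(e['redirect_to']).hostname
        if target and target == e['tags'].get('hostname'):
            loops.append((e['tags'].get('id'), e['tags'].get('uri'), e['redirect_to']))
    return loops


def summarize(text):
    entries = parse_log(text)
    return {'counts': dict(Counter(e['kind'] for e in entries)),
            'loops': redirect_loops(entries)}


if __name__ == '__main__':
    report = summarize(SAMPLE_LOG)
    for kind, n in report['counts'].items():
        print(f'{n:3d}  {kind}')
    for rule_id, uri, target in report['loops']:
        print(f'redirect loop: rule {rule_id} sends {uri} to {target} (same host)')
```

Run it against the real file with `python3 parse_modsec.py < /dev/null` after swapping `SAMPLE_LOG` for `open('/usr/local/apache/logs/error_log').read()`. A `redirect loop` line for rule 970901 is the signature of this thread's symptom: the data-leakage rule is doing its job, but its redirect target is the broken site itself.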
  2. Spork Schivago (Well-Known Member)
    This was crazy! Somehow, under Tweak Settings, there was some experimental feature turned on!!! No idea how that got turned on, it wasn't by me!!!! It was the EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell setting. Once I turned that off, it started working as expected again.

    The only issue now is the dreaded

    Code:
    ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied
    
    issue. I would really love to fix that so it doesn't fill the logs. If I could find a way to do away with it, I would. I think it has something to do with converting IP addresses to city / country of origin. That thing drives me nuts!!!
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Mod Security rules that require DBM functionality are not compatible with Mod_Ruid2. You can find discussion of this topic on the following thread:

    Mod RUID 2 and ModSecurity

    There's also additional discussion of this topic in the comments section on the following feature request:

    modsec compatability with caching and Mod_ruid2 and mpm_itk

    Thank you.
     
  4. Spork Schivago (Well-Known Member)
    Thanks cPanelMichael. It's a problem with usernames and permissions, right? I mean, what's the best solution, in your opinion? Disable mod_ruid2 or disable mod_security?

    I see movielad says, "I've found the OWASP rules do not work properly when mod_ruid2 is enabled alongside the experimental Jailshell with Apache. If I recompile with suPHP and use that instead, no problem at all."

    I don't have the experimental Jailshell for Apache setup. Maybe he means he disables mod_ruid2 and then uses just suPHP instead?

    From my understanding, this is how mod_ruid2 works:
    Apache starts up with root privileges to bind to ports 80 and 443 (if we have SSL). Then, because mod_ruid2 is installed, it'll switch Apache over so it's running as the user who owns the domain. That way, if someone finds an exploit in Apache, they'll not get root access, just the domain user's access.

    Mod_security, on the other hand, scans the traffic coming in for known attacks and other bad stuff. And then what? It blocks the people so they can't access my site ever, like csf / lfd? Or does it just block the attack and let them continue trying to find other ways in? If there's a way in that mod_security doesn't know about, and there are no rules set up to block that specific attack, if a hacker tries to get in, but the first attack they try gets blocked by mod_security, can they try again or are they completely blocked for good?

    To me, it seems modsecurity plays a more important role and perhaps I should disable mod_ruid2. But is there another alternative? Something else to use besides mod_ruid2?

    My understanding of suPHP is that it's very much like mod_ruid2, but instead of having Apache run as the domain owner's username, it executes PHP scripts as the domain owner's username. Not sure why movielad mentions suPHP. It seems that it has absolutely nothing to do with the problem. I'd imagine I could successfully have suPHP and mod_ruid2 enabled at the same time...

    I also see that people say I can just disable the mod_security rules that use DBM. What exactly is the DBM file for though? I couldn't find a lot of information on it but I didn't look for a very long time.

    What about setting some variables in /etc/httpd/conf/modsec2.user.conf file, like this:
    Code:
    SecUploadDir /tmp
    SecTmpDir /tmp
    SecDataDir /tmp
    SecRequestBodyAccess On
    
    And making /tmp/ip.dir and /tmp/ip.pag world writeable? Not necessarily the best option, but maybe better than disabling mod_ruid2 all together, right?
     
  5. Spork Schivago (Well-Known Member)
    It seems disabling the Apache jail experimental feature wasn't the right solution because now, I have an e-mail that says:

    Code:
    Apache vhosts are not segmented or chroot()ed. Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”
    
    Info Apache Apache Symlink Protection: mod_ruid2 loaded in Apache. mod_ruid2 is enabled in Apache. To ensure that this aids in protecting from symlink attacks, Jailed Apache needs to be enabled. If this is not set properly, you should see an indication in Security Advisor (this page) in the sections for “Apache vhosts are not segmented or chroot()ed” and “Users running outside of the jail”. If those are not present, your users should be properly jailed. Review Symlink Race Condition Protection for further information.
    
    Does CloudLinux cost money? Maybe that's the way to go. The user is already set to jailshell, but enabling the Jail Apache features seems to break my site.
     
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Cloudlinux is worth the money, otherwise I recommend not using RUID2 and just using the symlink patch in EasyApache, and of course, ModSecurity.

    After turning off ruid2 you may need to remove the collections file(s) and restart Apache so that they're re-created with correct permissions, i.e., delete /var/cpanel/secdatadir/ip.dir and ip.pag and then restart Apache.
     
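A check covering two points raised above: post #4 asks what the DBM file is for and whether pointing SecDataDir at /tmp with world-writable ip.dir/ip.pag is acceptable, and post #6 says to delete those two files and restart Apache so they are re-created with the right ownership. The script below is an added example, not cPanel's or either poster's code. The /var/cpanel/secdatadir path and the ip.dir/ip.pag names come from the thread; `/scripts/restartsrv_httpd` is assumed to be cPanel's Apache restart script. The DBM file is ModSecurity's persistent storage for the `ip` collection, the per-client state (in the OWASP CRS, counters keyed by source address) that has to survive across requests. Once mod_ruid2 has switched the worker to the vhost user, that user is the one opening the file, which is why the audit is run as a named cPanel user rather than as the Apache user. A `world-writable` finding is the trade-off in the /tmp idea: every local account could then read or tamper with that state.

```python
"""Audit and reset ModSecurity persistent-collection (SecDataDir) files.

Added example, not cPanel's or the forum posters' code. SECDATADIR and the
ip.dir/ip.pag names come from the thread; RESTART_CMD is an assumption
(cPanel's Apache restart script).
"""
import grp
import os
import pwd
import stat
import subprocess

SECDATADIR = "/var/cpanel/secdatadir"
RESTART_CMD = ["/scripts/restartsrv_httpd"]   # assumption: cPanel's restart script


def collection_paths(secdatadir=SECDATADIR, name="ip"):
    """The directory plus the two halves of the DBM file Apache creates for `name`."""
    return [secdatadir,
            os.path.join(secdatadir, name + ".dir"),
            os.path.join(secdatadir, name + ".pag")]


def can_write(mode, owner_uid, owner_gid, uid, gids):
    """POSIX write check for a process running as uid with supplementary gids.

    Exactly one class of bits applies: owner bits if uid owns the file, else
    group bits if the file's group is one of gids, else the 'other' bits.
    root (uid 0) bypasses the check.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def is_world_writable(mode):
    return bool(mode & stat.S_IWOTH)


def audit_paths(paths, uid, gids):
    """Map each path to 'missing', 'world-writable', 'writable' or 'not-writable'."""
    findings = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings[path] = "missing"
            continue
        mode = stat.S_IMODE(st.st_mode)
        if is_world_writable(mode):
            findings[path] = "world-writable"   # what chmod o+w under /tmp produces
        elif can_write(mode, st.st_uid, st.st_gid, uid, gids):
            findings[path] = "writable"
        else:
            findings[path] = "not-writable"     # the collection_store 'Permission denied' case
    return findings


def groups_of(username):
    """uid and full gid set of an account, as the kernel would see it."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def audit_for_user(username, secdatadir=SECDATADIR):
    """Run the audit as the vhost user mod_ruid2 would switch the worker to."""
    uid, gids = groups_of(username)
    return audit_paths(collection_paths(secdatadir), uid, gids)


def reset_collections(secdatadir=SECDATADIR, name="ip", dry_run=True):
    """Delete the DBM halves so Apache re-creates them on restart (post #6).

    Returns the paths that were (or, in dry-run mode, would be) removed.
    With dry_run=False the files are deleted and Apache is restarted.
    """
    removed = []
    for path in collection_paths(secdatadir, name)[1:]:
        if os.path.exists(path):
            removed.append(path)
            if not dry_run:
                os.remove(path)
    if not dry_run:
        subprocess.run(RESTART_CMD, check=True)
    return removed


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "nobody"
    for path, state in audit_for_user(user).items():
        print(f"{state:15} {path}")
    print("would remove:", reset_collections())
```

Run as root with the cPanel account name: `python3 audit_secdatadir.py my_cpanel_username`. With mod_ruid2 on, `not-writable` for ip.dir/ip.pag is the condition behind the `collection_store` error; after disabling mod_ruid2 and running `reset_collections(dry_run=False)`, the re-created files should audit as `writable` for the user Apache now runs as and never as `world-writable`.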
  7. Spork Schivago (Well-Known Member)
    What exactly is it? It's different than leasing one of those cloud servers, right? Is it a feature I can set up with my GoDaddy VPS and just configure it through cPanel or something? Would I need more than one server? If you have any links, I'd appreciate it. I've found this: https://cloudlinux.com/

    It sounds a bit like that Microsoft Azure, which is really pricey for someone like me. Thanks!
     
  8. quizknows (Well-Known Member)
    CloudLinux replaces some core RPMs on CentOS to make it better for shared hosting environments. Some VPS platforms support it; it depends on the virtualization. Your provider would know if it will work on your VPS. You would still only need one server.
     
  9. Spork Schivago (Well-Known Member)
    Thanks for the info. So I've decided at this point in time to disable mod RUID2 and enable the symlink patch. When I was scrolling through, I noticed there was a Postgres PHP module that was enabled but had an exclamation point next to it because I don't have Postgres installed. I don't want Postgres installed, but EasyApache 3 breaks if I disable that PHP module. Do I really need to have Postgres installed alongside MariaDB? If so, do I have to go through all the stuff like configuring it (it seems to use MD5 for some cPanel stuff, which I think is a horrible idea because of how many collisions there are with MD5 now) and create a username?

    **EDIT: I've since moved this to the database section because it's more about PostgreSQL than anything else. I did see on the internet some users claimed they were running Apache in the jail and using mod RUID2. There's no way to have both enabled, eh? Like moving some files somewhere else and changing config options?
     
    #9 Spork Schivago, Jul 21, 2016
    Last edited: Jul 21, 2016
  10. Spork Schivago (Well-Known Member)
    Hrmm, I don't understand why every time I enable the Apache Jail and the mod RUID2 setting, my server stops working and I get lots of errors. Do I have to turn something else off? Like maybe pick something besides suPHP for the PHP handler or turn off suEXEC? I get error messages about too many redirects. The Apache symlink patch doesn't seem to be the best option. I get an e-mail from the cPanel Security Advisor complaining that it isn't the safest.

    The only way I can seem to get the Apache jail working is to have suPHP enabled with mod_RUID2 off. I'd like to keep mod_RUID2 on if I could but still use the jail without my site breaking.
     
  11. Spork Schivago (Well-Known Member)
    If I have mod_RUID2 enabled, Apache Jail enabled, suEXEC on, suPHP disabled, DSO on (for the PHP handler), the website works but there are errors in the log. Stuff like:
    Code:
    [Fri Jul 22 14:35:56.624015 2016] [:error] [pid 27028] [client home_ip_address] ModSecurity: Audit log: Failed to create subdirectories: /usr/local/apache/logs/audit/domain_name_owner's_username/20160722/20160722-1435 (Read-only file system) [hostname "jetbbs.com"] [uri "/index.php"] [unique_id "V5JnjGjudWkAAGmUVBgAAAAA"]
    So is RUID2 just not compatible with Apache Jail?
     
  12. Spork Schivago (Well-Known Member)
    I think I figured it out. I upgraded to V58 and finally made the switch to EasyApache 4, which makes things a bit easier, because it prevents me from installing conflicting packages. I think I got a good provision or whatever they're called now. Ruid2 is disabled, suEXEC and suPHP are enabled and supposedly modsecurity is enabled as well, but the logs aren't populating under the /audit directory for some reason. I'm wondering if there's anything I have to do. I notice the two files in /etc/apache2/conf.d/modsec are empty. I'm wondering if it's actually set up properly or if there's something else I need to do.
     
  13. cPanelMichael (Forums Analyst, Staff Member)
    I'm happy to see this particular issue is now addressed. Feel free to open a separate thread for the Mod_Security issue so we can take a closer look.

    Thank you.
     