Enabling jailed shell access results in internal server error

[Erik1]

I try to implement all recommendations from cPanel Security Advisor. But when I enable jailed shell access I get internal server error. What could be cause?

 

[quizknows]

Check the apache error log for details regarding the 500 error.

 

[Erik1]

File does not exist: /home/myaccount/public_html/500.shtml
File does not exist: /home/myaccount/public_html/404.shtml

 

[quizknows]

There's got to be more than that. Any 500 error should detail why it's being triggered on the line(s) before that.

 

[Erik1]

Evertime I reload the page this error is added, nothing more:
[Tue Dec 30 13:22:57 2014] [error] [client 84.197.217.112] File does not exist: /home/mydomain/public_html/500.shtml

 

[quizknows]

That is odd. I recommend opening a ticket with your hosting provider or with cPanel to investigate.

 

[Erik1]

Finally found the apache error:
[Wed Dec 31 06:46:55 2014] [error] [client 64.202.160.161] SecurityException in Application.cpp:186: Do not have root privileges. Executable not set-uid root?
[Wed Dec 31 06:46:55 2014] [error] [client 64.202.160.161] Premature end of script headers: index.php


I also found this:

When converting to suPHP one of the common problems admins see is customer websites showing “internal server errors”. Many times this is caused by incorrect permissions being set on the files and directories. The below code will help correct these permission problems by setting PHP files to 0600, directories to 0711, and files/directories to the proper user.group.
cd /var/cpanel/users/
/scripts/chownpublichtmls
for i in *;do find /home/$i/public_html -iname "*.php" -exec chmod -v 600 {} \;; find /home/$i/public_html/ -type d -exec chmod -v 711 {}
I run the script but get message: This script was removed because it was not possible to use it securely.
For more information, please see our documentation at:
http://go.cpanel.net/chownpublichtmls.

But I also read messages about people running that script and breaking their sites.

Is it not easier just to disable EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell? I enabled it to improve security.

 

[quizknows]

Sounds like a couple issues here. The SuPHP binary may be missing the suid flag,

[root@new /usr/local/apache/conf]# stat /opt/suphp/sbin/suphp
File: `/opt/suphp/sbin/suphp'
Size: 2815240 Blocks: 5512 IO Block: 4096 regular file
Device: fc03h/64515d Inode: 16247 Links: 1
Access: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2014-12-30 18:12:38.000000000 -0500
Modify: 2014-11-12 16:38:27.000000000 -0500
Change: 2014-11-12 16:47:50.000000000 -0500

It should be 4755, not just 755.

File permissions should indeed be the correct user/group of the vhost (cPanel user) and equal to or less than 644 for files and 755 for directories.

Again, I recommend opening a ticket with your hosting provider or with cPanel to investigate.

 

[Erik1]

Thanks for your help! I did chat with support. They helped me but could not give exact solution. They said all changes are at my risk. I changed many settings to reduce the number of security warnings (installing Mod Ruid2, enabled EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell, enabling Apache Symlink Protection, ...). Now I changed suPHP to DSO, everything seems to work. I don't get any warnings in Security Advisor.

 

[quizknows]

Ah yes, with RUID2 you want DSO. Since Apache runs as the user ID already under RUID2, there's no need for SuPHP in that case as far as I know.

 

[keat63]

I had exactly this issue 2 weeks ago.
Mod_Ruid2 and suPHP cannot be run togther, it's ether one or the other but not both.

sorry i'd not seen your post earlier.

 

[cPanelMichael]

Hello

Please also note some additional compatibility issues with Mod_Ruid2 as documented here:

Mod_Ruid2

Thank you.