The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Enabling jailed shell access results in internal server error

Discussion in 'Security' started by Erik1, Dec 30, 2014.

  1. Erik1

    Erik1 Member

    Joined:
    Dec 13, 2014
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I try to implement all recommendations from cPanel Security Advisor. But when I enable jailed shell access I get internal server error. What could be cause?
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Check the apache error log for details regarding the 500 error.
     
  3. Erik1

    Erik1 Member

    Joined:
    Dec 13, 2014
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    File does not exist: /home/myaccount/public_html/500.shtml
    File does not exist: /home/myaccount/public_html/404.shtml
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    There's got to be more than that. Any 500 error should detail why it's being triggered on the line(s) before that.
     
  5. Erik1

    Erik1 Member

    Joined:
    Dec 13, 2014
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Evertime I reload the page this error is added, nothing more:
    [Tue Dec 30 13:22:57 2014] [error] [client 84.197.217.112] File does not exist: /home/mydomain/public_html/500.shtml
     
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    That is odd. I recommend opening a ticket with your hosting provider or with cPanel to investigate.
     
  7. Erik1

    Erik1 Member

    Joined:
    Dec 13, 2014
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Finally found the apache error:
    [Wed Dec 31 06:46:55 2014] [error] [client 64.202.160.161] SecurityException in Application.cpp:186: Do not have root privileges. Executable not set-uid root?
    [Wed Dec 31 06:46:55 2014] [error] [client 64.202.160.161] Premature end of script headers: index.php


    I also found this:

    But I also read messages about people running that script and breaking their sites.

    Is it not easier just to disable EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell? I enabled it to improve security.
     
  8. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Sounds like a couple issues here. The SuPHP binary may be missing the suid flag,

    [root@new /usr/local/apache/conf]# stat /opt/suphp/sbin/suphp
    File: `/opt/suphp/sbin/suphp'
    Size: 2815240 Blocks: 5512 IO Block: 4096 regular file
    Device: fc03h/64515d Inode: 16247 Links: 1
    Access: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
    Access: 2014-12-30 18:12:38.000000000 -0500
    Modify: 2014-11-12 16:38:27.000000000 -0500
    Change: 2014-11-12 16:47:50.000000000 -0500

    It should be 4755, not just 755.

    File permissions should indeed be the correct user/group of the vhost (cPanel user) and equal to or less than 644 for files and 755 for directories.

    Again, I recommend opening a ticket with your hosting provider or with cPanel to investigate.
     
  9. Erik1

    Erik1 Member

    Joined:
    Dec 13, 2014
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks for your help! I did chat with support. They helped me but could not give exact solution. They said all changes are at my risk. I changed many settings to reduce the number of security warnings (installing Mod Ruid2, enabled EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell, enabling Apache Symlink Protection, ...). Now I changed suPHP to DSO, everything seems to work. I don't get any warnings in Security Advisor.
     
  10. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Ah yes, with RUID2 you want DSO. Since Apache runs as the user ID already under RUID2, there's no need for SuPHP in that case as far as I know.
     
  11. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I had exactly this issue 2 weeks ago.
    Mod_Ruid2 and suPHP cannot be run togther, it's ether one or the other but not both.

    sorry i'd not seen your post earlier.
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,834
    Likes Received:
    672
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
Loading...

Share This Page