Enabling jailed shell access results in internal server error

Erik1

Member
Dec 13, 2014
24
1
3
cPanel Access Level
Root Administrator
I try to implement all recommendations from cPanel Security Advisor. But when I enable jailed shell access I get internal server error. What could be cause?
 

Erik1

Member
Dec 13, 2014
24
1
3
cPanel Access Level
Root Administrator
Evertime I reload the page this error is added, nothing more:
[Tue Dec 30 13:22:57 2014] [error] [client 84.197.217.112] File does not exist: /home/mydomain/public_html/500.shtml
 

Erik1

Member
Dec 13, 2014
24
1
3
cPanel Access Level
Root Administrator
Finally found the apache error:
[Wed Dec 31 06:46:55 2014] [error] [client 64.202.160.161] SecurityException in Application.cpp:186: Do not have root privileges. Executable not set-uid root?
[Wed Dec 31 06:46:55 2014] [error] [client 64.202.160.161] Premature end of script headers: index.php


I also found this:

When converting to suPHP one of the common problems admins see is customer websites showing “internal server errors”. Many times this is caused by incorrect permissions being set on the files and directories. The below code will help correct these permission problems by setting PHP files to 0600, directories to 0711, and files/directories to the proper user.group.
cd /var/cpanel/users/
/scripts/chownpublichtmls
for i in *;do find /home/$i/public_html -iname "*.php" -exec chmod -v 600 {} \;; find /home/$i/public_html/ -type d -exec chmod -v 711 {}
I run the script but get message: This script was removed because it was not possible to use it securely.
For more information, please see our documentation at:
http://go.cpanel.net/chownpublichtmls.
But I also read messages about people running that script and breaking their sites.

Is it not easier just to disable EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell? I enabled it to improve security.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Sounds like a couple issues here. The SuPHP binary may be missing the suid flag,

[[email protected] /usr/local/apache/conf]# stat /opt/suphp/sbin/suphp
File: `/opt/suphp/sbin/suphp'
Size: 2815240 Blocks: 5512 IO Block: 4096 regular file
Device: fc03h/64515d Inode: 16247 Links: 1
Access: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2014-12-30 18:12:38.000000000 -0500
Modify: 2014-11-12 16:38:27.000000000 -0500
Change: 2014-11-12 16:47:50.000000000 -0500

It should be 4755, not just 755.

File permissions should indeed be the correct user/group of the vhost (cPanel user) and equal to or less than 644 for files and 755 for directories.

Again, I recommend opening a ticket with your hosting provider or with cPanel to investigate.
 

Erik1

Member
Dec 13, 2014
24
1
3
cPanel Access Level
Root Administrator
Thanks for your help! I did chat with support. They helped me but could not give exact solution. They said all changes are at my risk. I changed many settings to reduce the number of security warnings (installing Mod Ruid2, enabled EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell, enabling Apache Symlink Protection, ...). Now I changed suPHP to DSO, everything seems to work. I don't get any warnings in Security Advisor.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Ah yes, with RUID2 you want DSO. Since Apache runs as the user ID already under RUID2, there's no need for SuPHP in that case as far as I know.
 

keat63

Well-Known Member
Nov 20, 2014
1,959
266
113
cPanel Access Level
Root Administrator
I had exactly this issue 2 weeks ago.
Mod_Ruid2 and suPHP cannot be run togther, it's ether one or the other but not both.

sorry i'd not seen your post earlier.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,245
463
Hello :)

Please also note some additional compatibility issues with Mod_Ruid2 as documented here:

Mod_Ruid2

Thank you.