Bashed

One thing I'd like to point out is because I'm running cPanel v60, the Bluehost patch is installed, albeit disabled, so I skipped the part that says Skip if not using the Bluehost patch.
Confused about this. I do not use Bluehost nor familiar with any of their patches. I have my own server colocated elsewhere (if that's what you're asking).

I'll check out the script now, thank you very much. I appreciate your kind help.
 

Spork Schivago

There's a vulnerability with Linux and symlinks. There's a race condition that can happen. There are various patches that can fix this problem. It really comes into play when you run a webserver where people can upload files. They can upload a symbolic link and gain access to files that they normally have no access to (i.e., /etc/shadow).

One of the patches is made by Bluehost and it patches Apache. It doesn't patch PHP or anything else. Another patch is a kernel patch, which is better, because it fixes it for all programs. cPanel provides the Bluehost patch with EA3. You can turn it on or off. When you run the security advisor, if the Bluehost patch is turned off, it should give you a warning saying there's no symlink protection.

With EA4, they removed the Bluehost patch because there are better alternatives (i.e., running CageFS or CloudLinux, using the kernel patch, etc.). With cPanel v60 (and possibly v58), they've included the patch but it's disabled. To my knowledge, there isn't a way to turn it on yet (if you're running EA4). But it's still installed, just disabled. The instructions say if you have it installed (and they don't mention if it's enabled or disabled).

If you're running cPanel of any version, you probably have some form of the patch, enabled or disabled.

What version of cPanel do you run? You run EA4, not EA3, right? I bet it's installed but not enabled. If you go to WHM >> Security Advisor, you can hit Scan Now or whatever it is, and if you see a message saying something along the lines of No Symlink Protection, you definitely don't have the patch. If you run the advisor and don't see any messages about not having symlink protection, if you didn't specifically patch your kernel and you're not running CloudLinux, you could probably assume you're using the Bluehost patch.

I hope this helps.
 

Spork Schivago

Hrmm, I have the same setup. The same version of CentOS, EA4, cPanel / WHM 60.0.28. I have no third party patches installed but I receive:

Code:
Apache Symlink Protection is enabled
There's another way to gain symlink protection. It involves enabling Apache Jail Shell, among some other things, if memory serves. Maybe that's how I'm getting the protection? I dunno.

Anyway, I couldn't clone the repo that you need to clone if you don't have symlink protection enabled. Were you able to clone it?
Code:
mkdir -p /root/rpmbuild/temp
git clone https://github.com/Cacasap/apr.git /root/rpmbuild/temp
?

If not, perhaps that's why your build is failing. Maybe I do have the Bluehost patch enabled somehow and perhaps that's why my build succeeds? Whenever I run git clone on that repo, I'm asked for credentials.

Did you have a chance to look through the scripts? For what it's worth, you should never run a script without looking through it first, especially if someone in a forum gives it to you. You should go through and just look at the various commands, make sure everything's right. Even if the person doesn't mean to cause trouble, they might have a typo like rm -rf / root/rpmbuild. That'd erase / and ./root/rpmbuild. Erasing / would be very bad!

Let me know if you see anything that looks wrong or if you need clarification on what some of the commands do in the script. At this point in time, I'd run it without changing the comments and see if it makes it past the step you were getting stuck on. I'd maybe edit the script and comment everything else out under that one step, just so it stops after processing that step where you were getting stuck, to verify it actually succeeds. I didn't do any error checking in the scripts. I just ran the commands and assumed they all worked. With the remove script, I didn't check to see if the files existed before removing them, so you might get a file not found message here or there.

Please let me know how it turns out for you and if it gets you any further. Thanks!
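An added example (not code from this thread or from the scripts it discusses) of the kind of guard the post above argues for: a remove helper that refuses the "rm -rf / root/rpmbuild" typo (a stray space turning one path into two, one of them "/") and checks that the path exists before removing it, rather than relying on rm's "file not found" messages. The function name and the scratch directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the scripts it discusses.
# A defensive remove helper for a cleanup script such as the "remove script"
# mentioned above: it refuses the "rm -rf / root/rpmbuild" typo (a stray space
# turning one path into two, one of them "/") and checks that the path exists
# before removing it, instead of relying on rm's "file not found" noise.

# safe_rm PATH
# Removes PATH only when it is a single, absolute path at least two components
# deep (so never "/" or a top-level directory like /root) and it exists.
# Returns 0 on removal, 1 with a message on stderr otherwise.
safe_rm() {
    if [ "$#" -ne 1 ]; then
        # "rm -rf / root/rpmbuild" would arrive here as two arguments.
        echo "safe_rm: expected exactly one path, got $#" >&2
        return 1
    fi
    target=$1
    case "$target" in
        /)     echo "safe_rm: refusing to remove /" >&2; return 1 ;;
        /*/*)  ;;   # absolute and below a top-level directory: acceptable
        *)     echo "safe_rm: refusing '$target': must be absolute and below a top-level directory" >&2
               return 1 ;;
    esac
    # -L catches a dangling symlink, which -e alone would report as missing.
    if [ ! -e "$target" ] && [ ! -L "$target" ]; then
        echo "safe_rm: '$target' does not exist, nothing to remove" >&2
        return 1
    fi
    # "--" stops a path beginning with "-" from being parsed as an option.
    rm -rf -- "$target"
}

# Constructed demo: a scratch tree standing in for /root/rpmbuild/temp.
demo=$(mktemp -d)
mkdir -p "$demo/rpmbuild/temp"
safe_rm "$demo/rpmbuild/temp" && echo "removed $demo/rpmbuild/temp"
safe_rm "$demo/rpmbuild/temp"   # second call: already gone, reports and returns 1
safe_rm /                       # refused
safe_rm / root/rpmbuild         # the typo from the post: two arguments, refused
rm -rf -- "$demo"
```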
 

RWH Tech

Guys, APR no longer needs to be built since Cpanel enabled the Bluehost patch. I removed it from my github and it's absent in my followup post with updated instructions.
Also looks like they finally got around to adding the UI component for it (symlink) under Apache config.

On another note, Apache has been updated to .25 and has an incompatibility with http2, causing it to segfault. This has been reported and patched in the Apache SVN. I've incorporated the fix in my Apache tar and I'll be updating the git later today, after testing the final git on a clean VM.
 

Bashed

Anyway, I couldn't clone the repo that you need to clone if you don't have symlink protection enabled. Were you able to clone it?
I just tried with and without symlink protection, both times it requested user/pw. Strange, I don't recall seeing that the first time around.
 

Spork Schivago

Guys, APR no longer needs to be built since Cpanel enabled the Bluehost patch. I removed it from my github and it's absent in my followup post with updated instructions.
Also looks like they finally got around to adding the UI component for it (symlink) under Apache config.

On another note, Apache has been updated to .25 and has an incompatibility with http2, causing it to segfault. This has been reported and patched in the Apache SVN. I've incorporated the fix in my Apache tar and I'll be updating the git later today, after testing the final git on a clean VM.
Thanks for the update! Maybe I followed your follow-up instructions. It wasn't until I started writing the script that I noticed the stuff for the Bluehost patch. I thought when I tried the instructions on my CentOS installation, perhaps I skipped over them by accident.

So I'm a bit confused. I apologize if this is a naive question, but this gives us HTTP/2 support through Apache, right? I am interested in running that on my server. For some reason, I was thinking this was for another web server that I didn't want to run. Will cPanel replace the modified HTTP/2 version of Apache that your instructions build with the normal copy? How does this special version of Apache not conflict with the cPanel version of Apache? Thanks!
 

Spork Schivago

I just tried with and without symlink protection, both times it requested user/pw. Strange, I don't recall seeing that the first time around.
You should have those lines commented out (with #'s). Did you comment them out? The ones that mention the bluehost symlink patch in the script? If so, you shouldn't be getting any prompts for authentication with the github repository, unless it's temporarily removed because of the segfault conditions.

Make sure the git clone statement is commented out (in the Bluehost section of the script) along with the lines below it, at least until the next section. All the lines in the bluehost patch section need a # in front of them.
 

RWH Tech

Got tied up with work. 2.4.25 is up. This provides HTTP/2 through Apache and Cpanel updates will not affect it unless they update Apache to a new version, in which case I also follow suit. Gotta run!
 

Spork Schivago

Hrmm. RWH Tech, I talked to cPanel about this once and was under the impression they didn't plan on supporting HTTP/2 in Apache yet because they'd need to include a newer version of libopenssl. I was under the impression that including a newer version of openssl was a lot of work. But your steps were pretty painless and there really wasn't a lot of work, which makes me wonder why cPanel cannot simply provide a separate RPM for Apache with HTTP/2 support or why not just include the newer version of OpenSSL and Apache with HTTP/2 support and replace the current Apache RPM.

I wish there was a way to tell cPanel to always grab Apache from the local repository rather than from the cPanel repository, so no matter what, it'd always install your modified version. I know HTTP/2 is backwards compatible with HTTP, so you shouldn't have to rewrite your websites when you implement HTTP/2, but I wonder if there's any HTTP/2 specific stuff that you could use when writing your website. For example, could I write my website in such a way that it works with HTTP/2 but does not work with HTTP/1? If so, then when cPanel replaces the HTTP/2 Apache with their non-HTTP/2 Apache, this could cause serious problems for some. Their website might not be accessible until they realize that Apache has been replaced and redo the various steps of yours.

Thanks for showing us how to do this. It's much appreciated. HTTP/2 is something I've wanted for a while now. I would have never figured this out on my own!
 

RWH Tech

It took me a lot of work and time because I don't know what I'm doing and had to do a lot of googling, but cpanel could easily implement it, perhaps as a separate option on EA4 that would install the parallel OpenSSL and an Apache HTTP/2-enabled RPM.

I wish there was a way to tell cPanel to always grab Apache from the local repository rather than from the cPanel repository
I don't like this because if there's an Apache update that squashes something critical and I'm in the middle of a week-long drunken murder spree, then people will be exposed. Of course, this can also happen with OpenSSL.

I also don't know if there's anything HTTP/2-specific people can do to their sites that will break them with HTTP/1.1, perhaps some front-end person can chime in.
I'd say that anything that's HTTP2-specific not running on a HTTP2 server would just be ignored since the server would negotiate HTTP1.1 with the browser, but hey, what do I know?

Typically, I'll have Apache updated before Cpanel does, but this time I had to track down and find the fix for the segfault caused by some http2 .c file.

I also did HTTP/2 in EA3, back in the day, it's still up on my site and was a lot less fun to do, but worked reliably. Once I saw HTTP2 on EA4 was stable, I shared it here, figured I'd give something back.
 

Spork Schivago

...I don't like this because if there's an Apache update that squashes something critical and I'm in the middle of a week-long drunken murder spree, then people will be exposed. Of course, this can also happen with OpenSSL.
Well, I was thinking of not even using your github repository and just grabbing the files manually. Is there something that needs to be changed in Apache or something? I haven't looked at your github commits but I'll browse through them. Essentially, just maintaining the updates myself on my own server, with cPanel not overwriting them.

If there are changes that need to be done to Apache (and I'd imagine there are, seeing how you're providing the software via a github repository, rather than linking to it directly), maybe it'd be beneficial to post what you did to the various packages, in case something ever happens and you cannot maintain the repository anymore. People would have the full set of instructions and be able to just download the various packages from their respective websites, make the necessary changes, configure and build the various packages and RPMs, and then install them.

...Typically, I'll have Apache updated before Cpanel does, but this time I had to track down and find the fix for the segfault caused by some http2 .c file.

I also did HTTP/2 in EA3, back in the day, it's still up on my site and was a lot less fun to do, but worked reliably. Once I saw HTTP2 on EA4 was stable, I shared it here, figured I'd give something back.
Cool and thank you very much for sharing.

When I got cPanel for the first time, I noticed the various webmail clients were a bit outdated. I found a way to get cPanel to install the latest versions by taking advantage of one of their scripts that was designed just to replace the default configuration with a custom configuration. I had it always install my downloaded and custom configured versions after it installed the normal versions (Roundcube, Horde, etc.). This worked well, but I stopped updating them and then one day, I went and checked, and cPanel actually was providing a newer version than what I was having installed, so I undid it and just decided to let cPanel handle the mail clients.

I should have shared with others though, so other people could have benefited from it.
 

RWH Tech

The only time I've modified Apache was for this last update (2.4.25) to include a fixed whatever file that was (some .c file related to http/2). The fix is supposed to be backported from the Apache trunk, so it'll be fixed in .26 and the standard package can be used again.
I should've included it as a patch, instead of modifying the release archive, but I didn't have the time or patience to deal with it.

As far as the other changes, running a compare in github against the original spec will show what's been done.
The OpenSSL spec I grabbed from somewhere and modified.

I reckon eventually Cpanel will finally cave and add HTTP/2 support, then the project can be retired as you've retired yours.
The thing about sharing this stuff is that it needs to be stable and bulletproof, especially if you're a cranky admin who doesn't like holding hands.