Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Jail Apache or disabled

Discussion in 'EasyApache' started by toplisek, Dec 6, 2017.

  1. toplisek

    toplisek Well-Known Member

    Joined:
    Jan 7, 2010
    Messages:
    128
    Likes Received:
    7
    Trophy Points:
    68
    I like to know if Enable “Jail Apache” and also change users to jailshell in the “Manage Shell Access” area will be better solution and advised as the current setting for users: Disabled Shell.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,367
    Likes Received:
    1,857
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    No, that option is applied in both cases (jailed shell and disabled shell). There's no need to enable jailed shell access.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. toplisek

    toplisek Well-Known Member

    Joined:
    Jan 7, 2010
    Messages:
    128
    Likes Received:
    7
    Trophy Points:
    68
    Security Advisor> mod_ruid2 is enabled in Apache. To ensure that this aids in protecting from symlink attacks, Jailed Apache needs to be enabled. If this not set properly, you should see an indication in Security Advisor (this page) in the sections for “Apache vhosts are not segmented or chroot()ed” and “Users running outside of the jail”.

    Also security issue:
    Apache vhosts are not segmented or chroot()ed. Enable “Jail Apache” in the Tweak settings and and change users to jailshell.

    What is actually the correct way in this examples?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,367
    Likes Received:
    1,857
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Yes, that's referring to the following option under the "Security" tab in "WHM >> Tweak Settings":

    EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell.

    Per it's description:

    If mod_ruid2 is compiled in via EasyApache, mod_ruid2 is enabled, and a user has their shell set to jailshell or noshell, enabling this option will chroot() a user's Apache Virtual Host into the cPanel® jailshell environment. Each user will require 14 bind mounts. While modern Linux supports a very large number of bind mounts, many processes read /proc/mounts (even mkdir on RHEL 5 and CentOS 5). Reading /proc/mounts can be quite expensive when it becomes large. We strongly recommend that you do not exceed 256 jailed users unless you use RHEL, CentOS, or CloudLinux™ 6 or higher.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. toplisek

    toplisek Well-Known Member

    Joined:
    Jan 7, 2010
    Messages:
    128
    Likes Received:
    7
    Trophy Points:
    68
    So, due to security is the best to disable mod_ruid2 in Apache.
    1. What will actually happen when I disable this option?
    2. Which command to use to disable this or perform inside WHM?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,367
    Likes Received:
    1,857
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you elaborate further on how disabling Mod_Ruid2 is better for security? I want to make sure you are correctly understanding the previous responses.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice