The Community Forums


Sec. Advisor: Apache Symlink Protection: mod_ruid2 loaded in Apache

Discussion in 'Security' started by postcd, Sep 12, 2014.

  1. postcd

    postcd Well-Known Member


    How can I fix these errors returned by the WHM Security Advisor, please?

    I have Apache: 2.2.27
    Default PHP Version (.php files) 5
    PHP 5 Handler suphp
    Apache suEXEC on
    Apache Ruid2 on
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. postcd

    postcd Well-Known Member

    Yes, I'm sorry, I don't understand this:

    "This is less optional"

    and regarding the second one (mod_ruid2),

    I'm not sure what this option does: "EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell. [?]" in Server Configuration » Tweak Settings, Security tab.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Less than optimal means that while the patch might help some, it's safer to use the "Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell" feature included with cPanel. Per its description:

    If mod_ruid2 is compiled in via EasyApache, mod_ruid2 is enabled, and a user has their shell set to jailshell or noshell, enabling this option will chroot() a user's Apache Virtual Host into the cPanel® jailshell environment. Each user will require 14 bind mounts. While modern Linux supports a very large number of bind mounts, many processes read /proc/mounts (even mkdir on RHEL 5 and CentOS 5). Reading /proc/mounts can be quite expensive when it becomes large. It is highly recommended that you do not exceed 256 jailed users unless you are using RHEL 6 or CentOS 6.

    Thank you.
     
  5. postcd

    postcd Well-Known Member

    Thanks Michael,
    it would be handy if the WHM developers added some tooltips to their claims. For example, I mouse over the phrase "This is less optional" and it could show a bubble with an explanation of why, or a link to an article explaining it.

    Regarding mod_ruid2, is it explained anywhere in simple phrases what it does? I'm asking because I don't understand the explanation you just pasted - "user has their shell set to jailshell or noshell" - if you can explain that in other words. Thanks.
     
  6. ITGabs

    ITGabs Well-Known Member

    That is regarding the shell, i.e. when the user account has access to connect to the server by SSH, for example using PuTTY.

    The jailshell or noshell options are a way to restrict how much the user can do inside the system. As an example, with a normal shell the user can read, or maybe write, some files inside the server or in other user accounts when the permissions are weak, or by using another service or script that can bypass that permission security (chmod, chown).

    With jailshell there is a new layer: the user can still access many things, but he is running in a new mount, a kind of virtual disk, that confines the changes made by the user to their own user account and settings, without affecting the entire server or other users' folders (in theory; nothing is 100% safe).

    noshell is quite restricted, mostly to use SFTP, maybe tunneling; I'm not sure, but you can imagine just a few SSH features allowed in this mode.

    There are other 'shells', script shells that use advanced functions from PHP, Perl etc., and those are handled (from the security point of view) the same as the shell of the user, normal, jailshell or noshell, but with some differences.

    Everything is related to what happens if you try to read other files or folders outside your account. You can try, as an example (black hat point of view):

    from putty
    Code:
    cat '/home/notyouruser/public_html/wp-config.php'
    from php
    Code:
    echo file_get_contents('/home/notyouruser/public_html/wp-config.php');
    from php using shell functions (back tick)
    Code:
    echo `cat '/home/notyouruser/public_html/wp-config.php'`;
    or using '/etc/named.conf' instead of '/home/notyouruser/public_html/wp-config.php', which should be the first thing a hacker will try to look at.

    And even having all this in mind, the symlink race can bypass any of these restrictions.
    The difference between mod_ruid2 and the patches is that ruid2 stops any symlink race, whereas the patches catch the symlink attempts, report them and take action; but the symlink race condition still exists with the patches, so maybe you are still vulnerable in another way.

    And it depends on the configuration and how you are running PHP (suphp, fastcgi, cgi or mod_php) on your servers, and on other settings like opendir from PHP or from Apache.
     
    #6 ITGabs, Sep 14, 2014
    Last edited: Sep 14, 2014
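The condition the symlink patches and mod_ruid2 jail are guarding against above is a symlink inside one account's public_html that resolves into another account's files. As an added illustration (not code from ITGabs or from cPanel), the following audit walks a constructed home layout and reports exactly that, plus the owner mismatch that SymLinksIfOwnerMatch checks; on a real server you would point it at /home.

```python
import os
import tempfile
from pathlib import Path


def audit_symlinks(home_root):
    """Report symlinks under <account>/public_html whose target resolves
    outside that account's own home, is dangling, or is owned by a
    different uid than the link (the SymLinksIfOwnerMatch rule)."""
    findings = []
    for home in sorted(Path(home_root).iterdir()):
        docroot = home / "public_html"
        if not docroot.is_dir():
            continue
        home_real = home.resolve()
        # os.walk does not follow symlinked dirs, but still lists them in dirs
        for root, dirs, files in os.walk(docroot):
            for name in dirs + files:
                link = Path(root) / name
                if not link.is_symlink():
                    continue
                try:
                    target = link.resolve(strict=True)
                except OSError:
                    findings.append((str(link), None, "dangling symlink"))
                    continue
                if target != home_real and home_real not in target.parents:
                    findings.append((str(link), str(target), "target outside owner's home"))
                elif os.lstat(link).st_uid != os.stat(target).st_uid:
                    findings.append((str(link), str(target), "link and target owned by different uids"))
    return findings


def build_demo():
    """Constructed sample layout: two accounts, one of which links into the other."""
    base = Path(tempfile.mkdtemp(prefix="symlink-audit-"))
    alice_conf = base / "alice" / "public_html" / "wp-config.php"
    alice_conf.parent.mkdir(parents=True)
    alice_conf.write_text("<?php /* constructed sample */ define('DB_PASSWORD', 'x');")
    bob_pub = base / "bob" / "public_html"
    bob_pub.mkdir(parents=True)
    (bob_pub / "ok.txt").write_text("harmless")
    (bob_pub / "self-link").symlink_to(bob_pub / "ok.txt")    # stays inside bob's home: no finding
    (bob_pub / "cross-link").symlink_to(alice_conf)           # points into alice's home: finding
    (bob_pub / "broken-link").symlink_to(bob_pub / "missing")  # dangling: finding
    return base


if __name__ == "__main__":
    for link, target, reason in audit_symlinks(build_demo()):
        print(f"{reason}: {link} -> {target}")
```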
  7. postcd

    postcd Well-Known Member

    Thanks for your input. So if I understand properly, if I don't enable SSH access for any cPanel accounts, I don't need to care about the WHM option "Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell."
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    No, that is not accurate. This option includes accounts set to "noshell", meaning no shell access granted.

    If mod_ruid2 is compiled in via EasyApache, mod_ruid2 is enabled, and a user has their shell set to jailshell or noshell, enabling this option will chroot() a user's Apache Virtual Host into the cPanel® jailshell environment. Each user will require 14 bind mounts. While modern Linux supports a very large number of bind mounts, many processes read /proc/mounts (even mkdir on RHEL 5 and CentOS 5). Reading /proc/mounts can be quite expensive when it becomes large. It is highly recommended that you do not exceed 256 jailed users unless you are using RHEL 6 or CentOS 6.

    Thank you.
     