Sec. Advisor: Apache Symlink Protection: mod_ruid2 loaded in Apache

postcd

Well-Known Member
Oct 22, 2010

How can I fix these errors returned by the WHM Security Advisor, please?

I have Apache: 2.2.27
Default PHP Version (.php files) 5
PHP 5 Handler suphp
Apache suEXEC on
Apache Ruid2 on
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Could you let us know which part of those messages you are unsure about?

Thank you.
 

postcd

Well-Known Member
Oct 22, 2010
Hello :)

Could you let us know which part of those messages you are unsure about?

Thank you.
Yes, I'm sorry, I don't understand this:

"This is less optional"

and regarding the second one (mod_ruid2):

I'm not sure what this option does: "EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell. [?]" in Server Configuration » Tweak Settings, Security tab.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Less than optimal means that while the patch might help some, it's safer to use the "Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell" feature included with cPanel. Per its description:

If mod_ruid2 is compiled in via EasyApache, mod_ruid2 is enabled, and a user has their shell set to jailshell or noshell, enabling this option will chroot() a user's Apache Virtual Host into the cPanel® jailshell environment. Each user will require 14 bind mounts. While modern Linux supports a very large number of bind mounts, many processes read /proc/mounts (even mkdir on RHEL 5 and CentOS 5). Reading /proc/mounts can be quite expensive when it becomes large. It is highly recommended that you do not exceed 256 jailed users unless you are using RHEL 6 or CentOS 6.

Thank you.
 

postcd

Well-Known Member
Oct 22, 2010
Thanks Michael,
It would be handy if the WHM developers added some tooltips to their claims. For example, I mouse over the phrase "This is less optional" and it could show a bubble with an explanation of why, or a link to an article with the explanation.

Regarding mod_ruid2, is there anywhere it is explained in simple phrases what it does? I'm asking because I don't understand the explanation you just pasted - "user has their shell set to jailshell or noshell". If you can explain that in other words, thanks.
 

ITGabs

Well-Known Member
Jul 30, 2013
cPanel Access Level
Root Administrator
That is regarding the shell, when the user account has access to connect to the server by SSH, for example using PuTTY.

The jailshell or noshell options are a way to restrict how much the user can do inside the system. As an example, with a normal shell the user can read, or maybe write, some files inside the server or in other user accounts when the permissions are weak, or by using another service or script that can bypass that permission security (chmod, chown).

With jailshell there is a new layer: the user can still access many things, but he is running in a new mount, a kind of virtual disk, that confines the changes made by the user to their own user account and settings, without affecting the entire server or other user folders (in theory; nothing is 100% safe).

noshell is quite restricted, mostly to using SFTP, maybe tunneling, not sure, but you can imagine just a few SSH features allowed in this mode.

There are other 'shells', script shells that use advanced functions from PHP, Perl etc., and those are handled (from the security point of view) the same as the user's shell, normal, jailshell or noshell, but with some differences.

Everything is related to what happens if you try to read other files or folders outside your account. You can try, as an example (black hat point of view):

from putty
Code:
cat '/home/notyouruser/public_html/wp-config.php'
from php
Code:
echo file_get_contents('/home/notyouruser/public_html/wp-config.php');
from php using shell functions (back tick)
Code:
echo `cat '/home/notyouruser/public_html/wp-config.php'`;
or using '/etc/named.conf' instead of '/home/notyouruser/public_html/wp-config.php', which should be the first thing a hacker will try to look at.

And even having all this in mind, the symlink race can bypass any of these restrictions.
The difference between mod_ruid2 and the patches is that ruid2 stops any symlink race, whereas the patches catch the symlink attempts, report them and take action, but the symlink race condition still exists with the patches, so maybe you are still vulnerable in another way.

And it depends on the configuration and how you are running PHP (suphp, fastcgi, cgi or mod_php) on your servers, and other settings like opendir from PHP or from Apache.
 
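The symlink race described in the post above abuses a link inside a web root that points at another account's files (the wp-config.php and /etc/named.conf cases). Patches such as the one the Security Advisor refers to catch the attempt in flight; mod_ruid2 with the jail removes the cross-account view altogether. Either way, an administrator still wants to know whether such links already exist. The script below is an added example (not cPanel's code and not from this thread): it walks every account's public_html, does not follow symlinked directories, and reports links whose resolved target lies outside the owning home directory. It assumes the /home/<user>/public_html layout, builds a constructed throwaway tree so it runs offline, and only detects links that are present on disk; a race that plants and removes a link between Apache's check and open is not visible to a periodic sweep.

```python
"""Audit symlinks under each account's web root and flag those that resolve
outside the account's home directory.  Added example, not cPanel's code.
Assumes the /home/<user>/public_html layout used by cPanel accounts."""
import os
import tempfile
from pathlib import Path


def audit_webroot(home: str) -> list:
    """Return (link, target) pairs for symlinks under <home>/public_html whose
    resolved target is not <home> or something below it.  Symlinked
    directories are reported but not descended (followlinks=False)."""
    home_real = os.path.realpath(home)
    webroot = os.path.join(home, "public_html")
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # follows the whole link chain
            inside = target == home_real or target.startswith(home_real + os.sep)
            if not inside:
                findings.append((path, target))
    return findings


def audit_all(home_root: str = "/home") -> dict:
    """Run audit_webroot for every directory under home_root that has a public_html."""
    results = {}
    for user in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, user)
        if os.path.isdir(os.path.join(home, "public_html")):
            results[user] = audit_webroot(home)
    return results


def build_demo() -> str:
    """Construct a throwaway /home layout (constructed data) so the audit runs offline."""
    root = tempfile.mkdtemp(prefix="symlink-audit-")
    alice = Path(root, "home", "alice", "public_html")
    bob = Path(root, "home", "bob", "public_html")
    etc = Path(root, "etc")
    for d in (alice, bob, etc):
        d.mkdir(parents=True)
    (alice / "index.php").write_text("<?php echo 'hi';\n")
    (bob / "wp-config.php").write_text("<?php // constructed placeholder secret\n")
    (etc / "named.conf").write_text("// constructed placeholder\n")
    (alice / "own.txt").symlink_to(alice / "index.php")      # inside own home: fine
    (alice / "peek.php").symlink_to(bob / "wp-config.php")   # other account: flagged
    (alice / "named.txt").symlink_to(etc / "named.conf")     # system file: flagged
    (alice / "dangling").symlink_to(alice / "missing.txt")   # inside home, target absent: fine
    return root


def demo() -> dict:
    """Audit the constructed tree; map user -> sorted names of flagged links."""
    root = build_demo()
    report = audit_all(os.path.join(root, "home"))
    return {user: sorted(os.path.basename(link) for link, _ in hits)
            for user, hits in report.items()}


if __name__ == "__main__":
    for user, hits in demo().items():
        print(f"{user}: {hits}")
```

Run it as root against the real /home by calling audit_all() without the demo root; an empty list for every user is the expected steady state, and any hit is something to look at before deciding whether the jail option or the patch is the right fix.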

postcd

Well-Known Member
Oct 22, 2010
Thanks for your input, so if I understand properly, if I don't enable SSH access for any cPanel accounts, I don't need to care about the WHM option "Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell."
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Thanks for your input, so if I understand properly, if I don't enable SSH access for any cPanel accounts, I don't need to care about the WHM option "Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell."
No, that is not accurate. This option includes accounts set to "noshell", meaning no shell access is granted.

If mod_ruid2 is compiled in via EasyApache, mod_ruid2 is enabled, and a user has their shell set to jailshell or noshell, enabling this option will chroot() a user's Apache Virtual Host into the cPanel® jailshell environment. Each user will require 14 bind mounts. While modern Linux supports a very large number of bind mounts, many processes read /proc/mounts (even mkdir on RHEL 5 and CentOS 5). Reading /proc/mounts can be quite expensive when it becomes large. It is highly recommended that you do not exceed 256 jailed users unless you are using RHEL 6 or CentOS 6.

Thank you.
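The option's description above warns that each jailed user costs 14 bind mounts and that a large /proc/mounts gets expensive, with 256 jailed users as the advised ceiling on RHEL/CentOS 5. An administrator who enables it will want a quick way to see how many jails are mounted and whether any user's jail is incomplete. The script below is an added example (not cPanel's code and not from this thread). It assumes the jail mount points live under /home/virtfs/<user>/ (an assumption about the layout; confirm it on your own server) and uses the two figures from the description. /proc/mounts does not mark a bind mount as such, so the mount-point prefix is the only discriminator; the embedded sample is constructed.

```python
"""Count jailshell bind mounts per user from /proc/mounts.  Added example,
not cPanel's code.  Assumes jail mount points sit under /home/virtfs/<user>/
(assumed layout) and takes 14 mounts per user and a 256-user advised ceiling
from the option's description."""
import os

JAIL_PREFIX = "/home/virtfs/"   # assumed mount-point prefix for jailed accounts
MOUNTS_PER_USER = 14            # figure given in the option's description
ADVISED_MAX_USERS = 256         # figure given in the option's description

# Constructed /proc/mounts excerpt: two complete jails, one half-built jail,
# and the prefix directory itself (which must not count as a user).
SAMPLE_MOUNTS = "\n".join(
    ["/dev/sda1 / ext4 rw,relatime 0 0",
     "proc /proc proc rw,nosuid,nodev,noexec 0 0"]
    + [f"/dev/sda1 /home/virtfs/alice/m{i:02d} ext4 rw,relatime 0 0" for i in range(14)]
    + [f"/dev/sda1 /home/virtfs/bob/m{i:02d} ext4 rw,relatime 0 0" for i in range(14)]
    + [f"/dev/sda1 /home/virtfs/carol/m{i:02d} ext4 rw,relatime 0 0" for i in range(3)]
    + ["/dev/sda1 /home/virtfs ext4 rw,relatime 0 0"]
)


def jail_mounts(mounts_text: str, prefix: str = JAIL_PREFIX) -> dict:
    """Map each jailed user to the number of mount entries under prefix/<user>/.
    Field 2 of each /proc/mounts line is the mount point (spaces are escaped
    as \\040 by the kernel, so splitting on whitespace is safe)."""
    counts = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        mount_point = fields[1]
        if not mount_point.startswith(prefix):
            continue
        user = mount_point[len(prefix):].split("/", 1)[0]
        if user:
            counts[user] = counts.get(user, 0) + 1
    return counts


def report(mounts_text: str) -> dict:
    """Summarise jail mounts: user count, total mounts, users with fewer than
    the expected mounts, and whether the advised ceiling is exceeded."""
    counts = jail_mounts(mounts_text)
    return {
        "jailed_users": len(counts),
        "jail_mounts": sum(counts.values()),
        "incomplete": sorted(u for u, n in counts.items() if n < MOUNTS_PER_USER),
        "over_advised_max": len(counts) > ADVISED_MAX_USERS,
    }


if __name__ == "__main__":
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MOUNTS  # offline fallback: constructed sample
    for key, value in report(text).items():
        print(f"{key}: {value}")
```

A user listed under "incomplete" has a partially built jail and is worth checking before assuming their virtual host is confined; "over_advised_max" is the condition the description tells you to avoid on the older distributions.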