Started Getting Apache vhosts are not segmented warning

[jazee]

I just started getting a couple weeks ago this warning without making any changes to my config.

"Apache vhosts are not segmented or chroot()ed. Enable “mod_ruid2” in the “EasyApache 4” area, enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”. Note that this may break the ability to access mailman via Apache."

Very few of the dozen or so accounts even have SSH access enabled. But one of them I SSH'd into. I could change to the home directory of one of the other accounts but can't view anything, says 'Permission Denied."

I verified all scripts in all accounts are running PHP as the account user and not the 'nobody' user as I saw mentioned on a webpage about this warning.

So what's the "real world" level of security risk I have leaving my config as-is? These are fairly obscure websites as opposed to well-known targets. There's not sensitive data like credit card social security numbers anywhere. And why did this only recently start to warn me?

 

[ServerHealers]

Those messages on the Security Advisor page are only suggestions and not mandatory. cPanel do recommend taking steps to ensure Apache virtual hosts are segmented or chroot()ed. I'd suggest reading below forum thread, which answers all your queries:

Apache vhosts are not segmented or chroot()ed

How to fix error: Apache vhosts are not segmented or chroot()ed? we have enabled Jailed Shell but error still are not removed.

forums.cpanel.net

The "Jail Apache Virtual Hosts using mod_ruid2" tweak setting is experimental and may result in unintended consequences. For this reason, I'd recommend trying this setting in a test environment before enabling it on a production server. Alternatively, you could consider converting your server to CloudLinux to enable CageFS to secure your accounts instead of the experimental "Jail Apache Virtual Hosts using mod_ruid2" tweak setting.

 

[jazee]

...may result in unintended consequences.

This hits the nail on the head based on gut instinct of over 30 years SysAdmin experience. I think I may have one account this is running a script that has some dependency or needs access to some files outside the /home/{account name} directory. Enabling the jailshell I anticipated would probably just create more problems than it solves. In fact, as the saying goes, "if it's not broke, don't try to fix it." That is one of THE golden rules in SysAdmin.

The problem is, I don't think there's a way I can turn off the warning for just this particular high priority issue notification. I would have to turn off all emails and I don't mind getting ones Cpanel considers high priority. Time is precious and I don't have time to futz around with a test server just to test this one issue. Maybe I'll do it when I move to a new server with AlamaLinux O/S next year.

Kind of pissed they are sending recommendations to implement something largely considered experimental.