Symlink Protection Advisory

Discussion in 'Security' started by mickalo, May 11, 2014.

  1. mickalo

    Hello,

    After going through a series of postings regarding this advisory issue, I think using the Mod Ruid/Jailshell configuration option would be our best option. We only host about 25 user accounts at this time. Our current setup now:

    CENTOS 6.5
    cPanel/WHM Stable - WHM 11.42.1 (build 13)
    Apache 2.2.27 w/Mod Security
    PHP 5.4.28 w/suPHP

    Are there any other issues I should be aware of before we run EasyApache to implement the Mod Ruid and Jailshell tweak settings? Will this have any direct effect on our user accounts?

    I spent about 2 hrs this morning going through tons of message postings on this issue, and it's a bit confusing to figure out the pros & cons of going this route. Any info or suggestions would be much appreciated.

    Thanks,
     
  2. cPanelMichael

  3. mickalo

    Thank you for the info.

    Mike
     
  4. mickalo

    One other question comes up after reviewing the docs: the Mod Security log location is changed when Mod Ruid & Mod Security are compiled. Will the Mod Security log still be accessible via the ConfigServer ModSecurity Control & WHM Mod Security add-on interface?

    Mike
     
  5. cPanelMichael

    I'm not sure that ConfigServer has implemented changes to support the change in the log location when Mod_Ruid2 is enabled, but you are welcome to consult with their support team if it does not function as expected:

    ConfigServer Technical Support

    The Mod_Security plugin in Web Host Manager should function as expected. Let us know if that's not the case.

    Thank you.
     
  6. mickalo

    OK, thanks. I posted this on their support forum to see if this has been addressed or if they plan to. Their Mod Security add-on is a very handy tool to have if you're using Mod Security.

    Update:
    This is the info posted on the ConfigServer Technical Support forum, for those who may be interested also:

    "The rules for ModSecurity should still work. The processing of the ModSecurity logs will not."
    
    Mike
     
    #6 mickalo, May 15, 2014
    Last edited: May 15, 2014
  7. quizknows

    Good to know.

    Honestly, on a production server that's already using SuPHP, I would rather just enable the "symlink race condition protection" in EasyApache than make the switch to Mod_RUID2 with live sites.
     
  8. mickalo

    We were also looking at the option as a possibility. May I ask why you went that route instead of the Mod Ruid on a production server? Right now we only host about 25-30 user accounts.

    Thanks,
    Mike
     
  9. quizknows

    Mike,

    The reason I went that route is because there is slim to no chance of compatibility issues. You're basically just changing how symlinks are handled and that's it. The "patch" just makes sure any files being served belong to the correct owner. It provides good enough protection to stop cross-account symlink hacks. I've enabled the symlink race condition protection patch on countless production servers without downtime or issues.

    RUID2, on the other hand, may cause problems with your sites or current Apache configuration. It's not compatible with a lot of other modules or configurations. I'd definitely plan a decent maintenance window (at least a few hours) to allow yourself time to troubleshoot broken sites or configurations/modules if you try RUID2.

    Apache Module: Ruid2
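
Added example (not part of the thread, and not the EasyApache patch's own code): a C illustration of the ownership check described in the post above, refusing a file reached through a symlink unless the file that was actually opened belongs to the expected account. The function names and the `/tmp/ownchk.XXXXXX` scratch directory are assumptions made for this illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for mkdtemp() and symlink() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path read-only, but only if the object actually opened is a regular
 * file owned by account_uid (assumed: the uid of the account whose site is
 * serving the request). fstat() inspects the open descriptor, so replacing a
 * symlink after this point cannot change what was checked.
 * Returns a descriptor, or -1 with errno set (EACCES on a mismatch). */
int open_if_owned_by(const char *path, uid_t account_uid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK);   /* follows symlinks */
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != account_uid) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Constructed demo: a temp file reached through a symlink, checked against
 * its real owner and against a different uid. Returns 1 if the first open
 * succeeds and the second is refused, 0 otherwise, -1 on setup failure. */
int demo_owner_check(void)
{
    char dir[] = "/tmp/ownchk.XXXXXX", target[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    int t = open(target, O_CREAT | O_WRONLY, 0600);
    if (t < 0 || symlink(target, lnk) != 0)
        return -1;
    close(t);
    int same = open_if_owned_by(lnk, getuid());       /* owner matches */
    int other = open_if_owned_by(lnk, getuid() + 1);  /* another account */
    if (same >= 0) close(same);
    unlink(lnk); unlink(target); rmdir(dir);
    return same >= 0 && other < 0;
}

int main(void) { return demo_owner_check() == 1 ? 0 : 1; }
```

Checking the descriptor with `fstat()` after `open()`, rather than calling `stat()` on the path first, is what keeps the check and the read on the same file.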
     
  10. mickalo

    Thanks for the additional info, appreciate it. I was a bit leery of using the Mod Ruid and wanted to get as much info as possible before I ran EasyApache. Don't really need any additional headaches, if I can avoid it, that's for sure. :)

    Mike
     