Apache vhosts are not segmented or chroot()ed
Posted by Will Kruss on 08 December 2022 12:53 PM
With the modern cPanel security advisory you may get the alert:

Apache vhosts are not segmented or chroot()ed. Enable “mod_ruid2” in the “EasyApache 4” area, enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”. Note that this may break the ability to access mailman via Apache.

This requires you to review and take action with regard to your cPanel setup. If you are not familiar with EasyApache, please contact our support and we will be happy to make the changes so that your system meets this security advisory while providing the best performance for a cPanel environment.

Our recommendations are:

In EasyApache:
In WHM
Note: Tweak Settings -> Jail Apache (listed as experimental) cannot be enabled, as it requires MOD_RUID2, and MOD_RUID2 and ITK are not supported with MPM Worker. We recommend SUExec instead.

We also recommend that you ensure that Shell Access is either disabled or set to Jailed Shell in WHM -> Manage Shell Access for all users.

VPSBlocks always attempts to find and recommend the best balance between server performance and security.
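The following audit sketch is an added example, not part of the original article or of cPanel's tooling. It applies the two checks from the note above to `httpd -M` style output and passwd-format lines; the sample data is constructed, and the UID threshold of 1000 and the set of shells treated as "disabled" are assumptions.

```shell
#!/bin/sh
# Added example; sample inputs below are constructed, not from a real server.

# Reads `httpd -M` style text on stdin and prints one verdict line.
isolation_verdict() {
    mods=$(awk '{print $1}')    # first column is the module name
    has() { printf '%s\n' "$mods" | grep -qx "$1"; }

    if has mpm_worker_module; then
        # Per the note: mod_ruid2 and ITK are not supported with MPM Worker,
        # so Jail Apache is unavailable and suEXEC is the recommended option.
        if has suexec_module; then
            echo "worker: Jail Apache unavailable, suEXEC loaded"
        else
            echo "worker: Jail Apache unavailable, suEXEC missing"
        fi
    elif has ruid2_module; then
        echo "ruid2 loaded: Jail Apache prerequisite met"
    else
        echo "no ruid2: Jail Apache needs mod_ruid2 first"
    fi
}

# Reads passwd-format lines on stdin and prints accounts whose shell is
# neither jailed nor disabled. Assumption: customer accounts have UID >= 1000.
unjailed_users() {
    awk -F: '$3 >= 1000 && $7 !~ /\/(jailshell|noshell|nologin|false)$/ {print $1}'
}

# Constructed sample: a worker-MPM server with suEXEC loaded.
SAMPLE_MODS='Loaded Modules:
 core_module (static)
 mpm_worker_module (shared)
 suexec_module (shared)'

# Constructed sample: bob still has a full shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/usr/local/cpanel/bin/jailshell
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/usr/local/cpanel/bin/noshell'

printf '%s\n' "$SAMPLE_MODS" | isolation_verdict
printf '%s\n' "$SAMPLE_PASSWD" | unjailed_users
```

On a live server, pipe the real `httpd -M` output and `/etc/passwd` into the two functions instead of the samples.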