Apache vhosts are not segmented or chroot()ed
Posted by Will Kruss on 08 December 2022 12:53 PM

With the modern cPanel security advisory you may get the alert:

Apache vhosts are not segmented or chroot()ed. Enable “mod_ruid2” in the “EasyApache 4” area, enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”. Note that this may break the ability to access mailman via Apache.

This does require you to review your cPanel setup and take action. If you are not familiar with EasyApache, please contact our support; we are happy to make the changes so that your system meets this security advisory while providing the best performance for a cPanel environment.

Our recommendations are:

In EasyApache:

Install MPM Worker instead of prefork (ITK and RUID2 are removed if installed)

Install LSAPI Apache Module

Install suEXEC Apache Module (this serves a similar purpose to mod_ruid2: PHP and CGI scripts are executed as the owning cPanel user, so each account is segmented from the others)

In WHM:

MultiPHP Manager -> Change default PHP handler from CGI/DSO to LSAPI (all of them)

PHP-FPM is unaffected and can be enabled for specific sites as required

Manage Shell Access -> Make sure all accounts are under Jail Shell (not default shell)

Note: Tweak Settings -> Jail Apache (listed as experimental) cannot be enabled, because it requires mod_ruid2.

mod_ruid2 and MPM ITK are not supported with MPM Worker, so Jail Apache cannot be enabled; we recommend suEXEC instead.

We also recommend that you ensure that Shell Access is either disabled or set to Jailed Shell in WHM -> Manage Shell Access for all users.
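A shell audit for the points above (every account on a jailed or disabled shell; MPM Worker, LSAPI and suEXEC installed; mod_ruid2 and MPM ITK absent), added here as an example and not part of the VPSBlocks article. The ea-apache24-mod_* package names and the jailshell/noshell paths are assumed from standard cPanel EasyApache 4 layouts.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a cPanel host
# against the recommendations above. Package names (ea-apache24-mod_*)
# and the jailshell/noshell paths are assumed from standard cPanel layouts.

# List login users (uid >= 1000, i.e. cPanel accounts) whose shell is
# neither jailshell nor a disabled shell. Input: passwd(5) text on stdin.
unjailed_shells() {
    awk -F: '$3 >= 1000 && $7 !~ /(jailshell|noshell|nologin|false)$/ {
        print $1 ": " $7
    }'
}

# Report EasyApache 4 modules that should be installed (MPM Worker, LSAPI,
# suEXEC) and those that must be absent (mod_ruid2, MPM ITK), given
# `rpm -qa` output on stdin.
apache_module_findings() {
    awk '
        /^ea-apache24-mod_mpm_worker-/ { have_worker = 1 }
        /^ea-apache24-mod_lsapi-/      { have_lsapi = 1 }
        /^ea-apache24-mod_suexec-/     { have_suexec = 1 }
        /^ea-apache24-mod_ruid2-/      { print "REMOVE mod_ruid2 (not supported with MPM Worker)" }
        /^ea-apache24-mod_mpm_itk-/    { print "REMOVE mpm_itk (not supported with MPM Worker)" }
        END {
            if (!have_worker) print "MISSING ea-apache24-mod_mpm_worker"
            if (!have_lsapi)  print "MISSING ea-apache24-mod_lsapi"
            if (!have_suexec) print "MISSING ea-apache24-mod_suexec"
        }'
}

# Constructed sample data for an offline dry run (not from a real server).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/usr/local/cpanel/bin/jailshell
bob:x:1002:1002::/home/bob:/bin/bash'
SAMPLE_RPMS='ea-apache24-mod_mpm_worker-2.4.54-1.el7.x86_64
ea-apache24-mod_ruid2-0.9.8-4.el7.x86_64
ea-apache24-mod_suexec-2.4.54-1.el7.x86_64'

if [ "${1:-}" = "--live" ]; then
    # Real audit on a cPanel server.
    echo "== accounts without a jailed or disabled shell =="
    unjailed_shells < /etc/passwd
    echo "== Apache module findings =="
    rpm -qa | apache_module_findings
else
    echo "== dry run on constructed sample data =="
    printf '%s\n' "$SAMPLE_PASSWD" | unjailed_shells
    printf '%s\n' "$SAMPLE_RPMS" | apache_module_findings
fi
```

Run with `--live` on the server itself to audit the real /etc/passwd and installed packages; without arguments it only exercises the constructed sample data.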

VPSBlocks always attempts to find and recommend the best balance between server performance and security.
