Kryptronic Software Support Forum

You are viewing this forum as a guest. Login to an existing account, or create a new account, to reply to topics and to create new topics.

#1 06-04-2019 13:05:59

sdn
Member
From: UK
Registered: 05-29-2007
Posts: 790

mod_suexec vs mod_ruid2

I have got tired of seeing this security advisor message in WHM

"Apache vhosts are not segmented or chroot()ed.
Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”. Note that this may break the ability to access mailman via Apache."

It is not possible to "Enable “Jail Apache” in the “Tweak Settings” area" as checkbox is greyed out. It appears that we need to instal mod_ruid2 and in the process mod_suexec will be removed. It also appears to mean changing file permissions for the php to run.

Do you think it is worth doing or just too much trouble?


Simon

Offline

 

#2 06-04-2019 13:55:56

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19241
Website

Re: mod_suexec vs mod_ruid2

We run mod_suexec here and have no issues or reports of issues concerning security or passing PCI scans.  mod_ruid2 is basically a drop-in replacement for mod_suexec that may run faster or more securely (likely marginally).  It might be worth doing on a dev machine to test things out and see if you like it, but I see no real world advantage at this time to switch away from mod_suexec.  I'd question why there is a security advisor message you posted.  Are you still running mod_php and not making use of mod_suexec?  You can tell straight away by looking at any files created by PHP scripts - they will likely be owned by nobody or apache instead of the actual vhost account.


Nick Hendler

Offline

 

#3 06-05-2019 02:10:30

sdn
Member
From: UK
Registered: 05-29-2007
Posts: 790

Re: mod_suexec vs mod_ruid2

OK thanks. If you mean mod_suphp, that is not installed. The sitemap.xml file in utilities folder is owned by the account. I will ask our hosting company to advise on this.

While looking at EasyApache4 I saw a couple of uninstalled PHP extensions:

php71-php-gettext (https://www.gnu.org/software/gettext/ma … t.html#Why)
php71-php-intl (https://www.php.net/manual/en/intro.intl.php)

Would either of those help to fix the UTF-8 encoding issue we tried to resolve last year?

The PHP extensions installed are

php71-libc-client
php71-pear
php71-php-bcmath
php71-php-calendar
php71-php-cli
php71-php-common
php71-php-curl
php71-php-devel
php71-php-fpm
php71-php-ftp
php71-php-gd
php71-php-imap
php71-php-litespeed
php71-php-mcrypt
php71-php-mysqlnd
php71-php-pdo
php71-php-posix
php71-php-sockets
php71-php-xml
php71-runtime

Would any others be beneficial?


Simon

Offline

 

#4 06-05-2019 06:43:18

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19241
Website

Re: mod_suexec vs mod_ruid2

If the sitemap.xml file is being written out with ownership equal to the vhost account, you're good to go and I wouldn't make any changes.  Concerning the UTF-8 encoding issues encountered last year, if you have 9.0.3 installed and have this in your .htaccess file:

AddDefaultCharset Off

Then you shouldn't see any encoding issues.  We went through that in depth last year when dealing with the encoding issues that cropped up due to changes in PHP default encoding.


Nick Hendler

Offline

 

Board footer