Issue
We are getting this message on all of our CloudLinux + cPanel Servers:
We have detected several CloudLinux configuration issues on your system.
- You may ignore some or all issues if you know that they don't cause you any troubles or they are expected or already scheduled to be fixed
- You may contact CloudLinux support to help to resolve issues that are hard to resolve yourself
- You may disable this cron checks permanently See docs for steps
See report below.
Check mount with hidepid=2 option:
FAILED: Details: hidepid protection disabled.
Please, mount system with hidepid=2 for better security.
Read more about hidepid option here: https://docs.cloudlinux.com/cloudlinux_os_kernel/#remounting-procfs-with-hidepid-option
Environment
- CloudLinux
- cPanel v.116
Solution
The main fix should be done from the cPanel side. At the moment (Dec 03, 2023), the cPanel team is working on the fix and reverting to the correct hidepid setup:
They will push out a new cPanel build with a fix as soon as possible and stop updates to v116 until this new build is generated and rolled out. For servers that have already made it to v116, they will run an emergency patch to enable hidepid where applicable (CL servers).
While we are in discussions with cPanel about this configuration, we want to assure our clients that their systems are secure. We are currently working on a fix to mute the cldiag check and notification related to this issue. In the meantime, you can disable the cldiag cron checker by running the following command:
cldiag --disable-cron-checkers check-hidepid
This will prevent the error message from appearing.
----------------------------------------------------------------
Update
A) To hide the error message about the hidepid protection issue (and leave this protection disabled), we released lve-utils-6.5.8-2:
yum install lve-utils-6.5.8 --enablerepo=cloudlinux-rollout-3-bypass
Customers who have lve-utils-6.5.9-1 (it’s currently in beta) should downgrade to lve-utils-6.5.8-2 until lve-utils-6.5.10-1 is released (it will be available in a few days).
Quick recap:
lve-utils-6.5.8-1 and older ---> upgrade to lve-utils-6.5.8-2
lve-utils-6.5.9-1 ---> downgrade to lve-utils-6.5.8-2
B) Users who want to keep hidepid protection enabled (as they had before the cPanel update to v.116) and fix the error message can use the following alternative workaround:
# rm -f /etc/sysctl.d/99-cpanel-proc-can-see-other-uid.conf
# /usr/sbin/sysctl fs.proc_can_see_other_uid=0
# /usr/share/cloudlinux/remount_proc.py
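To confirm that workaround B took effect, the following check (an added example, not part of the original article or of CloudLinux tooling) verifies the three things those commands change: the hidepid option on the /proc mount, the fs.proc_can_see_other_uid value, and the absence of the cPanel sysctl drop-in. The function names and the sample data are constructed; on a live server, call check_hidepid with no arguments.

```shell
#!/bin/sh
# Added example: checks the state that workaround B restores.
# Function names and sample data are constructed for illustration.

# Print the hidepid value of the procfs mounted on /proc ("0" if unset).
proc_hidepid() {   # $1 = file in /proc/mounts format
    awk '$2 == "/proc" && $3 == "proc" {
             v = "0"
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++)
                 if (opt[i] ~ /^hidepid=/) v = substr(opt[i], 9)
         }
         END { print (v == "" ? "unmounted" : v) }' "$1"
}

# Return 0 only if all three conditions from the workaround hold.
check_hidepid() {  # $1 mounts file, $2 sysctl value file, $3 cPanel drop-in
    mounts=${1:-/proc/mounts}
    knob=${2:-/proc/sys/fs/proc_can_see_other_uid}
    dropin=${3:-/etc/sysctl.d/99-cpanel-proc-can-see-other-uid.conf}
    rc=0
    hp=$(proc_hidepid "$mounts")
    case $hp in
        2|invisible) echo "OK: /proc mounted with hidepid=$hp" ;;  # newer kernels print "invisible"
        *) echo "FAIL: /proc hidepid is '$hp', expected 2"; rc=1 ;;
    esac
    if [ ! -r "$knob" ]; then
        echo "FAIL: cannot read $knob"; rc=1
    elif [ "$(cat "$knob")" != "0" ]; then
        echo "FAIL: fs.proc_can_see_other_uid is $(cat "$knob"), expected 0"; rc=1
    else
        echo "OK: fs.proc_can_see_other_uid=0"
    fi
    if [ -e "$dropin" ]; then
        echo "FAIL: $dropin exists and will be applied again at boot"; rc=1
    else
        echo "OK: cPanel sysctl drop-in is absent"
    fi
    return $rc
}

# Demo on constructed data (a server right after the cPanel v.116 update).
demo=$(mktemp -d)
echo "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0" > "$demo/mounts"
echo 1 > "$demo/knob"
echo "fs.proc_can_see_other_uid=1" > "$demo/dropin.conf"
check_hidepid "$demo/mounts" "$demo/knob" "$demo/dropin.conf" || echo "hidepid protection is off"
rm -rf "$demo"
```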
------------------------------------------
Permanent Solution:
cPanel Build 116.0.7 has been published. This build contains a single change, which fixes the hidepid issue.
We recommend getting this update (upcp).
Cause
Starting from cPanel v.116, the fs.proc_can_see_other_uid kernel parameter is being enabled persistently. That is, cPanel v.116 persistently sets the kernel parameter fs.proc_can_see_other_uid=1, which forcibly disables the hidepid protection on CL servers.
According to the cPanel official website:
cPanel is incompatible with the CloudLinux hidepid feature. Beginning with cPanel version 116, this option has been explicitly disabled to prevent any potential issues with cPanel functions.
Useful links
https://cloudlinux.zendesk.com/hc/en-us/articles/4408727664530-hidepid-protection-disabled
https://docs.cloudlinux.com/shared/cloudlinux_os_kernel/#hybrid-kernels