CloudLinux
DirectAdmin can run on CloudLinux systems. However, the support for CloudLinux is not on par with officially supported Linux distributions.
We do accept reports for CloudLinux integration problems and fix them, but CloudLinux is not part of our automated test suite. This means support for CloudLinux is not proactively maintained.
Protection against symbolic link attacks
CloudLinux has some powerful tools to help reduce symlink attacks.
For the most part, we don't really need them, as DA uses the "secure_access_group" method on /home/user folders, and Apache itself is patched with the "harden symlinks" patch (internally swaps FollowSymLinks for SymLinksIfOwnerMatch).
Sometimes issues can arise from this extra layer of security (see the known errors below).
If you need to disable the checks (temporarily or permanently):
- Edit /etc/sysctl.conf and set:
fs.enforce_symlinksifowner = 0
fs.protected_symlinks_create = 0
- Then apply them to the running system, without needing a reboot:
sysctl -p
- Confirm they're set:
sysctl -a | grep -E 'fs.enforce_symlinksifowner|fs.protected_symlinks_create'
Known Errors
Unable to extract the directory 'backup' from the file /home/admin/admin_backups/user.admin.username.tar.gz as user username
File '/home/admin/admin_backups/user.admin.username.tar.gz' was 1234567 bytes in size, as read by root.
In this case, the backup was found to contain symbolic links that could not be extracted because they pointed to root-owned files. Note that this error could be caused by other things, such as file corruption, but this is one possibility to be aware of.
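A read-only check for the cause described above, as an added example (not DirectAdmin or CloudLinux code): it lists the symlinks inside a backup archive whose targets already exist on the server and are owned by a different UID than the account. The function name, the command-line usage, and the assumption that the archive is unpacked relative to the user's home directory are illustrative.

```python
import os
import tarfile


def foreign_symlinks(tar_path, dest_dir, uid):
    """Return (member, target, owner_uid) for each symlink in the archive whose
    target already exists on disk and is owned by a UID other than `uid`."""
    findings = []
    with tarfile.open(tar_path, "r:*") as tar:
        for member in tar:
            if not member.issym():
                continue
            if os.path.isabs(member.linkname):
                target = member.linkname
            else:
                # Relative targets resolve from the directory the link lands in.
                # dest_dir is an assumption: where the backup would be unpacked.
                link_dir = os.path.join(dest_dir, os.path.dirname(member.name))
                target = os.path.normpath(os.path.join(link_dir, member.linkname))
            try:
                owner = os.stat(target).st_uid
            except OSError:
                # Target is not on disk (dangling, or shipped inside the archive).
                continue
            if owner != uid:
                findings.append((member.name, target, owner))
    return findings


if __name__ == "__main__":
    import pwd
    import sys

    # Hypothetical usage: check_backup_symlinks.py <backup.tar.gz> <username>
    archive, username = sys.argv[1], sys.argv[2]
    account = pwd.getpwnam(username)
    hits = foreign_symlinks(archive, account.pw_dir, account.pw_uid)
    for name, target, owner in hits:
        print(f"{name} -> {target} (owner uid {owner})")
    sys.exit(1 if hits else 0)
```

An empty result means the archive's symlinks are not the reason for the failure, so the other causes mentioned above (such as file corruption) are worth checking next.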
Many lsphp processes, high CPU load, high memory usage
Issue
With this issue, a huge CPU load, high memory usage, and many lsphp processes were observed.
The 'top' output showed 0.0% idle for CPU, and almost all memory and swap were used up. The load average was hovering around 50.
Solution
- Edit /etc/httpd/conf/extra/mod_lsapi.conf and increase the lsapi_backend_children value to 200:
lsapi_backend_children=200
- With mod_security, in the Comodo DA plugin (Web Application Firewall | Free ModSecurity Rules from Comodo), go to the tab "Security Engine" and set:
Request Body Access: Off
- Restart httpd:
service httpd restart