Thanks to EA4 (EasyApache 4), WHM/cPanel now allows multiple PHP versions to be installed simultaneously. Here is a peculiar example of getting PHP 7.2 enabled on a cPanel server running LiteSpeed and a grsec kernel.
Assumption: Here we are assuming a scenario where we have a WHM/cPanel server installed on CentOS 6 and configured with ASL (Atomic Secured Linux), available from Atomicorp.com.
When ASL is enabled, the server boots into the ASL kernel, which is powered by grsecurity modules and rules.
The procedure to enable PHP 7.2 from WHM is to log in to WHM -> EasyApache 4 -> Customize – PHP versions -> Enable 7.2
Once PHP 7.2 is enabled on the server, you will need to enable it in LiteSpeed. To do so, log in to the LiteSpeed web interface by visiting your server URL with port 7080
Once logged in, go to Configuration -> Server -> External App -> Add
Then you will need to add a Script Handler, so click on Script Handler -> Add. Make sure to configure the handler type as “LiteSpeed SAPI” and the handler name as “[Server Level]: lsphp72”
Save and restart the LiteSpeed web server. Now when you configure PHP 7.2 for a particular account from WHM -> MultiPHP Manager and access the website in a browser, you will notice the error “503 Service Unavailable, Please try again later”
On debugging you will notice logs in /usr/local/apache/logs/error_logs as follows:
connection to [/tmp/lshttpd/APVH_xxxxxxx_Suphp72.sock.825] on request #0, confirmed, 1, associated process: 14544, running: 1, error: Connection reset by peer!
2018-01-26 09:45:21.065 [NOTICE] [xxxxxxx:59282] No request delivery notification has been received from LSAPI process group [14544], possible run away process.
2018-01-26 09:45:21.066 [NOTICE] [xxxxxxxx:59282] Retry with new process group.
2018-01-26 09:45:21.066 [NOTICE] Graceful stop process group lead by pid: 14544
2018-01-26 09:45:21.067 [INFO] [APVH_xxxxxxx_Suphp72:] PID: 23289, add child process pid: 14593, procinfo: 0x4e5e970
2018-01-26 09:45:21.155 [INFO] [xxxxxxxx:59282] connection to [/tmp/lshttpd/APVH_xxxxxx_Suphp72.sock.413] on request #0, confirmed, 1, associated process: 14593, running: 1, error: Connection reset by peer!
2018-01-26 09:45:21.155 [NOTICE] [xxxxxxx:59282] Max retries has been reached, 503!
2018-01-26 09:45:21.155 [NOTICE] [xxxxxxx:59282] oops! 503 Service Unavailable
2018-01-26 09:45:21.155 [NOTICE] [xxxxxxx:59282] Content len: 0, Request line: ‘GET /~xxxxxxxx/ HTTP/1.1’
2018-01-26 09:45:21.155 [NOTICE] [xxxxxxx:59282] Redirect: #1, URL: /index.php
2018-01-26 09:45:21.155 [INFO] [xxxxxxx:59282] abort request…, code: 4
2018-01-26 09:45:21.155 [INFO] [xxxxx:59282] File not found [/home/xxxxx/public_html/503.shtml]
Further tailing /var/log/messages, you will notice errors similar to:
Jan 26 11:05:19 xxxxxxx kernel: [1331781.378288] PAX: terminating task: /opt/cpanel/ea-php72/root/usr/bin/lsphp(lsphp):25821, uid/euid: 591/591, PC: 0000036c959c2010, SP: 000003d92b1a9c28
Jan 26 11:05:19 xxxxxxx kernel: [1331781.381445] PAX: bytes at PC: 53 41 57 41 56 41 55 55 48 8b df 48 83 ec 50 48 8b 43 10 48
Jan 26 11:05:19 xxxxxxx kernel: [1331781.383039] PAX: bytes at SP-8: 0000036c92aa5460 00000000004c3253 000003d92b1a9cc0 00000000040b3d70 0000000004187f20 0000036c92a01900 0000036c92a01900 0000036c92a01909 000003d92b1a9cc0 0000000000000004 0000000000000000
Jan 26 11:05:19 xxxxxxx kernel: [1331781.386756] grsec: From xxxxxxx: denied resource overstep by requesting 64 for RLIMIT_CORE against limit 0 for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589, parent /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25820] uid/euid:591/591 gid/egid:589/589
Jan 26 11:05:19 xxxxxxx PAM-hulk[25770]: Brute force detection active: 580 LOGIN DENIED — EXCESSIVE FAILURES — IP TEMP BANNED
Jan 26 11:05:19 xxxxxxx kernel: [1331781.391657] grsec: From xxxxxxx: denied resource overstep by requesting 120 for RLIMIT_CORE against limit 0 for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589, parent /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25820] uid/euid:591/591 gid/egid:589/589
Jan 26 11:05:19 xxxxxxx kernel: [1331781.396551] grsec: From xxxxxxx: denied resource overstep by requesting 176 for RLIMIT_CORE against limit 0 for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589, parent /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25820] uid/euid:591/591 gid/egid:589/589
Jan 26 11:05:19 xxxxxxx kernel: [1331781.401450] grsec: From xxxxxxx: denied resource overstep by requesting 232 for RLIMIT_CORE against limit 0 for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589, parent /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25820] uid/euid:591/591 gid/egid:589/589
Jan 26 11:05:19 xxxxxxx kernel: [1331781.406601] grsec: From xxxxxxx: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589, parent /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25820] uid/euid:591/591 gid/egid:589/589
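To see exactly which binaries and accounts PaX is terminating before any protection is relaxed, the kernel lines above can be summarised with a short script. This is an added example, not part of the original post; the sample lines are constructed on the pattern of the log above (hostname, source IP, second PID and second uid are made up).

```shell
#!/bin/sh
# Added example: summarise PaX kills and grsec lockouts from syslog.

# Constructed sample input modelled on the /var/log/messages excerpt.
sample_log() {
cat <<'EOF'
Jan 26 11:05:19 host1 kernel: [1331781.378288] PAX: terminating task: /opt/cpanel/ea-php72/root/usr/bin/lsphp(lsphp):25821, uid/euid: 591/591, PC: 0000036c959c2010, SP: 000003d92b1a9c28
Jan 26 11:05:19 host1 kernel: [1331781.386756] grsec: From 192.0.2.10: denied resource overstep by requesting 64 for RLIMIT_CORE against limit 0 for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589
Jan 26 11:05:19 host1 kernel: [1331781.406601] grsec: From 192.0.2.10: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589
Jan 26 11:07:02 host1 kernel: [1331884.100000] PAX: terminating task: /opt/cpanel/ea-php72/root/usr/bin/lsphp(lsphp):25990, uid/euid: 602/602, PC: 0000036c959c2010, SP: 000003d92b1a9c28
EOF
}

# Print "<count> <binary>" for every binary PaX terminated, busiest first.
pax_killed_binaries() {
    sed -n 's/.*PAX: terminating task: \([^(]*\)(.*/\1/p' |
        awk '{n[$0]++} END {for (b in n) print n[b], b}' | sort -rn
}

# Print the distinct uids whose processes were terminated for binary $1.
# $1 is used inside a regex, so pass a plain path without metacharacters.
pax_killed_uids() {
    sed -n "s|.*PAX: terminating task: $1(.*uid/euid: \([0-9]*\)/.*|\1|p" |
        sort -un
}

# Succeed if grsec started its fork-stalling lockout because of binary $1.
# While that lockout is active, requests keep failing for up to 30 minutes
# or until the service is restarted, as the log message itself states.
grsec_lockout_for() {
    grep -F "bruteforce prevention initiated" |
        grep -qF "crash report for $1["
}

# Usage: sh pax-summary.sh /var/log/messages
# Without a readable file argument, the constructed sample is used.
if [ -f "${1:-}" ] && [ -r "${1:-}" ]; then
    pax_killed_binaries < "$1"
else
    sample_log | pax_killed_binaries
fi
```

If the summary lists any binary other than lsphp, investigate that one separately rather than exempting it as well.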
The error is most likely caused by the grsec kernel installed on the server by ASL, which treats PHP 7.2 as insecure and restricts it. PHP is trying to violate the kernel's memory protection features, so PaX terminates the lsphp process (the “PAX: terminating task” lines above). Unfortunately, PHP 7 needs to operate in this insecure manner.
The solution here is to configure the system to allow PHP to run insecurely. The paxctl -m flag used below lifts PaX's mprotect() restriction for the named binary only, so apply it to lsphp and nothing else. This can be achieved by:
- Stopping the LiteSpeed web server using the commands:
cd /usr/local/lsws/bin
./lswsctrl stop
- Then run the command:
paxctl -m /opt/cpanel/ea-php72/root/usr/bin/lsphp
- If you receive an error similar to “file /opt/cpanel/ea-php72/root/usr/bin/lsphp does not have a PT_PAX_FLAGS program header, try conversion”, then try the following solution:
paxctl -c /opt/cpanel/ea-php72/root/usr/bin/lsphp
- And finally restart the LiteSpeed web server using the command:
./lswsctrl restart
Accessing your website now configured with PHP 7.2 on a cPanel server with LiteSpeed and ASL (Atomic Secured Linux) or a grsec kernel should now work successfully.
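The steps above as one script, added here as an example and not taken from the original post. It uses the page's paths, re-applies -m after a -c conversion (conversion only creates the PT_PAX_FLAGS header and sets no flags), and restarts LiteSpeed even if the change fails. It assumes paxctl exits non-zero when the header is missing.

```shell
#!/bin/sh
# Added example: exempt only lsphp from PaX MPROTECT, then verify.
LSPHP=/opt/cpanel/ea-php72/root/usr/bin/lsphp   # path from the page
LSWSCTRL=/usr/local/lsws/bin/lswsctrl           # path from the page

# Set the "m" flag (do not restrict mprotect) on a single binary.
# Assumption: paxctl returns a non-zero status when the binary has no
# PT_PAX_FLAGS header. In that case convert the header with -c and
# apply -m again, because -c on its own leaves MPROTECT enforced.
pax_exempt_mprotect() {
    bin=$1
    [ -f "$bin" ] || { echo "no such file: $bin" >&2; return 2; }
    if paxctl -m "$bin" 2>/dev/null; then
        return 0
    fi
    echo "no PT_PAX_FLAGS header on $bin, converting" >&2
    paxctl -c "$bin" && paxctl -m "$bin"
}

# Stop the web server, change the one binary, show its flags, and bring
# the web server back up whether or not the change succeeded.
apply_fix() {
    "$LSWSCTRL" stop
    pax_exempt_mprotect "$LSPHP"
    rc=$?
    # -v prints the current PaX flags so the change can be confirmed.
    [ "$rc" -eq 0 ] && paxctl -v "$LSPHP"
    "$LSWSCTRL" restart
    return "$rc"
}

# Nothing is modified unless the script is run as: sh pax-fix.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_fix
fi
```

The exemption is stored in the ELF header of lsphp, so check it again with paxctl -v after any update that replaces the binary.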