hidepid protection issue on cPanel servers
Incident Report for CloudLinux
Resolved
cPanel Build 116.0.7 has been published.
This build contains a single change: the fix for the hidepid issue.
We recommend getting this update.
Posted Dec 08, 2023 - 17:08 UTC
Update
The cPanel team is working on the fix and reverting to the correct hidepid setup.
They will push out a new cPanel build with a fix as soon as possible and stop updates to v116 until this new build is generated and rolled out. For servers that have already made it to v116, they will run an emergency patch to enable hidepid where applicable (CL servers).

Users who want to keep hidepid protection enabled (recommended, as it was before the cPanel update to v.116) and fix the error message can use the following workaround:

# rm -f /etc/sysctl.d/99-cpanel-proc-can-see-other-uid.conf
# /usr/sbin/sysctl fs.proc_can_see_other_uid=0
# /usr/share/cloudlinux/remount_proc.py
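
To confirm the workaround took effect, a read-only check like the one below can be run afterwards. This is an added example, not part of the CloudLinux or cPanel tooling; the function names, the `--live` switch and the `/proc/sys/fs/proc_can_see_other_uid` path (the procfs view of the sysctl above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: verifies the three things the workaround changes.
# It only reads state; it does not remount or modify anything.

# Print the hidepid value of the last procfs mount on /proc found in a
# mounts file (/proc/mounts format). Prints "unset" if the option is absent.
proc_hidepid() {
    awk '$2 == "/proc" && $3 == "proc" {
             v = "unset"
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++)
                 if (opt[i] ~ /^hidepid=/) v = substr(opt[i], 9)
             last = v
         }
         END { print (last == "" ? "no-proc-mount" : last) }' "$1"
}

# check_hidepid MOUNTS_FILE SYSCTL_VALUE_FILE DROPIN_CONF
# Returns 0 when hidepid protection is in effect, 1 otherwise.
check_hidepid() {
    rc=0
    hp=$(proc_hidepid "$1")
    case "$hp" in
        # Newer kernels report the same mode as "invisible" instead of "2".
        2|invisible) echo "OK: /proc mounted with hidepid=$hp" ;;
        *) echo "FAIL: /proc hidepid is '$hp' (expected 2)"; rc=1 ;;
    esac
    if [ -r "$2" ]; then
        v=$(cat "$2")
        if [ "$v" = "0" ]; then
            echo "OK: fs.proc_can_see_other_uid=0"
        else
            echo "FAIL: fs.proc_can_see_other_uid=$v (expected 0)"; rc=1
        fi
    else
        echo "SKIP: $2 not readable (sysctl not exposed on this kernel)"
    fi
    if [ -e "$3" ]; then
        echo "FAIL: $3 still exists (the workaround removes it)"; rc=1
    fi
    return $rc
}

# Live check on a server: sh check_hidepid.sh --live
if [ "${1:-}" = "--live" ]; then
    check_hidepid /proc/mounts /proc/sys/fs/proc_can_see_other_uid \
        /etc/sysctl.d/99-cpanel-proc-can-see-other-uid.conf
fi
```

A non-zero exit status means at least one of the three conditions is not met.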

We'll notify here as soon as a new cPanel build is released.
Posted Dec 07, 2023 - 14:02 UTC
Monitoring
We released lve-utils-6.5.8-2 containing a fix.

You can install it with:
# yum install lve-utils-6.5.8 --enablerepo=cloudlinux-rollout-3-bypass

Customers who have lve-utils-6.5.9-1 (currently in beta) should downgrade to lve-utils-6.5.8-2 until lve-utils-6.5.10-1 is released (it will be available in a few days).

Quick recap:
lve-utils-6.5.8-1 and older ---> upgrade to lve-utils-6.5.8-2
lve-utils-6.5.9-1 ---> downgrade to lve-utils-6.5.8-2
Posted Dec 06, 2023 - 15:48 UTC
Identified
The issue has been identified and a fix is being implemented.
Posted Dec 06, 2023 - 12:54 UTC
Investigating
**Issue**
On a CloudLinux + cPanel (v.116) server, you may get an email/notification (from the cldiag check) reporting a CloudLinux configuration issue, the hidepid protection issue:
See report below.
Check mount with hidepid=2 option:
FAILED: Details: hidepid protection disabled.
Please, mount system with hidepid=2 for better security.
Read more about hidepid option here: https://docs.cloudlinux.com/cloudlinux_os_kernel/#remounting-procfs-with-hidepid-option

**Cause**
The error message is related to cPanel version 116 and above. Starting from cPanel v.116, the 'fs.proc_can_see_other_uid' kernel parameter is persistently enabled. According to the cPanel official website:
https://support.cpanel.net/hc/en-us/articles/360057233394-Cloudlinux-utility-cldiag-reports-error-FAILED-Details-hidepid-protection-disabled-
cPanel is incompatible with the CloudLinux hidepid feature. Beginning with cPanel version 116, this option has been explicitly disabled to prevent any potential issues with cPanel functions.

**Solution**
It's important to note that this is not something that users need to resolve on their own, as it is a configuration set by cPanel.
While we are in discussions with cPanel about this configuration, we want to assure our clients that their systems are secure.
CL Devs are currently working on a fix to mute the cldiag check and notification related to this issue. In the meantime, you can disable the cldiag cron checker by running the following command:

cldiag --disable-cron-checkers check-hidepid

This will prevent the hidepid error message from appearing.
Posted Dec 06, 2023 - 12:54 UTC