Apache Symlink Protection is enabled

N

Nirjonadda

Well-Known Member
May 8, 2013
752
28
78
cPanel Access Level
Root Administrator
I am getting error via Security Advisor. Also enabled jailshell and EXPERIMENTAL: Jailshell Virtual Hosts using mod_ruid2 but this error still are showing. Please let me know, How to fixing on this issue?

Code: 
Apache Symlink Protection: the Bluehost provided Apache patch is in effect

    It appears that the Bluehost provided Apache patch is being used to provide symlink protection. This is less than optimal.
I am using EasyApache 4
 

Attachments

cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,245
463
Hello,

Documentation on the available options for symlink protection is available at:

Symlink Race Condition Protection - EasyApache - cPanel Documentation

It notes the following downsides for the BlueHost patch:

  • Protection from this patch is not as good as a kernel-level or a filesystem-level solution.
  • This patch may slow the performance of high-traffic servers.
  • Incompatible with Mailman.
  • Incompatible with CGI Center apps.
Click to expand...
I recommend disabling that option in EasyApache since already have "EXPERIMENTAL: Jailshell Virtual Hosts" and Mod_Ruid2 enabled.

Thank you.
 
N

Nirjonadda

Well-Known Member
May 8, 2013
752
28
78
cPanel Access Level
Root Administrator
N

Nirjonadda

Well-Known Member
May 8, 2013
752
28
78
cPanel Access Level
Root Administrator
cPanelMichael said:
Hello,

Information about symlink race protection with EasyApache 4 is discussed at:

EasyApache4 symlink race protection
Thank you.
Click to expand...
Then in Apache Configuration, Global Configuration. Under Directory “/” Options, disable FollowSymLinks and enable SymLinksIfOwnerMatch for disabling Symlink Race Condition Protection? I have enabled jailshell and EXPERIMENTAL: Jailshell Virtual Hosts using mod_ruid2. If not include the symlink protection patch in EasyApache 4 then why cPanel Security Advisor show me that i am using Apache Symlink Protection: the Bluehost provided Apache patch is in effect?
 
Last edited:
cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,245
463
Hello,

Actually, the message you see in "WHM >> Security Advisor" is a false positive. You can safely ignore the message about the BlueHost patch, as internal case CPANEL-9914 is open to address an issue where Security Advisor falsely detects Bluehost Symlink Patch as "enabled" in EasyApache 4 and causes a false positive. I'll update this thread with more information on the status of this case as it becomes available.

Thank you.
 
cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,245
463
Hello,

To update, this issue was addressed with the following changes in Security Advisor:

Pull Request #54 · CpanelInc/addon_securityadvisor · GitHub

CPANEL-9952 was included with cPanel version 60.0.26 to ensure Security Advisor is updated to include the most recent changes referenced on it's GitHub page:

Fixed case CPANEL-9952: Update Security Advisor to the latest version.

It's also scheduled for inclusion with cPanel version 58 during the next update to that build.

Thank you.
 
cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,245
463
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
Skin Apache Symlink Protection False positive? Security 3
U Apache Symlink Protection Advisory Security 1
N Apache Symlink Protection Security 2
M Apache vhosts are not segmented or chroot()ed. | No symlink protection detected Security 3
postcd Sec. Advisor: Apache Symlink Protection: mod_ruid2 loaded in Apache Security 7
Similar threads
Apache Symlink Protection False positive?
Apache Symlink Protection Advisory
Apache Symlink Protection
Apache vhosts are not segmented or chroot()ed. | No symlink protection detected
Sec. Advisor: Apache Symlink Protection: mod_ruid2 loaded in Apache
Top Bottom