The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

cPanel Security Advisor Issue

Discussion in 'Security' started by Boris Horvat, Mar 1, 2017.

  1. Boris Horvat

    Boris Horvat Member

    Joined:
    Jul 29, 2014
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Split, Croatia, Croatia
    cPanel Access Level:
    Root Administrator
    OS: Centos 7
    Kernel: OVH kernel 3.14.32-xxxx-grs-ipv6-64

     
    #1 Boris Horvat, Mar 1, 2017
    Last edited by a moderator: Mar 1, 2017
  2. sktest123

    sktest123 Well-Known Member

    Joined:
    Jan 31, 2017
    Messages:
    69
    Likes Received:
    3
    Trophy Points:
    8
    Location:
    kochin
    cPanel Access Level:
    Root Administrator
  3. Boris Horvat

    Boris Horvat Member

    Joined:
    Jul 29, 2014
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Split, Croatia, Croatia
    cPanel Access Level:
    Root Administrator
    not work...

    i followed guide.
    fs.enforce_symlinksifowner = 1
    fs.symlinkown_gid = 99

    added to /etc/sysctl.conf

    this is results of sysctl -p:
    sysctl: cannot stat /proc/sys/fs/enforce_symlinksifowner: No such file or directory
    sysctl: cannot stat /proc/sys/fs/symlinkown_gid: No such file or directory
     
  4. sktest123

    sktest123 Well-Known Member

    Joined:
    Jan 31, 2017
    Messages:
    69
    Likes Received:
    3
    Trophy Points:
    8
    Location:
    kochin
    cPanel Access Level:
    Root Administrator
    It was for cloulinux based as there are several options for symlink patch , please revert , since you installed gr security patch just enable the settings as mentioned in the advisor just do a

    sysctl -a | egrep 'symlinksifowner|symlinkown'
    Will identify the right values

    reboot is required .
     
  5. Boris Horvat

    Boris Horvat Member

    Joined:
    Jul 29, 2014
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Split, Croatia, Croatia
    cPanel Access Level:
    Root Administrator
    sorry but that didnt help... :( ... is it possible to remove/delete/disable this warning or to uninstall that patch?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,037
    Likes Received:
    1,280
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Please post the output from the following commands:

    Code:
    cat /usr/local/cpanel/version
    sysctl -n kernel.grsecurity.symlinkown_gid
    sysctl -n kernel.grsecurity.enforce_symlinksifowner
    Thank you.
     
  7. Boris Horvat

    Boris Horvat Member

    Joined:
    Jul 29, 2014
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Split, Croatia, Croatia
    cPanel Access Level:
    Root Administrator
    [root@server ~]# cat /usr/local/cpanel/version
    11.62.0.16
    [root@server ~]# sysctl -n kernel.grsecurity.symlinkown_gid
    sysctl: cannot stat /proc/sys/kernel/grsecurity/symlinkown_gid: No such file or directory
    [root@server ~]# sysctl -n kernel.grsecurity.enforce_symlinksifowner
    sysctl: cannot stat /proc/sys/kernel/grsecurity/enforce_symlinksifowner: No such file or directory
    [root@server ~]#
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,037
    Likes Received:
    1,280
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  9. Boris Horvat

    Boris Horvat Member

    Joined:
    Jul 29, 2014
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Split, Croatia, Croatia
    cPanel Access Level:
    Root Administrator
    Support Request ID is: 8292381
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,037
    Likes Received:
    1,280
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Per the ticket, it looks like you were advised to seek out the support from your provider regarding the configuration of your kernel. Could you update us on the outcome of how that went?

    Thank you.
     
  11. Boris Horvat

    Boris Horvat Member

    Joined:
    Jul 29, 2014
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Split, Croatia, Croatia
    cPanel Access Level:
    Root Administrator
    From: OVH Support

    Hello,

    Thank you for contacting OVH regarding your custom configuration.

    This issue is pretty well know by cpanel and you
    will able able to find solutions on internet or internet forums. I found some
    information that can help as an start in the cpanel website her e is the link
    for that:

    Apache Symlink Protection Advisor
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,037
    Likes Received:
    1,280
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    That thread links to:

    CloudLinux Documentation

    Were you able to follow the steps in that document, as advised by your provider, to see if the issue persists?

    Thank you.
     
  13. Boris Horvat

    Boris Horvat Member

    Joined:
    Jul 29, 2014
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Split, Croatia, Croatia
    cPanel Access Level:
    Root Administrator
    yes...we follow all steps... whatever we done problem is still present...

    Your support said that the problem is with OVH custom kernel, and OVH support said that the problem is with CPanel.
     
    #13 Boris Horvat, Mar 16, 2017
    Last edited by a moderator: Mar 16, 2017
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,037
    Likes Received:
    1,280
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you respond to your provider to let them know that enabling the settings on the provided document did not help? You can have them open a ticket directly with us if they are unable to troubleshoot the issue further.

    Thank you.
     
  15. Boris Horvat

    Boris Horvat Member

    Joined:
    Jul 29, 2014
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Split, Croatia, Croatia
    cPanel Access Level:
    Root Administrator
    Answer from OVH:

    It is my pleasure to assist you to have this issue clarify. In case that you
    are having problems with the custom kernel from OVH. Our support is completely
    dedicated to the infrastructure of the service, so we wont be able to provide
    advised on this.
     
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,037
    Likes Received:
    1,280
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    It's possible you have not added to the correct entries to the /etc/sysctl.conf file on the system. Could you let us know the contents of that file? EX:

    Code:
    cat /etc/sysctl.conf
    The specific entries you need to add are documented at:

    Grsecurity/Appendix/Grsecurity and PaX Configuration Options - Wikibooks, open books for an open world

    EX:

    Code:
    kernel.grsecurity.enforce_symlinksifowner = 1
    kernel.grsecurity.symlinkown_gid = 99
    You'd then run the following command:

    Code:
    sysctl -p
    Thank you.
     
  17. Boris Horvat

    Boris Horvat Member

    Joined:
    Jul 29, 2014
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Split, Croatia, Croatia
    cPanel Access Level:
    Root Administrator
    [root@server ~]# cat /etc/sysctl.conf
    # sysctl settings are defined through files in
    # /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
    #
    # Vendors settings live in /usr/lib/sysctl.d/.
    # To override a whole file, create a new file with the same in
    # /etc/sysctl.d/ and put new settings there. To override
    # only specific settings, add a file with a lexically later
    # name in /etc/sysctl.d/ and put new settings there.
    #
    # For more information, see sysctl.conf(5) and sysctl.d(5).

    # Disable IPv6 autoconf
    net.ipv6.conf.all.autoconf = 0
    net.ipv6.conf.default.autoconf = 0
    net.ipv6.conf.eth0.autoconf = 0
    net.ipv6.conf.all.accept_ra = 0
    net.ipv6.conf.default.accept_ra = 0
    net.ipv6.conf.eth0.accept_ra = 0

    kernel.enforce_symlinksifowner = 1
    kernel.symlinkown_gid = 99[root@server ~]#
     
  18. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,037
    Likes Received:
    1,280
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Try replacing these values with:

    Code:
    kernel.grsecurity.enforce_symlinksifowner = 1
    kernel.grsecurity.symlinkown_gid = 99
    Then run the following command:

    Code:
    sysctl -p
    Thank you.
     
  19. Boris Horvat

    Boris Horvat Member

    Joined:
    Jul 29, 2014
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Split, Croatia, Croatia
    cPanel Access Level:
    Root Administrator
    [root@server ~]# sysctl -p
    net.ipv6.conf.all.autoconf = 0
    net.ipv6.conf.default.autoconf = 0
    net.ipv6.conf.eth0.autoconf = 0
    net.ipv6.conf.all.accept_ra = 0
    net.ipv6.conf.default.accept_ra = 0
    net.ipv6.conf.eth0.accept_ra = 0
    sysctl: cannot stat /proc/sys/kernel/grsecurity/enforce_symlinksifowner: No such file or directory
    sysctl: cannot stat /proc/sys/kernel/grsecurity/symlinkown_gid: No such file or directory
    [root@server ~]#
     
  20. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,037
    Likes Received:
    1,280
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    This is a limitation of the kernel offered by your provider. You may want to contact them to see if it's possible to boot into a stock kernel, or request assistance from additional members of their support team if they are unable to provide you with a reliable answer.

    Thank you.
     
Loading...

Share This Page