Boris Horvat

Active Member
Jul 29, 2014
26
1
51
Split, Croatia, Croatia
cPanel Access Level
Root Administrator
OS: Centos 7
Kernel: OVH kernel 3.14.32-xxxx-grs-ipv6-64

cPanel Security Advisor
Apache Symlink Protection: Grsecurity sysctl valuesIt seems that your sysctl keys, enforce_symlinksifowner, and symlinkown_gid, may not be configured correctly for a cPanel server. Typically, enforce_symlinksifowner is set to 1, and symlinkown_gid is set to 99 on a cPanel server. For further information, see the Grsecurity Documentation.
 
Last edited by a moderator:

Boris Horvat

Active Member
Jul 29, 2014
26
1
51
Split, Croatia, Croatia
cPanel Access Level
Root Administrator
not work...

i followed guide.
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99

added to /etc/sysctl.conf

this is results of sysctl -p:
sysctl: cannot stat /proc/sys/fs/enforce_symlinksifowner: No such file or directory
sysctl: cannot stat /proc/sys/fs/symlinkown_gid: No such file or directory
 

sktest123

Well-Known Member
Jan 31, 2017
99
6
8
kochin
cPanel Access Level
Root Administrator
It was for cloulinux based as there are several options for symlink patch , please revert , since you installed gr security patch just enable the settings as mentioned in the advisor just do a

sysctl -a | egrep 'symlinksifowner|symlinkown'
Will identify the right values

reboot is required .
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
Hello,

Please post the output from the following commands:

Code:
cat /usr/local/cpanel/version
sysctl -n kernel.grsecurity.symlinkown_gid
sysctl -n kernel.grsecurity.enforce_symlinksifowner
Thank you.
 

Boris Horvat

Active Member
Jul 29, 2014
26
1
51
Split, Croatia, Croatia
cPanel Access Level
Root Administrator
[[email protected] ~]# cat /usr/local/cpanel/version
11.62.0.16
[[email protected] ~]# sysctl -n kernel.grsecurity.symlinkown_gid
sysctl: cannot stat /proc/sys/kernel/grsecurity/symlinkown_gid: No such file or directory
[[email protected] ~]# sysctl -n kernel.grsecurity.enforce_symlinksifowner
sysctl: cannot stat /proc/sys/kernel/grsecurity/enforce_symlinksifowner: No such file or directory
[[email protected] ~]#
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
Hello,

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
Hello,

Per the ticket, it looks like you were advised to seek out the support from your provider regarding the configuration of your kernel. Could you update us on the outcome of how that went?

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
Hello,

That thread links to:

CloudLinux Documentation

Were you able to follow the steps in that document, as advised by your provider, to see if the issue persists?

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
Hello,

Could you respond to your provider to let them know that enabling the settings on the provided document did not help? You can have them open a ticket directly with us if they are unable to troubleshoot the issue further.

Thank you.
 

Boris Horvat

Active Member
Jul 29, 2014
26
1
51
Split, Croatia, Croatia
cPanel Access Level
Root Administrator
Answer from OVH:

It is my pleasure to assist you to have this issue clarify. In case that you
are having problems with the custom kernel from OVH. Our support is completely
dedicated to the infrastructure of the service, so we wont be able to provide
advised on this.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
Hello,

It's possible you have not added to the correct entries to the /etc/sysctl.conf file on the system. Could you let us know the contents of that file? EX:

Code:
cat /etc/sysctl.conf
The specific entries you need to add are documented at:

Grsecurity/Appendix/Grsecurity and PaX Configuration Options - Wikibooks, open books for an open world

EX:

Code:
kernel.grsecurity.enforce_symlinksifowner = 1
kernel.grsecurity.symlinkown_gid = 99
You'd then run the following command:

Code:
sysctl -p
Thank you.
 

Boris Horvat

Active Member
Jul 29, 2014
26
1
51
Split, Croatia, Croatia
cPanel Access Level
Root Administrator
[[email protected] ~]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

# Disable IPv6 autoconf
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.eth0.autoconf = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.eth0.accept_ra = 0

kernel.enforce_symlinksifowner = 1
kernel.symlinkown_gid = 99[[email protected] ~]#
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
kernel.enforce_symlinksifowner = 1
kernel.symlinkown_gid = 99
Try replacing these values with:

Code:
kernel.grsecurity.enforce_symlinksifowner = 1
kernel.grsecurity.symlinkown_gid = 99
Then run the following command:

Code:
sysctl -p
Thank you.
 

Boris Horvat

Active Member
Jul 29, 2014
26
1
51
Split, Croatia, Croatia
cPanel Access Level
Root Administrator
[[email protected] ~]# sysctl -p
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.eth0.autoconf = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.eth0.accept_ra = 0
sysctl: cannot stat /proc/sys/kernel/grsecurity/enforce_symlinksifowner: No such file or directory
sysctl: cannot stat /proc/sys/kernel/grsecurity/symlinkown_gid: No such file or directory
[[email protected] ~]#
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
Hello,

This is a limitation of the kernel offered by your provider. You may want to contact them to see if it's possible to boot into a stock kernel, or request assistance from additional members of their support team if they are unable to provide you with a reliable answer.

Thank you.