Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Kernel does not support the prevention of symlink ownership attacks.

Discussion in 'Security' started by planetjoin, Feb 25, 2017.

Tags:
  1. planetjoin

    planetjoin Active Member

    Joined:
    Oct 14, 2003
    Messages:
    41
    Likes Received:
    0
    Trophy Points:
    156
    cPanel Access Level:
    Root Administrator
    Hello people!

    I need some help ;)

    I have few servers online with CENTOS 6.8 x86_64 / [WHM 62.0 (build 15)

    I´d compiled PHP as suphp with suexec with mod_ruid2
    and i just updated the kernel to the last version : 2.6.32-642.15.1.el6.x86_64

    When i run security advisor i get :

    I can´t enable Jail Apache because the system is running with suphp.
    I must to change it to "cgi" ? is secure? i must to expect changes on php scripts?
    (in the dropdown not appears fcgi, only suphp, dso and cgi)

    I also get this message :

    Question :
    if i enable mod_ruid2 and changing to cgi, I can enable Apache jail, and then, Symlink Protection is ok? or i need to do somethins with the kernel too?


    For example, In one of my servers, i´ve already migrated from easyapache3 to easyapache4 and there.. is running modruid2 with apache jail properly.. but still appears the kernel message.

    kernel.JPG

    Any help would be appreciated ;)

    Regards
    Fabian
     
    #1 planetjoin, Feb 25, 2017
    Last edited by a moderator: Feb 25, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  3. planetjoin

    planetjoin Active Member

    Joined:
    Oct 14, 2003
    Messages:
    41
    Likes Received:
    0
    Trophy Points:
    156
    cPanel Access Level:
    Root Administrator
    Thanks Michael!

    Last questions :

    1 - I always update kernel using : yum update -y (after i install the cpanel system´s kernel, the next time i need to update kernel, i need to do all as the above link explain again, or just with yum -y update kernel is ok ?)
    2 - Use this cpanel kernel, can affect something in my servers?

    Regards and thanks in advance
    Fabian
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    It's a straightforward process to switch to the cPanel-hardened kernel. I've not seen any reports of issues with the conversion, but the potential for unexpected issues exists any time you reboot a system or change the kernel. Thus, we strongly suggest that only experienced System Administrators perform this process, as documented at:

    How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation

    No, you only need to take the steps referenced in the document above one time, and your system will then automatically detect when a new cPanel-hardened kernel is available. That said, do make note of the behavior referenced on the following thread:

    Latest Kernel not Hardened?

    Thank you.
     
Loading...

Share This Page