Kernel does not support the prevention of symlink ownership attacks.

planetjoin

Hello people!

I need some help ;)

I have a few servers online with CentOS 6.8 x86_64 / WHM 62.0 (build 15).

I'd compiled PHP as suPHP with suexec with mod_ruid2
and I just updated the kernel to the latest version: 2.6.32-642.15.1.el6.x86_64

When I run Security Advisor I get:

Apache Symlink Protection: mod_ruid2 loaded in Apache
mod_ruid2 is enabled in Apache. To ensure that this aids in protecting from symlink attacks, Jailed Apache needs to be enabled. If this not set properly, you should see an indication in Security Advisor (this page) in the sections for “Apache vhosts are not segmented or chroot()ed” and “Users running outside of the jail”. If those are not present, your users should be properly jailed. Review Symlink Race Condition Protection for further information.

I can't enable Jail Apache because the system is running with suPHP.
Must I change it to "cgi"? Is it secure? Should I expect changes to PHP scripts?
(fcgi does not appear in the dropdown, only suphp, dso and cgi.)

I also get this message :

Kernel does not support the prevention of symlink ownership attacks.
You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review the documentation to learn how to apply this protection.

Question:
If I enable mod_ruid2 and change to cgi, I can enable Apache jail, and then Symlink Protection is OK? Or do I need to do something with the kernel too?


For example, on one of my servers I've already migrated from EasyApache 3 to EasyApache 4, and there mod_ruid2 is running with Apache jail properly, but the kernel message still appears.

Any help would be appreciated ;)

Regards
Fabian
 
cPanelMichael


planetjoin

Hello,

The use of the cPanel-hardened kernel would provide your system with protection against symlink attacks and thus you would not have to utilize Mod_Ruid2 and the "Jail Apache Users" feature. More information about the cPanel-hardened kernel is available at:

How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation

Thank you.
Thanks Michael!

Last questions :

1 - I always update the kernel using: yum update -y (after I install the cPanel system's kernel, the next time I need to update the kernel, do I need to do everything the above link explains again, or is just yum -y update kernel OK?)
2 - Can using this cPanel kernel affect something on my servers?

Regards and thanks in advance
Fabian
 

cPanelMichael

2 - Can using this cPanel kernel affect something on my servers?
It's a straightforward process to switch to the cPanel-hardened kernel. I've not seen any reports of issues with the conversion, but the potential for unexpected issues exists any time you reboot a system or change the kernel. Thus, we strongly suggest that only experienced System Administrators perform this process, as documented at:

How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation

1 - I always update the kernel using: yum update -y (after I install the cPanel system's kernel, the next time I need to update the kernel, do I need to do everything the above link explains again, or is just yum -y update kernel OK?)
No, you only need to take the steps referenced in the document above one time, and your system will then automatically detect when a new cPanel-hardened kernel is available. That said, do make note of the behavior referenced on the following thread:

Latest Kernel not Hardened?

Thank you.