Kernel symlink ownership attacks, while Jailshell & mod_ruid2 enabled

Discussion in 'Security' started by EneTar, Nov 6, 2016.

  1. EneTar (Well-Known Member, Root Administrator)

    After updating to WHM 60.15 and EasyApache 4 I noticed this on Security Advisor.
    I'm running this system with PHP-FPM. I also have Jailed Apache enabled and mod_ruid2.

    Please see the attached screenshot.

    I have read this (Symlink Race Condition Protection - EasyApache - cPanel Documentation) but I'm not sure what else to do, as I have already enabled mod_ruid + jailshell.

    Is the above warning a false positive? Or should I do something else? Do I have to do something like this? (How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation)

  2. Tim Gall (Registered, Root Administrator)

    Just researching this at the moment. I found a new option in the apache3 exhaustive options list called "Symlink Race Condition Protection". I'm guessing that's the solution, but I received a warning about performance when I selected it, so personally I'm still looking for more info on this.
     
  3. Tim Gall (Registered, Root Administrator)

    Disregard my previous comment. I'm still in the dark with this one. I have run ruid2+jailshell for some time... the Security Advisor message only appeared after upgrading to v60 build 15. If I understand this properly, applying the symlink patch is considered a separate last-resort solution. Ruid2+jailshell is one of the preferred solutions.
    This post might help anyone looking: New security advisor for symlink ownership attacks
     
  4. hackboys (Active Member)

  5. EneTar (Well-Known Member, Root Administrator)

    So it seems that I have to replace the CentOS 6 kernel with cPanel's. Are there any disadvantages to this one? I really would appreciate an official answer from cPanel. Does the cPanel kernel receive updates, and is it safe regarding other security and performance issues?

    Noob question: What will happen if I disable FollowSymLinks and enable only SymLinksIfOwnerMatch? Is this an alternative?
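On the question above of switching from FollowSymLinks to SymLinksIfOwnerMatch only: the two flags interact through Apache's Options merging rules, and a tenant's .htaccess can put FollowSymLinks back unless AllowOverride stops it. The Python below is an added example, not code from the thread, Apache or cPanel, that models that merging for the symlink flags; every directive line it evaluates is constructed for the demo, and the account layout (`<Directory /home/user/public_html>`) is an assumption. It starts from Apache 2.4's built-in default of `Options FollowSymLinks`, treats `All` as Apache defines it (Indexes, Includes, FollowSymLinks, ExecCGI), and reflects that Apache's symlink resolver skips the owner comparison entirely whenever FollowSymLinks is set, so setting both flags gives you plain FollowSymLinks.

```python
"""Effective Apache Options for the symlink flags once <Directory> sections
and a tenant's .htaccess are merged. Added example; all directives are constructed."""

ALL = {"Indexes", "Includes", "FollowSymLinks", "ExecCGI"}    # Apache's "All": everything but MultiViews
KNOWN = ["Indexes", "Includes", "IncludesNOEXEC", "FollowSymLinks",
         "SymLinksIfOwnerMatch", "ExecCGI", "MultiViews", "All", "None"]
CANON = {n.lower(): n for n in KNOWN}    # Apache matches option names case-insensitively


def canon(name):
    try:
        return CANON[name.lower()]
    except KeyError:
        raise ValueError(f"unknown option {name!r}") from None


def options_args(line):
    """Arguments of an `Options ...` line (the keyword itself is case-insensitive)."""
    words = line.split()
    if not words or words[0].lower() != "options":
        raise ValueError(f"not an Options directive: {line!r}")
    return words[1:]


def merge_options(inherited, line):
    """Apply one Options line to the inherited set, as Apache does:
    +name/-name adjust the inherited set, bare names replace it outright,
    and mixing both forms on one line is a configuration error."""
    args = options_args(line)
    relative = [a for a in args if a[0] in "+-"]
    if relative and len(relative) != len(args):
        raise ValueError(f"cannot mix absolute and relative Options: {line!r}")
    if not relative:
        result = set()
        for a in args:
            name = canon(a)
            if name != "None":
                result |= ALL if name == "All" else {name}
        return result
    result = set(inherited)
    for a in relative:
        name = canon(a[1:])
        names = ALL if name == "All" else {name}
        result = result | names if a[0] == "+" else result - names
    return result


def htaccess_permitted(allow_override, line):
    """Whether AllowOverride lets an .htaccess use this Options line.
    `Options=A,B` limits the names an .htaccess may use; an .htaccess that
    uses anything else makes Apache answer 500 for the whole tree."""
    for tok in allow_override.split():
        low = tok.lower()
        if low in ("all", "options"):
            return True
        if low.startswith("options="):
            permitted = {canon(x) for x in tok.split("=", 1)[1].split(",")}
            requested = {canon(a.lstrip("+-")) for a in options_args(line)}
            return requested <= permitted
    return False


def assess(opts):
    """Apache's symlink resolver follows links with no owner test whenever
    FollowSymLinks is set, even alongside SymLinksIfOwnerMatch; the owner
    comparison runs only when SymLinksIfOwnerMatch is set alone. Both the
    comparison and the refusal are lstat()-then-open checks, hence racy."""
    if "FollowSymLinks" in opts:
        return "followed unconditionally"
    if "SymLinksIfOwnerMatch" in opts:
        return "followed only when link and target owners match (racy check)"
    return "refused (racy check)"


def symlink_policy(config_lines, allow_override="None", htaccess=None):
    """Effective behaviour for one document tree. config_lines: Options lines
    from httpd.conf in merge order (server context, then <Directory> sections,
    shortest path first). Starts from Apache 2.4's default, Options FollowSymLinks."""
    opts = {"FollowSymLinks"}
    for line in config_lines:
        opts = merge_options(opts, line)
    state = "absent"
    if htaccess is not None:
        if not htaccess_permitted(allow_override, htaccess):
            return {"options": sorted(opts), "htaccess": "rejected",
                    "symlinks": "HTTP 500: Options not allowed here"}
        opts = merge_options(opts, htaccess)
        state = "applied"
    return {"options": sorted(opts), "htaccess": state, "symlinks": assess(opts)}


# Constructed scenario: the admin wants owner-match only for an account's
# document root, and the account's .htaccess tries to turn FollowSymLinks back on.
ADMIN = ["Options -FollowSymLinks +SymLinksIfOwnerMatch"]   # assumed <Directory /home/user/public_html>


def demo():
    return {
        "no_htaccess": symlink_policy(ADMIN),
        "override_allowed": symlink_policy(ADMIN, "Options", "Options +followsymlinks"),
        "override_restricted": symlink_policy(ADMIN, "Options=Indexes,MultiViews", "Options +FollowSymLinks"),
        "both_flags_set": symlink_policy(["Options FollowSymLinks SymLinksIfOwnerMatch"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result['symlinks']}  "
              f"({', '.join(result['options']) or 'none'}; .htaccess {result['htaccess']})")
```

Whatever the merged result is, both the owner comparison and the refusal are made with a separate lstat() before the open, which is what Apache's own documentation means when it says omitting FollowSymLinks should not be considered a security restriction because of race conditions; the kernel-level options discussed in this thread exist to move that decision into the kernel's path walk. Note also the lowercase `+followsymlinks` in the demo: Apache accepts it, so a case-sensitive grep of .htaccess files for the override will miss it.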
     
  6. cPanelMichael (Forums Analyst, Staff Member)

    Hello,

    The warning message in Security Advisor is noting that you have no kernel-level symlink protection enabled on your system. You can find the existing options for kernel-level symlink protection at:

    Symlink Race Condition Protection - EasyApache - cPanel Documentation

    In addition to the two solutions listed on that document, the cPanel patched kernel is another solution that offers kernel-level symlink protection:

    How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation

    A greater level of protection is offered when using a patched kernel as opposed to patching Apache only.

    Thank you.
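The difference between an Apache-level check and a kernel-level one comes down to whether the symlink decision and the file open are one operation or two. The Python below is an added example, not code from cPanel, Apache or this thread; the account layout, file names and sample secret it creates are constructed. `serve_racy` does what a SymLinksIfOwnerMatch-style check does in user space (lstat the link, stat the target, compare owners, then open by name); `serve_nofollow` instead opens each path component with O_NOFOLLOW, so the refusal is made inside the open() call. It stands in for kernel enforcement only loosely: it refuses every symlink, which is what FollowSymLinks off intends, whereas the cPanel patched kernel enforces the owner rule itself, something Python cannot reproduce. Because a test run has a single uid, the owner comparison passes trivially; on a shared host the attacker gets the same result by pointing the link at a file they own, and the swap afterwards is what hands the other account's file to the Apache user.

```python
"""Check-then-open versus open-with-O_NOFOLLOW for a symlink in a tenant's
document root. Added example; layout and sample secret are constructed. Linux only."""
import errno
import os
import shutil
import tempfile


def owner_matches(path):
    """SymLinksIfOwnerMatch-style test on the final component: the link's
    owner must equal the owner of what it resolves to. This is a separate
    system call from the open() that follows, and that gap is the race."""
    return os.lstat(path).st_uid == os.stat(path).st_uid


def serve_racy(path, attacker_hook=None):
    """Apache-style user-space check, then open by name. `attacker_hook`
    stands in for the attacker winning the timing race, so the demo is
    deterministic instead of a busy loop."""
    if not owner_matches(path):
        raise PermissionError("symlink owner mismatch")
    if attacker_hook:
        attacker_hook()
    with open(path, "rb") as f:       # follows whatever the link points at now
        return f.read()


def open_nofollow(root_fd, relpath):
    """Open relpath beneath an already-open directory fd one component at a
    time with O_NOFOLLOW, so refusing to cross a symlink happens inside open()
    itself. Refuses every symlink (the intent of FollowSymLinks off); it does
    not reproduce the owner rule that the cPanel kernel patch enforces."""
    parts = [p for p in relpath.split("/") if p and p != "."]
    if not parts or ".." in parts:
        raise PermissionError(f"rejected path {relpath!r}")
    fd = None
    try:
        for i, part in enumerate(parts):
            flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
            if i < len(parts) - 1:
                flags |= os.O_DIRECTORY
            try:
                new_fd = os.open(part, flags, dir_fd=root_fd if fd is None else fd)
            except OSError as e:
                if e.errno == errno.ELOOP:     # O_NOFOLLOW met a symlink
                    raise PermissionError(f"refusing to follow symlink at {part!r}") from e
                raise
            if fd is not None:
                os.close(fd)
            fd = new_fd
        return fd
    except BaseException:
        if fd is not None:
            os.close(fd)
        raise


def serve_nofollow(docroot, relpath, attacker_hook=None):
    """Same request; the symlink decision is part of the open itself."""
    root_fd = os.open(docroot, os.O_RDONLY | os.O_DIRECTORY)
    try:
        if attacker_hook:
            attacker_hook()     # nothing to race: there is no prior check to pass
        fd = open_nofollow(root_fd, relpath)
    finally:
        os.close(root_fd)
    with os.fdopen(fd, "rb") as f:
        return f.read()


def demo():
    """Constructed layout: two accounts under one hosting root. The attacker's
    link first points at the attacker's own file, then is swapped (atomically,
    via rename) to the victim's config. Returns (bytes the racy server sent,
    refusal message from the O_NOFOLLOW server)."""
    base = tempfile.mkdtemp(prefix="symlink-race-")
    try:
        att_root = os.path.join(base, "attacker", "public_html")
        vic_root = os.path.join(base, "victim", "public_html")
        os.makedirs(att_root)
        os.makedirs(vic_root)
        harmless = os.path.join(att_root, "harmless.txt")
        secret = os.path.join(vic_root, "wp-config.php")
        with open(harmless, "w") as f:
            f.write("nothing to see here\n")
        with open(secret, "w") as f:
            f.write("define('DB_PASSWORD', 'hunter2');\n")   # constructed sample
        link = os.path.join(att_root, "link")
        os.symlink(harmless, link)

        def swap_link():
            tmp = link + ".swap"      # rename() is atomic: the path never goes missing
            os.symlink(secret, tmp)
            os.rename(tmp, link)

        leaked = serve_racy(link, swap_link)
        os.remove(link)
        os.symlink(harmless, link)    # reset for the second variant
        try:
            serve_nofollow(att_root, "link", swap_link)
            refused = None
        except PermissionError as e:
            refused = str(e)
        return leaked, refused
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    leaked, refused = demo()
    print("check-then-open served:", leaked.decode().rstrip())
    print("O_NOFOLLOW open:", refused)
```

A real attacker loops the swap instead of being handed a hook and wins some fraction of requests; because rename() keeps the link present throughout, there is no error to notice, only a response body that is the other account's config. mod_ruid2 with Jailed Apache, or CageFS, is meant to keep other accounts' files out of reach of the process doing the open, and a kernel-level check removes the window altogether; the Apache-level options only shrink it.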
     
  7. EneTar (Well-Known Member, Root Administrator)

    Hi Michael, and thank you for your answer, but I have already read (and posted above) both of these articles and I still have concerns:

    1) Do we need the kernel patch if we already have mod_ruid + jailshell enabled? What's the difference?
    2) Does the cPanel kernel replace the default one, or is it just a patch to the default one?
    3) If it is a new kernel, is it maintained and does it receive updates through the repo?

    Thank you for your time
     
  8. cPanelMichael (Forums Analyst, Staff Member)

    Hello,

    It's not required, but kernel-level protection or CageFS from CloudLinux are solutions that offer a greater level of security. Also, using Apache-level patches (e.g. the BlueHost patch) can slow the performance of the server. To note, our documentation team is working on a new document that specifies the various options available to you on EasyApache 4.

    It replaces the default kernel on your system; however, note it's essentially the CentOS kernel patched to protect against symlink attacks.

    Yes, it's maintained and updated in a similar fashion to the stock kernel.

    Thank you.