Kernel symlink ownership attacks, while Jailshell & mod_ruid2 enabled

EneTar (Well-Known Member, Greece; Dec 19, 2015; cPanel Access Level: Root Administrator)
After updating to WHM 60.15 and EasyApache 4 I noticed this on security advisor
Kernel does not support the prevention of symlink ownership attacks.
I'm running this system with PHP-FPM. I also have jailed apache enabled and mod_ruid2

/etc/redhat-release:CentOS release 6.8 (Final)
/usr/local/cpanel/version:11.60.0.15
/var/cpanel/envtype:kvm
CPANEL=release
Server version: Apache/2.4.23 (cPanel)
Server built: Oct 13 2016 19:47:28
ea-php-cli Copyright 2016 cPanel, Inc.
PHP 7.0.12 (cli) (built: Oct 18 2016 20:12:13) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
with Zend OPcache v7.0.12, Copyright (c) 1999-2016, by Zend Technologies
mysql Ver 15.1 Distrib 10.1.18-MariaDB, for Linux (x86_64) using readline 5.1
Please see the attached screenshot.

I have read this Symlink Race Condition Protection - EasyApache - cPanel Documentation, but I'm not sure what else to do, as I have already enabled mod_ruid + jailshell.

Is the above warning a false positive? Or should I do something else? Do I have to do something like this? How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation

Tim Gall (Registered, Brisbane, Australia; Aug 28, 2016; cPanel Access Level: Root Administrator)
Just researching this ATM. I found a new option in the apache3 exhaustive options list called "Symlink Race Condition Protection". I'm guessing that's the solution, but I received a warning about performance when I selected it, so personally I'm still looking for more info on this.
 

Tim Gall (Registered, Brisbane, Australia; Aug 28, 2016; cPanel Access Level: Root Administrator)
Disregard my previous comment. I'm still in the dark with this one. I have run ruid2+jailshell for some time... the security advisor message only appeared after upgrading to v60 build 15. If I understand this properly, applying the symlink patch is considered a separate last-resort solution. Ruid2+jailshell is one of the preferred solutions.
This post might help anyone looking: New security advisor for symlink ownership attacks
 

EneTar (Well-Known Member, Greece; Dec 19, 2015; cPanel Access Level: Root Administrator)
So it seems that I have to replace the CentOS 6 kernel with that of cPanel. Are there any disadvantages to this one? I really would appreciate an official answer from cPanel. Does the cPanel version of the kernel receive updates, and is it safe regarding other security and performance issues?

Noob question: What will happen if I disable FollowSymLinks and enable only SymLinksIfOwnerMatch? Is this an alternative?
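EneTar's question about FollowSymLinks versus SymLinksIfOwnerMatch: as an added example (not code from this thread or from cPanel), a Python audit of how Apache resolves those two Options per <Directory> scope, run over a constructed httpd.conf excerpt. It assumes Apache's documented merge rules: a bare Options list replaces the inherited set, +/- forms merge with it, Options All includes FollowSymLinks, and FollowSymLinks overrides SymLinksIfOwnerMatch when both are present.

```python
import re

# Apache's "Options All" expands to every option except MultiViews; it does
# NOT include SymLinksIfOwnerMatch, so "All" still follows any symlink.
ALL_OPTIONS = {"Indexes", "Includes", "FollowSymLinks", "ExecCGI"}

def effective_options(inherited, directive):
    """Apply one 'Options ...' line to the inherited option set."""
    words = directive.split()[1:]
    opts = set(inherited) if any(w[0] in "+-" for w in words) else set()  # bare list replaces
    for w in words:
        sign, name = (w[0], w[1:]) if w[0] in "+-" else ("+", w)
        names = ALL_OPTIONS if name == "All" else {name}
        opts = opts | names if sign == "+" else opts - names
    return opts

def symlink_risk(opts):
    if "FollowSymLinks" in opts:          # wins even when both options are set
        return "follows any symlink"
    if "SymLinksIfOwnerMatch" in opts:    # link and target must share an owner
        return "owner-checked"
    return "symlinks not followed"

def audit(config_text):
    """Return {scope: risk} for the server scope and each <Directory> block."""
    scopes, name = {"(server)": set()}, "(server)"
    for raw in config_text.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>', line, re.I)
        if opened:                        # a new scope starts from the server-level options
            name = opened.group(1)
            scopes[name] = set(scopes["(server)"])
        elif line.lower() == "</directory>":
            name = "(server)"
        elif line.lower().startswith("options "):
            scopes[name] = effective_options(scopes[name], line)
    return {scope: symlink_risk(o) for scope, o in scopes.items()}

# Constructed httpd.conf excerpt (hypothetical users, not from any real server).
SAMPLE_CONFIG = """\
Options FollowSymLinks
<Directory "/home/alice/public_html">
    Options -FollowSymLinks +SymLinksIfOwnerMatch
</Directory>
<Directory "/home/bob/public_html">
    Options FollowSymLinks SymLinksIfOwnerMatch
</Directory>
<Directory "/home/carol/public_html">
    Options All
</Directory>
"""
```

The script only reads the main configuration; where AllowOverride permits Options, a per-directory .htaccess can re-enable FollowSymLinks, so check that setting as well.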
 

cPanelMichael (Administrator, Staff member; Apr 11, 2011)
Hello,

The warning message in SecurityAdvisor is noting that you have no kernel-level symlink protection enabled on your system. You can find the existing options for kernel-level symlink protection at:

Symlink Race Condition Protection - EasyApache - cPanel Documentation:

In addition to the two solutions listed on that document, cPanel patched kernel is another solution that offers kernel-level symlink protection:

How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation

A greater level of protection is offered when using a patched kernel as opposed to patching Apache only.

Thank you.
 

EneTar (Well-Known Member, Greece; Dec 19, 2015; cPanel Access Level: Root Administrator)
Hi Michael and thank you for your answer but I have already read (and posted above) both of these articles and I still have concerns:

1) Do we need the kernel patch if we already have mod_ruid + jailshell enabled? What's the difference?
2) Does the cPanel kernel replace the default one or is it just a patch to the default one?
3) If it is a new kernel, is it maintained and does it receive updates through the repo?

Thank you for your time
 

cPanelMichael (Administrator, Staff member; Apr 11, 2011)
Hello,

1) Do we need the kernel patch if we already have mod_ruid + jailshell enabled? What's the difference?
It's not required, but kernel-level protection or CageFS from CloudLinux are solutions that offer a greater level of security. Also, using Apache-level patches (e.g. the BlueHost patch) can slow the performance of the server. To note, our documentation team is working on a new document that specifies the various options available to you on EasyApache 4.

2) Does the cPanel kernel replace the default one or is it just a patch to the default one?
It replaces the default kernel on your system, however note it's essentially the CentOS kernel patched to protect against symlink attacks.

3) If it is a new kernel, is it maintained and does it receive updates through the repo?
Yes, it's maintained and updated in a similar fashion to the stock kernel.

Thank you.
 