Kernel symlink protection warning in security advisor

dvk01uk

This warning has suddenly started to appear in Security Advisor since the update to 66.0.26:

Kernel symlink protection is not enabled for CentOS 6.You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protect beyond those solutions employed in userland. Please review the following documentation to learn how to apply this protection.

There is no link to anywhere. There used to be.
I do have the recommended KernelCare patch applied: The KernelCare "Extra" Patchset for CentOS 6 & 7 with symlink protection is here

It was working properly with no warnings before 66.0.26. What has changed in this update?
 

cPWilliamL

cP Technical Analyst II
Staff member
Hi @dvk01uk,

Reviewing the changelogs and the code, I am not seeing any changes that would cause this. I believe it may be that KernelCare hasn't pushed a patch yet. Please see if KernelCare reports unknown:
Code:
# kcarectl -i
If so, you'll need to update KernelCare or wait for them to push a patch for the latest version:
Code:
# kcarectl --auto-update
Thanks,
 

dvk01uk

Looks like I have to re-apply this setting after every cPanel update. The added lines stay in sysctl.conf, but I have to run the 2 sysctl instructions after each cPanel update.

What does cPanel do to that, to remove protections?

To enable Symlink Owner Match Protection, add the following lines:

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48
Into /etc/sysconfig/kcare/sysctl.conf.

And run:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99
Note: On standard RPM Apache installation, Apache is usually running under GID 48. On cPanel servers, Apache is running under user nobody, GID 99.
 

david364

The two Symlink options must not both be enabled at the same time due to a race condition that can allow root references, but simply disabling WHM > Service Configuration > Apache Configuration > Global Configuration > Directory “/” Options > FollowSymLinks and enabling SymLinksIfOwnerMatch fixes security, if no .htaccess files override these settings. The Security Advisor apparently has several bugs in it that have not been fixed in WHM 66.0.26, so you must ignore its continuing complaints. For me, it shows two incorrect errors and one incorrect warning.
 

24x7server

What does cPanel do to that, to remove protections?
To enable Symlink Owner Match Protection, add the following lines:

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48
Into /etc/sysconfig/kcare/sysctl.conf.

And run:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99
Note: On standard RPM Apache installation, Apache is usually running under GID 48. On cPanel servers, Apache is running under user nobody, GID 99.
Do you have CloudLinux installed? If yes, then you might need. You have to analyse what user is being used by the web browser and use the corresponding UID of that user only in it to have a proper usage. As well, you have to make sure that if you are on new cPanel updates, then you also have to enable the symlink protection from within the Apache configuration in WHM...
 

quizknows

The protection shouldn't be removed with updates. Do you have "fs.symlinkown_gid = 48" in your /etc/sysctl.conf? If so, that needs to be 99 on cPanel systems. Once that option and fs.enforce_symlinksifowner are set, you can just run "sysctl -p" to enforce them.

Do not rely on the patch in EA anymore. There are known bypasses in the wild. Use the CloudLinux or equivalent free KernelCare option if at all possible (or ITK/RUID if that works in your environment).
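
Added example (not part of the thread, and not cPanel or KernelCare code): a small audit script that compares the two keys discussed above in the config file against what the running kernel reports, so a persisted GID of 48 alongside a runtime value of 99, or a setting lost after an update, shows up as drift. The function names and the `PROC_SYS` and `APACHE_GID` variables are hypothetical; 99 is assumed as the Apache GID, as stated for cPanel servers in the thread.

```shell
#!/bin/sh
# Added example: audit symlink-owner-match settings (config file vs. running kernel).

# Print the last value assigned to KEY in a sysctl.conf-style FILE (empty if unset).
conf_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*[#;]/ { next }              # skip comment lines
        { k = $1; gsub(/[[:space:]]/, "", k) }
        k == key { v = $2; gsub(/[[:space:]]/, "", v); val = v }
        END { print val }' "$1"
}

# Print the value the running kernel reports for KEY, or "absent" when the
# key does not exist (kernel without a symlink protection patch loaded).
# PROC_SYS is a hypothetical override so the check can be pointed at a test tree.
runtime_value() {
    path="${PROC_SYS:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo absent; fi
}

# Compare one key against the expected value in both places.
# Prints a status line; returns 0 only when config and runtime both match.
audit_key() {
    conf="$(conf_value "$1" "$2")"
    run="$(runtime_value "$2")"
    if [ "$conf" = "$3" ] && [ "$run" = "$3" ]; then
        echo "OK    $2=$3"
        return 0
    fi
    echo "DRIFT $2 want=$3 conf=${conf:-unset} runtime=$run"
    return 1
}

# Audit both keys from the thread. $2 is the GID Apache runs under
# (assumption: 99 on cPanel, 48 on a stock RPM Apache install).
audit_symlink_protection() {
    rc=0
    audit_key "$1" fs.enforce_symlinksifowner 1 || rc=1
    audit_key "$1" fs.symlinkown_gid "$2" || rc=1
    return "$rc"
}

# Runs only when asked, e.g.: sh audit.sh --check
if [ "${1:-}" = "--check" ]; then
    audit_symlink_protection /etc/sysconfig/kcare/sysctl.conf "${APACHE_GID:-99}"
fi
```

Run with `--check` from cron or after each update; a non-zero exit status means the file, the running kernel, or both disagree with the expected values.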