Kernel symlink protection warning in security advisor

Discussion in 'Security' started by dvk01uk, Oct 18, 2017.

  1. dvk01uk

    dvk01uk Member

    This warning has suddenly started to appear in Security Advisor since the update to 66.0.26:

    Kernel symlink protection is not enabled for CentOS 6. You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protect beyond those solutions employed in userland. Please review the following documentation to learn how to apply this protection.

    There is no link to anywhere.
    There used to be.
    I do have the recommended KernelCare patch applied: The KernelCare "Extra" Patchset for CentOS 6 & 7 with symlink protection is here

    It was working properly with no warnings before 66.0.26. What has changed in this update?
     
  2. cPWilliamL

    cPWilliamL cP Technical Analyst II
    Staff Member

    Hi @dvk01uk,

    Reviewing the changelogs and the code, I am not seeing any changes that would cause this. I believe it may be that KernelCare hasn't pushed a patch yet. Please see if KernelCare reports unknown:
    Code:
    # kcarectl -i
    If so, you'll need to update KernelCare or wait for them to push a patch for the latest version:
    Code:
    # kcarectl --auto-update
    Thanks,
     
  3. dvk01uk

    dvk01uk Member

    Looks like I have to re-apply this setting after every cPanel update. The added lines stay in sysctl.conf but I have to run the 2 sysctl instructions after each cPanel update.

    What does cPanel do to that, to remove protections?

    To enable Symlink Owner Match Protection, add the following lines:

    fs.enforce_symlinksifowner = 1
    fs.symlinkown_gid = 48
    Into /etc/sysconfig/kcare/sysctl.conf.

    And run:

    sysctl -w fs.enforce_symlinksifowner=1
    sysctl -w fs.symlinkown_gid=99
    Note: On standard RPM Apache installation, Apache is usually running under GID 48. On cPanel servers, Apache is running under user nobody, GID 99.
     
  4. david364

    david364 Member

    The two Symlink options must not both be enabled at the same time due to a race condition that can allow root references, but simply disabling WHM > Service Configuration > Apache Configuration > Global Configuration > Directory “/” Options > FollowSymLinks and enabling SymLinksIfOwnerMatch fixes security, if no .htaccess files override these settings. The Security Advisor apparently has several bugs in it that have not been fixed in WHM 66.0.26, so you must ignore its continuing complaints. For me, it shows two incorrect errors and one incorrect warning.
     
  5. 24x7server

    24x7server Well-Known Member

    Do you have CloudLinux installed? If yes, then you might need. You have to analyse what user is being used by the web browser and use the corresponding UID of that user only in it to have a proper usage. As well, you have to make sure that if you are on a new cPanel update, then you also have to enable the symlink protection from within the Apache configuration in the WHM...
     
  6. quizknows

    quizknows Well-Known Member

    The protection shouldn't be removed with updates. Do you have "fs.symlinkown_gid = 48" in your /etc/sysctl.conf? If so, that needs to be 99 on cPanel systems. Once that option and fs.enforce_symlinksifowner are set, you can just run "sysctl -p" to enforce them.

    Do not rely on the patch in EA anymore. There are known bypasses in the wild. Use the CloudLinux or equivalent free KernelCare option if at all possible (or ITK/RUID if that works in your environment).
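
The thread turns on a mismatch between what is persisted (GID 48 in the config file) and what is running (GID 99 set with sysctl -w). The script below is an added example, not code from any poster or from cPanel/KernelCare, that reports drift between the two. The function names are hypothetical, and it assumes the running values are exposed under /proc/sys/fs/, which only holds on a kernel that carries the symlink-protection patch.

```shell
#!/bin/sh
# Added example: compare persisted and running symlink-protection sysctls.
# Usage: sh audit.sh /etc/sysconfig/kcare/sysctl.conf 99
# (99 = GID of "nobody" on cPanel servers, per the thread; 48 on stock Apache)

# Print the last value assigned to KEY in a sysctl-style file (empty if unset).
conf_value() {
    [ -r "$1" ] || return 0
    awk -F= -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        { k = $1; v = $2
          gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
          if (k == key) val = v }
        END { print val }' "$1"
}

# Print the running value of KEY under PROC_SYS_ROOT (dots become slashes).
running_value() {
    cat "$1/$(printf '%s' "$2" | tr . /)" 2>/dev/null || true
}

# Report every mismatch; return 0 only when file and kernel both match.
# The third argument (hypothetical) lets a test point at a fake /proc/sys.
audit_symlink_protection() {
    conf=$1 gid=$2 root=${3:-/proc/sys} rc=0
    for pair in "fs.enforce_symlinksifowner=1" "fs.symlinkown_gid=$gid"; do
        key=${pair%%=*} want=${pair#*=}
        saved=$(conf_value "$conf" "$key")
        live=$(running_value "$root" "$key")
        if [ "$saved" != "$want" ]; then
            echo "PERSISTED $key: file='${saved:-unset}' expected='$want'"; rc=1
        fi
        if [ "$live" != "$want" ]; then
            echo "RUNNING   $key: kernel='${live:-unset}' expected='$want'"; rc=1
        fi
    done
    return $rc
}

if [ "$#" -ge 2 ]; then
    audit_symlink_protection "$@"
fi
```

A PERSISTED line means the value will be wrong after the next reboot or reload; a RUNNING line with kernel='unset' means the booted kernel does not expose the setting at all.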
     