kernelcare symlink patch - centos 7 - cpanel 68.0.12

weblinks

Member
cPanel Access Level
Root Administrator
On CentOS 7.4 KVM, v68.0.12:

uname -r
3.10.0-693.5.2.el7.x86_64

kcarectl --info

kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-693.5.2.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) #1 SMP Fri Oct 20 20:32:50 UTC 2017
kpatch-build-time: Tue Oct 24 22:49:09 2017
kpatch-description: 2-free;3.10.0-693.5.2.el7

But in Security Advisor it's showing:

No symlink protection detected

You do not appear to have any symlink protection enabled on this server. You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.

May I ignore that warning? Please help.
 

weblinks

Member
cPanel Access Level
Root Administrator
Yes, I applied it as mentioned in the details.

Edit the file /etc/sysconfig/kcare/sysctl.conf and add the lines:
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99

Execute:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99
 

quizknows

Well-Known Member
cPanel Access Level
DataCenter Provider
OK, good :)

In that case you may need to wait for cPanel staff or open a ticket. With that said, if you don't get errors committing those sysctl parameters, your server is probably OK.
 

cPanelMichael

Administrator
Staff member
Hello,

Internal case CPANEL-16877 is open to address an issue where Security Advisor reports "No symlink protection detected" despite the server using the KernelCare "Extra" Patchset. In the meantime, you can safely ignore that warning if you've followed the instructions on setting it up (see here). I'll update this thread with more information on the status of this case as it becomes available.

Thank you.
 

weblinks

Member
cPanel Access Level
Root Administrator
Thanks, cPanelMichael, and yes, I followed the instructions mentioned in the blog link.
I will wait for an update from you when available.
 

dvk01uk

Member
After some cPanel updates and after any server reboot, I have to reapply this every time to get rid of the Security Advisor warning.

Execute:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99
 

cPanelMichael

Administrator
Staff member
Hi @weblinks and @dvk01uk,

There's no workaround to have Security Advisor output the correct result. It's a false positive, which is what internal case CPANEL-16877 will solve. I'll update this thread with more information on the status of this case as soon as it's available.

Thanks!
 

quizknows

Well-Known Member
cPanel Access Level
DataCenter Provider
If the settings are in your sysctl config files themselves, "sysctl -p $file" should commit them. If that is failing or is not persistent across reboots, try moving the settings to /etc/sysctl.conf itself and running just "sysctl -p" to commit them.

You can also run "sysctl --system" to have it apply your settings which will then be echoed to your terminal. This is a good way to make sure your changes are in files that are actually being parsed by the system.

Code:
[[email protected] ~]# sysctl --system
* Applying /etc/sysctl.conf ...
(snip)
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99
 
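The reboot problem and the persistence advice in the two posts above can be checked with a script like the following, an added example that was not posted by anyone in the thread. It compares the live values under /proc/sys with the settings found in config files, using the two keys and values from the thread; the function names and the optional root-directory argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread. The optional ROOT argument is a
# hypothetical parameter so the check can run against a constructed tree.

# Files that may carry the settings: the KernelCare file named in the thread,
# /etc/sysctl.conf, and the /etc/sysctl.d drop-ins (simplified list).
config_files() {
    for f in "$1/etc/sysconfig/kcare/sysctl.conf" "$1/etc/sysctl.conf" \
             "$1"/etc/sysctl.d/*.conf; do
        if [ -f "$f" ]; then echo "$f"; fi
    done
}

# Succeeds if some config file sets key $2 to value $3 (comment lines skipped).
# Does not model a later file overriding an earlier one.
persisted() {
    config_files "$1" | while IFS= read -r f; do
        awk -F= -v k="$2" -v v="$3" '
            /^[ \t]*[#;]/ { next }
            { n = $1; x = $2; gsub(/[ \t]/, "", n); gsub(/[ \t]/, "", x)
              if (n == k && x == v) found = 1 }
            END { exit (found ? 0 : 1) }' "$f" && echo "$f"
    done | grep -q .
}

# Succeeds if the live value under /proc/sys equals $3; the fs.* keys from the
# thread are absent when the kernel does not provide them.
runtime() {
    p="$1/proc/sys/$(echo "$2" | tr . /)"
    [ -r "$p" ] && [ "$(cat "$p")" = "$3" ]
}

# Returns 0 = active and persisted, 1 = not active now,
# 2 = active now but in none of the checked config files.
check_symlink_protection() {
    root=${1:-}
    status=0
    for kv in fs.enforce_symlinksifowner=1 fs.symlinkown_gid=99; do
        key=${kv%%=*}; val=${kv#*=}
        if ! runtime "$root" "$key" "$val"; then
            echo "$key: not set to $val at runtime"; return 1
        fi
        if ! persisted "$root" "$key" "$val"; then
            echo "$key: active but not found in any config file"; status=2
        fi
    done
    return "$status"
}
```

On a server, source the file and call check_symlink_protection with no argument; a return code of 2 matches the case where the values were only set with "sysctl -w".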

cPanelMichael

Administrator
Staff member
Hello,

To update, the resolution is planned for cPanel version 70 as part of internal case CPANEL-17016.

Thank you.
 

durangod

Well-Known Member
cPanel Access Level
Website Owner
How do I even get this patch?
 

cPanelMichael

Administrator
Staff member
So in v70, will symlink protection be installed automatically?
No, it's not installed automatically. The change in cPanel 70 allows for Security Advisor to detect the KernelCare free tier patch, as it does not do so in cPanel 68 and earlier.

Thank you.