Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

No symlink protection detected

Discussion in 'Security' started by matt1206, May 31, 2018.

  1. matt1206

    matt1206 Active Member

    Joined:
    Dec 20, 2011
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Hi,

    Had a security alert from the server this evening stating "No symlink protection detected"

    I'm running Kernelcare, and have been since the server was provisioned in November last year. It's running the 'extra' patch set to protect against this, so just curious as to why cPanel isn't detecting this?

    Code:
    kcarectl --patch-info
    OS: centos7
    kernel: kernel-3.10.0-862.2.3.el7
    time: 2018-05-28 18:44:24
    
    
    
    kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
    kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
    kpatch-kernel:
    kpatch-cve:
    kpatch-cvss:
    kpatch-cve-url: http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
    kpatch-patch-url:
    
    kpatch-name: 3.10.0/paravirt-asm-definition.patch
    kpatch-description:
    kpatch-kernel:
    kpatch-cve:
    kpatch-cvss:
    kpatch-cve-url:
    kpatch-patch-url:
    
    kpatch-name: 3.10.0/symlink-protection-ge-862.patch
    kpatch-description: symlink protection
    kpatch-kernel: kernel-3.10.0-514.el7
    kpatch-cve: N/A
    kpatch-cvss: N/A
    kpatch-cve-url: N/A
    kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7
    
    kpatch-name: 3.10.0/symlink-protection-ge-862.kpatch-1.patch
    kpatch-description: symlink protection (kpatch adaptation)
    kpatch-kernel: kernel-3.10.0-514.el7
    kpatch-cve: N/A
    kpatch-cvss: N/A
    kpatch-cve-url: N/A
    kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7
    
    uname: 3.10.0-862.3.2.el7
     
  2. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,701
    Likes Received:
    72
    Trophy Points:
    203
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    have you added

    Edit the file /etc/sysconfig/kcare/sysctl.conf add the lines:

    fs.enforce_symlinksifowner = 1
    fs.symlinkown_gid = 99

    Execute:

    sysctl -w fs.enforce_symlinksifowner=1
    sysctl -w fs.symlinkown_gid=99
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    cPanelMichael and matt1206 like this.
  3. matt1206

    matt1206 Active Member

    Joined:
    Dec 20, 2011
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    I haven't, as I was under the impression this was only needed on the free patch they provide. I have paid kernelcare on all my servers.

    Edit: seems I was incorrect......will add those values now.
     
  4. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,701
    Likes Received:
    72
    Trophy Points:
    203
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    kernelcare dose not know how your Apache was installed or if its installed at all as kernelcare is not limited to cPanel servers.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    995
    Likes Received:
    41
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I'm no expert, so I could be talking rubbish.

    When I updated to V70 recently, I saw a message about the patched kernel being no longer relevent
    I don't recall the exact specifics, but I do recall that I ran 'Security Advisor' and just followed the links, to remove the patched kernel and install a new one.
    It was pretty seemless.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,378
    Likes Received:
    1,857
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello Matt,

    Can you confirm the warning no longer appears in WHM >> Security Advisor after applying those values? Note that CloudLinux documents those values at:

    CloudLinux Documentation

    Hi @keat63,

    The message you are referring to relates to the cPanel-hardened kernel that we offered in the past. We now recommend using KernelCare (they offer a free patch) in lieu of the cPanel-hardened kernel. You can read more about this at:

    70 Release Notes - Version 70 Documentation - cPanel Documentation

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice