Security Advisor: Symlink Ownership Attack Message with ModRUID2 and Jailed Apache

Discussion in 'Security' started by linux4me2, Apr 20, 2017.

  1. linux4me2

    linux4me2 Well-Known Member

    I am running CENTOS 6.8 x86_64 kvm – host cPanel & WHM 64.0 (build 15) with ModRUID2 and Jailed Apache enabled. When I run Security Advisor, I still get the warning:

    I have noticed that the ModRUID2 + jailed Apache option has been removed from the documentation for symlink ownership attack protection. Technically, it's true that our kernel doesn't support prevention of symlink ownership attacks, but aren't we still adequately protected with ModRUID2 and jailed Apache?

    We don't have the option of CloudLinux or the cPanel-hardened kernel (neither is allowed on our host's VPS accounts) and the Bluehost patch doesn't provide sufficient protection, so ModRUID2 + jailed Apache has been our go-to solution.

    Security Advisor does still give us green checkmarks for:

    and

    although we don't have the Bluehost patch enabled in Apache's global configuration.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @linux4me2,

    Protection at the kernel level is recommended as the most effective approach to prevent symlink attacks, but you are correct that Mod_Ruid2 combined with the "Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell" option in "WHM >> Tweak Settings" does offer decent protection against symlink attacks. There's a post here where the overall topic of symlink protection is discussed in more detail:

    EasyApache4 symlink race protection

    Thank you.
     
  3. linux4me2

    linux4me2 Well-Known Member

    Thanks, Michael. I did read that article when I was researching our options, and for some time we were getting by with just setting all our configuration files to 600 permissions. When we were migrated to a KVM VPS from Virtuozzo, I was hopeful that we could use the cPanel-hardened kernel, but the new web host (Liquid Web) doesn't allow custom kernels on their VPS because they say custom kernels can adversely affect the host system. For now, mod_ruid2 and jailshell seem to be the way for us to go. I was really just hoping implementing them would get Security Advisor back to "all green." I miss our "all green" Security Advisor scan. : )
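
An added example, not part of the thread and not cPanel's or Security Advisor's code: on a server without kernel-level symlink protection, an administrator can periodically audit each account's home for the two conditions the posts above rely on, namely symlinks that resolve outside the account or to another user's file, and configuration files that are not restricted to mode 600. The file names in `CONFIG_NAMES` and the issue labels are assumptions chosen for illustration.

```python
import os
import stat
import sys

# Assumption: file names treated as configuration files that should be mode 600.
CONFIG_NAMES = {"wp-config.php", "configuration.php", "config.php", ".env"}


def audit_home(home):
    """Walk one account's home directory; return a sorted list of (issue, path)."""
    home = os.path.realpath(home)
    findings = []
    # followlinks=False: symlinked directories are listed but never descended into.
    for dirpath, dirnames, filenames in os.walk(home, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                info = os.lstat(path)  # describes the link itself, not its target
            except OSError:
                continue
            if stat.S_ISLNK(info.st_mode):
                target = os.path.realpath(path)
                if os.path.commonpath([home, target]) != home:
                    findings.append(("symlink-leaves-home", path))
                try:
                    target_info = os.stat(path)  # follows the link
                except OSError:
                    findings.append(("symlink-dangling", path))
                    continue
                if target_info.st_uid != info.st_uid:
                    findings.append(("symlink-owner-mismatch", path))
            elif stat.S_ISREG(info.st_mode) and name in CONFIG_NAMES:
                # Any group or other permission bit means the file is wider than 600.
                if stat.S_IMODE(info.st_mode) & 0o077:
                    findings.append(("config-too-permissive", path))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python3 audit.py /home/account1 /home/account2 ...
    for account_home in sys.argv[1:]:
        for issue, path in audit_home(account_home):
            print(f"{issue}\t{path}")
```

Run it as root so every account's files can be inspected; a dangling link is reported because its target can appear later.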
     