Security Advisor: Symlink Ownership Attack Message with ModRUID2 and Jailed Apache

[linux4me2]

I am running CENTOS 6.8 x86_64 kvm – host cPanel & WHM 64.0 (build 15) with ModRUID2 and Jailed Apache enabled. When I run Security Advisor, I still get the warning:

Kernel does not support the prevention of symlink ownership attacks.

You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review the documentation to learn how to apply this protection.

I have noticed that the ModRUID2 + jailed Apache option has been removed from the documentation for symlink ownership attack protection. Technically, it's true that our kernel doesn't support prevention of symlink ownership attacks, but aren't we still adequately protected with ModRUID2 and jailed Apache?

We don't have the option of Cloudlinux or the cPanel-hardened kernel (neither are allowed on our host's VPS accounts) and the Bluehost patch doesn't provide sufficient protection, so ModRUID2 + jailed Apache has been our go-to solution.

Security Advisor does still give us green checkmarks for:

Jailed Apache is enabled

and

Apache Symlink Protection is enabled

although we don't have the Bluehost patch enabled in Apache's global configuration.

 

[cPanelMichael]

I have noticed that the ModRUID2 + jailed Apache option has been removed from the documentation for symlink ownership attack protection. Technically, it's true that our kernel doesn't support prevention of symlink ownership attacks, but aren't we still adequately protected with ModRUID2 and jailed Apache?

Hello @linux4me2,

Protection at the kernel level is recommended as the most effective approach to prevent symlink attacks , but you are correct that Mod_Ruid2 combined with the "Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell" option in "WHM >> Tweak Settings" does offer decent protection against symlink attacks. There's a post here where the overall topic of symlink protection is discussed in more detail:

EasyApache4 symlink race protection

Thank you.

 

[linux4me2]

Thanks Michael. I did read that article when I was researching our options, and for some time we were getting by with just setting all our configuration files to 600 permissions. When we were migrated to a KVM VPS from Virtuozzo, I was hopeful that we could use the cPanel-hardened kernel, but the new web host (Liquidweb) doesn't allow custom kernels on their VPS because they say custom kernels can adversely affect the host system. For now, mod_ruid2 and jailshell seem to be the way for us to go. I was really just hoping implementing them would get Security Advisor back to "all green." I miss our "all green" Security Advisor scan. : )