SOLVED Symlink protection not found after upgrading

Discussion in 'Security' started by rs200, Dec 12, 2018.

  1. rs200

    rs200 Member

    Joined:
    Dec 4, 2017
    Messages:
    23
    Likes Received:
    5
    Trophy Points:
    3
    Location:
    Italy
    cPanel Access Level:
    Root Administrator
    Hello,

    I have cPanel installed on a VPS with CentOS 7 Plus. Last week I installed a KernelCare license directly from the cPanel store, following the link in "Security Advisor".

    After that, I uninstalled mod_ruid2 in order to install mod_http2 and mpm_worker, which is incompatible with mod_ruid2, and everything was OK.

    Last night, after upgrading from 76.0.12 to 76.0.13, cPanel notified me that I do not have any protection against symlink race condition attacks.

    Below is the output of the kcare license info and the system.

    Code:
    kcarectl --license-info
    Valid license found for IP XX.XXX.XX.XX
    
    Code:
    uname -r
    3.10.0-327.4.4.el7.centos.plus.x86_64
    
    But Security Advisor notifies me of this:
    Code:
    The system kernel is up-to-date at version “3.10.0-862.14.4.el7”.
    What do I have to do?
     
    #1 rs200, Dec 12, 2018
    Last edited: Dec 12, 2018
  2. rs200

    I'll try to answer myself, but I'd like confirmation from someone at cPanel support :)

    I found a CloudLinux post with instructions to install and configure the free symlink patchset on cPanel with CentOS 6/7:

    Edit the file /etc/sysconfig/kcare/sysctl.conf and add the lines:

    Code:
    fs.enforce_symlinksifowner = 1
    fs.symlinkown_gid = 48
    Execute:

    Code:
    sysctl -w fs.enforce_symlinksifowner=1
    sysctl -w fs.symlinkown_gid=48
    Note: On standard RPM Apache installation, Apache is usually running under GID 48. On cPanel servers, Apache is running under user nobody, GID 99.

    Do I have to follow these instructions? Thanks in advance.
     
  3. dalem

    dalem Well-Known Member PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,909
    Likes Received:
    127
    Trophy Points:
    368
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    Yes, but it should be

    Code:
    fs.enforce_symlinksifowner = 1
    fs.symlinkown_gid = 99
     
  4. rs200

    Hi dalem, and thanks for the reply.

    I created the file syctl.config under /etc/sysconfig/kcare/ and added the 2 lines.

    I ran the command

    Code:
    sysctl -w fs.enforce_symlinksifowner=1
    but received this error

    Code:
    sysctl: cannot stat /proc/sys/fs/enforce_symlinksifowner: No such file or directory
    What's the issue?
     
  5. dalem

    Don't think CL has a patch set for your kernel yet.

    kcarectl --update

    and it will tell you. Unsure if it covers the centos.plus kernel.
     
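A read-only pre-check for the situation in posts 2 to 5, added here as an example (it is not from the thread, CloudLinux or cPanel): it looks for the two sysctl keys before any `sysctl -w` is attempted and compares the configured GID with the web server's. The function name, the return codes and the use of the `nobody` user (taken from the note in post 2) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread.
# check_symlink_protection PROC_SYS_DIR EXPECTED_GID
# Return codes (a convention made up for this example):
#   0 enforced with the expected GID
#   1 running kernel does not expose the keys (patchset not loaded)
#   2 keys exist but fs.enforce_symlinksifowner is 0
#   3 enforced, but fs.symlinkown_gid is not the web server's GID
check_symlink_protection() {
    proc_sys=${1:-/proc/sys}
    want_gid=$2
    enforce_file=$proc_sys/fs/enforce_symlinksifowner
    gid_file=$proc_sys/fs/symlinkown_gid

    # Missing files are what made `sysctl -w` fail with "cannot stat".
    if [ ! -r "$enforce_file" ] || [ ! -r "$gid_file" ]; then
        echo "unsupported: symlink sysctls missing under $proc_sys/fs"
        return 1
    fi
    enforce=$(cat "$enforce_file")
    gid=$(cat "$gid_file")
    if [ "$enforce" = 0 ]; then
        echo "disabled: fs.enforce_symlinksifowner=0"
        return 2
    fi
    if [ "$gid" != "$want_gid" ]; then
        echo "gid-mismatch: fs.symlinkown_gid=$gid, expected $want_gid"
        return 3
    fi
    echo "ok: fs.enforce_symlinksifowner=$enforce fs.symlinkown_gid=$gid"
    return 0
}

# Check the live kernel against the GID of the user Apache runs as
# ("nobody" on cPanel according to the note in post 2).
check_symlink_protection /proc/sys "$(id -g nobody 2>/dev/null)" || true
```

A result of 1 means writing the values to sysctl.conf cannot help until the running kernel carries the patchset.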
  6. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,476
    Likes Received:
    507
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello,


    I've set up a new server with the same kernel as you and kernelcare but I'm not able to replicate a warning about symlink protection. Can you provide a screenshot or the exact verbiage that is notifying you of an error?
     
  7. rs200

    Hi Lauren, and thanks for the response.

    The error is reported to me by "Security Advisor"; I quote it here:

    Code:
    Kernel does not support the prevention of symlink ownership attacks.
    You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review the documentation to learn how to apply this protection.
    
    This happened after upgrading cPanel from 76.0.12 to 76.0.13; before this everything was OK!

    And I can't see why "Security Advisor" notifies me of this:

    Code:
    The system kernel is up-to-date at version “3.10.0-862.14.4.el7”.
    The kernel is not that, but it's 3.10.0-327.4.4.el7.centos.plus.x86_64

    However, this is the output after the "kcarectl --update" command:

    Code:
    Kernel is safe
    I suppose something went wrong after that cPanel upgrade.
     
  8. cPanelLauren

    Hi @rs200


    KernelCare applies patches to your currently installed kernel to patch you up to the most recent version. It looks like KernelCare covers the patch you're on:

    KernelCare Directory

    I'm running KernelCare on an unsupported kernel and I am still unable to get the error you're receiving.

    What is the output of the following:

    Code:
    kcarectl --info
    Code:
    kcarectl --patch-info
     
  9. rs200

    Output of "kcarectl --info" command

    Code:
    kpatch-state: patch is applied
    kpatch-for: Linux version 3.10.0-327.4.4.el7.centos.plus.x86_64 ([email protected]r.dev.centos.org) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Wed Jan 6 00:35:56 UTC 2016
    kpatch-build-time: Mon Nov  5 13:02:29 2018
    kpatch-description: 240-:1544140428;3.10.0-862.14.4.el7
    
    Output of the "kcarectl --patch-info" command. I am posting the first and last lines, because it is too long and the forum doesn't allow me to post it entirely.

    Code:
    OS: centos7-plus
    kernel: kernel-plus-3.10.0-327.4.4.el7.centos.plus
    time: 2018-11-07 10:56:31
    
    kpatch-name: 3.10.0/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
    kpatch-description: KEYS: Fix keyring ref leak in join_session_keyring()
    kpatch-kernel: >kernel-3.10.0-327.4.4.el7
    kpatch-cve: CVE-2016-0728
    kpatch-cvss: 7.2
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2016-0728
    kpatch-patch-url: https://git.kernel.org/linus/23567fd052a9abb6d67fe8e7a9ccdd9800a540f2
    
    kpatch-name: 3.10.0/KEYS-Fix-race-between-key-destruction-and-finding-a-.patch
    kpatch-description: KEYS: Fix race between key destruction and finding a keyring by name
    kpatch-kernel: >kernel-3.10.0-229.14.1.el7
    kpatch-cve: CVE-2015-7872
    kpatch-cvss: 7.2
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-7872
    kpatch-patch-url: http://git.kernel.org/linus/94c4554ba07adbdde396748ee7ae01e86cf2d8d7
    
    kpatch-name: 3.10.0/KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
    kpatch-description: KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring
    kpatch-kernel: >kernel-3.10.0-229.14.1.el7
    kpatch-cve: CVE-2015-7872
    kpatch-cvss: 7.2
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-7872
    kpatch-patch-url: http://git.kernel.org/linus/f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61
    
    kpatch-name: 3.10.0/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
    kpatch-description: KEYS: Don't permit request_key() to construct a new keyring
    kpatch-kernel: >kernel-3.10.0-229.14.1.el7
    kpatch-cve: CVE-2015-7872
    kpatch-cvss: 7.2
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-7872
    kpatch-patch-url: http://git.kernel.org/linus/911b79cde95c7da0ec02f48105358a36636b7a71
    .......
    .......
    .......
    kpatch-name: 3.10.0/x86-kvm-vmx_vcpu_run-wrapper.patch
    kpatch-description: vmx_vcpu_run wrapper
    kpatch-kernel:
    kpatch-cve:
    kpatch-cvss:
    kpatch-cve-url:
    kpatch-patch-url:
    
    uname: 3.10.0-862.14.4.el7
     
  10. baronn

    baronn Member

    Joined:
    Dec 27, 2017
    Messages:
    24
    Likes Received:
    6
    Trophy Points:
    3
    Location:
    manchester
    cPanel Access Level:
    Root Administrator
  11. cPanelLauren

    @rs200

    That all looks good, can you please open a ticket using the link in my signature? I'd like to see if we can look further into this with access to the affected system. Once open please update here with the ticket ID so we can check in on it.


    @baronn while that is an issue it's a completely different kernel version being affected.
     
  12. rs200

    Hi Lauren, the ticket id is 10995477
     
  13. vacancy

    vacancy Well-Known Member

    Joined:
    Sep 20, 2012
    Messages:
    278
    Likes Received:
    65
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    The first kernel of centos 7.6 was not patched by cloudlinux-kernelcare for 15-16 days.

    I will cancel my kernelcare licenses as soon as possible.
     
  14. cPanelLauren

    Hi @rs200


    I just wanted to update this thread with the status of the ticket.

    1. You're running the full KernelCare product, which will automatically update your kernel to their most updated version. As mentioned by @vacancy, sometimes there can be a gap between when the kernel is released and when KernelCare patches to support it. That isn't necessarily related to the issue here, though.
    2. You're running a CentOS-Plus kernel, which is considered a custom kernel. While KernelCare (the full product) supports this, KernelCare Symlink Protection (free patch) does not. So you do not have symlink protection on the server.
    3. It doesn't seem as though you were getting notified that you didn't have symlink protection, but that the kernel itself didn't support it. We did find that the documentation was misleading and we subsequently opened a documentation case to have that resolved.
    4. The analyst advised you switch to a stock CentOS kernel and provided the following instructions (which I do quite often to test issues on my VPS using the same process).

    In order to revert back, you would need to edit '/etc/yum.repos.d/CentOS-Base.repo'. I suggest making a backup of this file before making any changes to it:

    Code:
    cp /etc/yum.repos.d/CentOS-Base.repo{,.orig}
    From there, you will need to make several changes to this file. In particular, the following are the lines that need to change:

    Code:
    [22:43:42 server [email protected] ~]cPs# egrep -e '^\[' -e '^enabled' -e '^exclude' -e '^includepkgs' /etc/yum.repos.d/CentOS-Base.repo
    [base]
    exclude=kernel-* grubby-*      <<<=== comment this line out
    [updates]
    exclude=kernel-* grubby-*      <<<=== comment this line out
    [extras]
    exclude=kernel-* grubby-*      <<<=== comment this line out
    [centosplus]
    enabled=1                      <<<=== disable this by setting it to 0
    exclude=                       <<<=== comment this line out
    includepkgs=kernel-plus*       <<<=== comment this line out
    [22:43:53 server [email protected] ~]cPs#
    After doing this, you will need to run 'yum update' in order to install a standard CentOS 7 kernel, then you will need to reboot into this kernel.

    And if you're uncomfortable making any of these changes you might want to enlist the assistance of a qualified system administrator. If you don't have one already you might find one here: System Administration Services | cPanel Forums

    Thanks!


     
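The repo-file edits from the post above written as a script, added here as an illustration (it is not cPanel's or the analyst's own code). It assumes the file uses the section and key names shown in the `egrep` output; the function names and the sample file are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Prints FILE (or stdin) with the edits
# described above applied; nothing is modified in place.
revert_centosplus_repo() {
    awk '
        /^\[/ { section = $0 }                  # remember the current [section]
        section ~ /^\[(base|updates|extras)\]/ && /^exclude=.*kernel/ {
            print "#" $0; next                  # stop excluding stock kernels
        }
        section ~ /^\[centosplus\]/ && /^enabled=/ { print "enabled=0"; next }
        section ~ /^\[centosplus\]/ && /^(exclude|includepkgs)=/ {
            print "#" $0; next
        }
        { print }
    ' "${1:--}"
}

# In-place variant: keeps FILE.orig (the backup name used in the post).
apply_revert() {
    [ -e "$1.orig" ] || cp -p "$1" "$1.orig" || return 1
    tmp=$(mktemp) || return 1
    revert_centosplus_repo "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample with the sections/keys from the egrep output above;
# enabled=1 under [base] is added to show that it is left untouched.
sample_repo() {
    cat <<'EOF'
[base]
name=CentOS-$releasever - Base
enabled=1
exclude=kernel-* grubby-*
[updates]
exclude=kernel-* grubby-*
[extras]
exclude=kernel-* grubby-*
[centosplus]
enabled=1
exclude=
includepkgs=kernel-plus*
EOF
}

sample_repo | revert_centosplus_repo    # dry run on the sample
```

Comparing the dry-run output with the live file (for example with `diff`) before calling `apply_revert` shows exactly which lines will change.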
  15. vacancy
