SOLVED Symlink protection not found after upgrading

rs200

Active Member
Dec 4, 2017
40
9
8
Italy
cPanel Access Level
Root Administrator
Hello,

I have cPanel installed on a VPS with CentOS 7 Plus. Last week I installed a KernelCare license directly from the cPanel store, following the link in "Security Advisor".

After that, I uninstalled mod_ruid2 in order to install mod_http2 and mpm_worker, which is incompatible with mod_ruid2, and everything was OK.

Last night, after upgrading from 76.0.12 to 76.0.13, cPanel notified me that I do not have any protection against symlink race condition attacks.

Below is the output of the license info of kcare and the system.

Code:
kcarectl --license-info
Valid license found for IP XX.XXX.XX.XX
Code:
uname -r
3.10.0-327.4.4.el7.centos.plus.x86_64
But Security Advisor notifies me of this:
Code:
The system kernel is up-to-date at version “3.10.0-862.14.4.el7”.
What do I have to do?
 

rs200

I'll try to answer myself, but I'd like confirmation from someone at cPanel support :)

I found a CloudLinux post with instructions to install and configure the free symlink patchset on cPanel with CentOS 6/7:

Edit the file /etc/sysconfig/kcare/sysctl.conf and add the lines:

Code:
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48
Execute:

Code:
sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=48
Note: On standard RPM Apache installation, Apache is usually running under GID 48. On cPanel servers, Apache is running under user nobody, GID 99.

Do I have to follow these instructions? Thanks in advance.
 

rs200

Hi dalem and thanks for the reply,

I created the file syctl.config under /etc/sysconfig/kcare/ and added the 2 lines.

I ran the command

Code:
sysctl -w fs.enforce_symlinksifowner=1
but received this error

Code:
sysctl: cannot stat /proc/sys/fs/enforce_symlinksifowner: No such file or directory
What's the issue?
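The "cannot stat" error above is what the free symlink patchset looks like on a kernel that does not expose the knobs. As an added example (not from the thread or from CloudLinux), this pre-flight check tells the three states apart before anything is written with sysctl: knob absent (kernel unsupported), enabled with the GID Apache actually runs under on cPanel (user nobody), or present but misconfigured. The kernel string, /proc/sys/fs directory and passwd file are parameters so the same functions can be exercised on constructed input.

```shell
#!/bin/sh
# Added example (not from the thread or CloudLinux): pre-flight check for the
# free KernelCare symlink protection. The kernel string, /proc/sys/fs directory
# and passwd file are parameters so the checks can run against constructed input.

# CentOS-Plus kernels (the thread's 3.10.0-327.4.4.el7.centos.plus.x86_64) are
# custom kernels the free patchset does not cover; everything else is "stock".
kernel_flavour() {
    case "$1" in
        *centos.plus*) echo centosplus ;;
        *)             echo stock ;;
    esac
}

# Value of one fs.* knob under the given /proc/sys/fs directory, or
# "unsupported" when the file is absent (the "cannot stat" error in the thread).
sysctl_state() {
    if [ -e "$1/$2" ]; then cat "$1/$2"; else echo unsupported; fi
}

# GID to expect in fs.symlinkown_gid: cPanel runs Apache as user nobody
# (GID 99 on the thread's server), not the RPM default of 48.
apache_gid() {
    awk -F: '$1 == "nobody" { print $4; exit }' "$1"
}

# One-line verdict: unsupported kernel, enabled with the right GID, or misconfigured.
symlink_protection_report() {
    flavour=$(kernel_flavour "$1")
    enforce=$(sysctl_state "$2" enforce_symlinksifowner)
    gid=$(sysctl_state "$2" symlinkown_gid)
    want=$(apache_gid "$3")
    if [ "$enforce" = unsupported ]; then
        echo "kernel=$flavour protection=unsupported (sysctl not exposed by this kernel)"
    elif [ "$enforce" = 1 ] && [ "$gid" = "$want" ]; then
        echo "kernel=$flavour protection=enabled gid=$gid"
    else
        echo "kernel=$flavour protection=misconfigured enforce=$enforce gid=$gid expected_gid=$want"
    fi
}

# Live run: uname -r, the real /proc/sys/fs and /etc/passwd.
symlink_protection_report "$(uname -r)" /proc/sys/fs /etc/passwd
```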
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
Hello,


I've set up a new server with the same kernel as you and kernelcare but I'm not able to replicate a warning about symlink protection. Can you provide a screenshot or the exact verbiage that is notifying you of an error?
 

rs200

Hello,


I've set up a new server with the same kernel as you and kernelcare but I'm not able to replicate a warning about symlink protection. Can you provide a screenshot or the exact verbiage that is notifying you of an error?
Hi Lauren and thanks for the response,

the error is reported to me by "Security Advisor"; I'm copying it here:

Code:
Kernel does not support the prevention of symlink ownership attacks.
You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review the documentation to learn how to apply this protection.
This happened after the cPanel upgrade from 76.0.12 to 76.0.13; before this everything was OK!

And I can't see why "Security Advisor" notifies me of this:

Code:
The system kernel is up-to-date at version “3.10.0-862.14.4.el7”.
The kernel is not that; it's 3.10.0-327.4.4.el7.centos.plus.x86_64.

However, this is the output after the "kcarectl --update" command:

Code:
Kernel is safe
I suppose something went wrong after that cPanel upgrade.
 

cPanelLauren

Hi @rs200


KernelCare applies patches to your currently installed kernel to patch you up to the most recent version. It looks like KernelCare covers the patch you're on:

KernelCare Directory

I'm running KernelCare on an unsupported kernel and I am still unable to get the error you're receiving.

What is the output of the following:

Code:
kcarectl --info
Code:
kcarectl --patch-info
 

rs200

Hi @rs200

What is the output of the following:

Code:
kcarectl --info
Code:
kcarectl --patch-info
Output of the "kcarectl --info" command:

Code:
kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-327.4.4.el7.centos.plus.x86_64 ([email protected]r.dev.centos.org) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Wed Jan 6 00:35:56 UTC 2016
kpatch-build-time: Mon Nov  5 13:02:29 2018
kpatch-description: 240-:1544140428;3.10.0-862.14.4.el7
Output of the "kcarectl --patch-info" command. I'm reporting only the first and last lines, because it is too long and the forum doesn't allow me to post it entirely.

Code:
OS: centos7-plus
kernel: kernel-plus-3.10.0-327.4.4.el7.centos.plus
time: 2018-11-07 10:56:31

kpatch-name: 3.10.0/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
kpatch-description: KEYS: Fix keyring ref leak in join_session_keyring()
kpatch-kernel: >kernel-3.10.0-327.4.4.el7
kpatch-cve: CVE-2016-0728
kpatch-cvss: 7.2
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2016-0728
kpatch-patch-url: https://git.kernel.org/linus/23567fd052a9abb6d67fe8e7a9ccdd9800a540f2

kpatch-name: 3.10.0/KEYS-Fix-race-between-key-destruction-and-finding-a-.patch
kpatch-description: KEYS: Fix race between key destruction and finding a keyring by name
kpatch-kernel: >kernel-3.10.0-229.14.1.el7
kpatch-cve: CVE-2015-7872
kpatch-cvss: 7.2
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-7872
kpatch-patch-url: http://git.kernel.org/linus/94c4554ba07adbdde396748ee7ae01e86cf2d8d7

kpatch-name: 3.10.0/KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
kpatch-description: KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring
kpatch-kernel: >kernel-3.10.0-229.14.1.el7
kpatch-cve: CVE-2015-7872
kpatch-cvss: 7.2
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-7872
kpatch-patch-url: http://git.kernel.org/linus/f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61

kpatch-name: 3.10.0/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
kpatch-description: KEYS: Don't permit request_key() to construct a new keyring
kpatch-kernel: >kernel-3.10.0-229.14.1.el7
kpatch-cve: CVE-2015-7872
kpatch-cvss: 7.2
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-7872
kpatch-patch-url: http://git.kernel.org/linus/911b79cde95c7da0ec02f48105358a36636b7a71
.......
.......
.......
kpatch-name: 3.10.0/x86-kvm-vmx_vcpu_run-wrapper.patch
kpatch-description: vmx_vcpu_run wrapper
kpatch-kernel:
kpatch-cve:
kpatch-cvss:
kpatch-cve-url:
kpatch-patch-url:

uname: 3.10.0-862.14.4.el7
 

cPanelLauren

@rs200

That all looks good, can you please open a ticket using the link in my signature? I'd like to see if we can look further into this with access to the affected system. Once open please update here with the ticket ID so we can check in on it.


@baronn while that is an issue it's a completely different kernel version being affected.
 

rs200

@rs200

That all looks good, can you please open a ticket using the link in my signature? I'd like to see if we can look further into this with access to the affected system. Once open please update here with the ticket ID so we can check in on it.


@baronn while that is an issue it's a completely different kernel version being affected.
Hi Lauren, the ticket id is 10995477
 

cPanelLauren

Hi @rs200


I just wanted to update this thread with the status of the ticket.

  1. You're running the full KernelCare product, which will automatically update your kernel to their most updated version. As mentioned by @vacancy, sometimes there can be a gap between when the kernel is released and when KernelCare patches to support it. That isn't necessarily related to the issue here though.
  2. You're running a CentOS-Plus kernel, which is considered a custom kernel. While KernelCare (the full product) supports this, KernelCare Symlink Protection (free patch) does not. So you do not have symlink protection on the server.
  3. It doesn't seem as though you were getting notified that you didn't have symlink protection, but that the kernel itself didn't support it. We did find that the documentation was misleading and we subsequently opened a documentation case to have that resolved.
  4. The analyst advised you switch to a stock CentOS kernel and provided the following instructions (which I do quite often to test issues on my VPS using the same process):

In order to revert back, you would need to edit '/etc/yum.repos.d/CentOS-Base.repo'. I suggest making a backup of this file before making any changes to it:

Code:
cp /etc/yum.repos.d/CentOS-Base.repo{,.orig}
From there, you will need to make several changes to this file. In particular, the following are the lines that need to change:

Code:
[22:43:42 server [email protected] ~]cPs# egrep -e '^\[' -e '^enabled' -e '^exclude' -e '^includepkgs' /etc/yum.repos.d/CentOS-Base.repo
[base]
exclude=kernel-* grubby-*              <<<=== comment this line out
[updates]
exclude=kernel-* grubby-*              <<<=== comment this line out
[extras]
exclude=kernel-* grubby-*              <<<=== comment this line out
[centosplus]
enabled=1                                       <<<=== disable this by setting it to 0
exclude=                                         <<<=== comment this line out
includepkgs=kernel-plus*               <<<=== comment this line out
[22:43:53 server [email protected] ~]cPs#
After doing this, you will need to run 'yum update' in order to install a standard CentOS 7 kernel, then you will need to reboot into this kernel.

And if you're uncomfortable making any of these changes you might want to enlist the assistance of a qualified system administrator. If you don't have one already you might find one here: System Administration Services | cPanel Forums

Thanks!
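The repo edits from step 4, applied section by section with awk rather than by hand, as an added example (not the analyst's or cPanel's own script). It reads the repo file on stdin and writes the edited copy to stdout, so the result can be diffed against the .orig backup before it replaces the live file; a second function mirrors the analyst's egrep to confirm nothing still pins the kernel-plus packages.

```shell
#!/bin/sh
# Added example (not from the thread): apply the analyst's CentOS-Base.repo
# changes with awk. Input on stdin, edited copy on stdout; diff it against
# the .orig backup before installing it over the original.

# Comment out exclude= in [base], [updates] and [extras]; in [centosplus] set
# enabled=0 and comment out exclude= and includepkgs=. Other lines pass through.
revert_to_stock_kernel_repo() {
    awk '
        /^\[/ { section = $0 }
        section == "[base]" || section == "[updates]" || section == "[extras]" {
            if ($0 ~ /^exclude=/) { print "#" $0; next }
        }
        section == "[centosplus]" {
            if ($0 ~ /^enabled=/)                         { print "enabled=0"; next }
            if ($0 ~ /^exclude=/ || $0 ~ /^includepkgs=/) { print "#" $0; next }
        }
        { print }
    '
}

# What would still keep yum away from a stock kernel after the edit (mirrors
# the analyst's egrep): any live exclude=...kernel or includepkgs=kernel-plus.
remaining_kernel_blocks() {
    grep -E '^(exclude=.*kernel|includepkgs=kernel-plus)' || true
}

# Usage on the live system, keeping the backup the thread recommends:
#   cp /etc/yum.repos.d/CentOS-Base.repo{,.orig}
#   revert_to_stock_kernel_repo < /etc/yum.repos.d/CentOS-Base.repo.orig \
#       > /etc/yum.repos.d/CentOS-Base.repo
#   remaining_kernel_blocks < /etc/yum.repos.d/CentOS-Base.repo   # expect no output
```

After the edit, `yum update` followed by a reboot brings up the stock CentOS 7 kernel, exactly as the instructions above describe.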


 