SOLVED Symlink Race Condition Protection

Discussion in 'Security' started by PCZero, Nov 30, 2016.

  1. PCZero

    PCZero Well-Known Member

    Tonight I went to WHM - Security Center - Security Advisor. The results were all green light except the following.


    RED - Kernel does not support the prevention of symlink ownership attacks.
    You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review the documentation to learn how to apply this protection.

    YELLOW - Apache Symlink Protection: the Bluehost provided Apache patch is in effect
    It appears that the Bluehost provided Apache patch is being used to provide symlink protection. This is less than optimal. Please review Symlink Race Condition Protection

    When I look into EasyApache 4 I see that these are the currently installed packages...

    Current Profile
    The currently installed packages on the server.

    Apache 2.4
    config
    config-runtime
    mod_bwlimited
    mod_cgi
    mod_dav
    mod_dav_fs
    mod_dav_lock
    mod_deflate
    mod_expires
    mod_headers
    mod_mpm_prefork
    mod_proxy
    mod_proxy_http
    mod_ruid2
    mod_security2
    mod_ssl
    mod_unique_id
    tools

    PHP 5.6
    libc-client
    pear
    php-bcmath
    php-calendar
    php-cli
    php-common
    php-curl
    php-devel
    php-ftp
    php-gd
    php-gettext
    php-iconv
    php-imap
    php-mbstring
    php-mcrypt
    php-mysqlnd
    php-pdo
    php-posix
    php-sockets
    php-xml
    php-zip
    runtime

    Others
    apr
    apr-util
    cpanel-tools
    documentroot
    libmcrypt
    modsec-sdbm-util
    php-cli
    profiles-cpanel



    In Tweak Settings the following are enabled.

    EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell.
    Use cPanel® jailshell by default


    I have read the discussion at Symlink Race Condition Protection - EasyApache - cPanel Documentation but that is very confusing. Please help me fix this!
     
  2. SysSachin

    SysSachin Well-Known Member

    You are using EA4 on your server so you need to enable Symlink Protection options in the WHM >> Service Configuration >> Apache Configuration

    Code:
    SymlinkProtect On|Off
    SymlinkProtectRoot /var/www/html
     
  3. PCZero

    PCZero Well-Known Member

    Thanks for the response. When I go to WHM >> Service Configuration >> Apache Configuration I have several options and I am guessing that the settings you reference should be under Global Configuration, however I am not sure where to make the changes. The only reference to SymLinks I see there are the following

    Directory "/" options
    ExecCGI default
    FollowSymLinks default
    Includes
    IncludesNOEXEC default
    Indexes default
    MultiViews
    SymLinksIfOwnerMatch default

    I am old and stupid thus I need the hold my hand instructions please!
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @PCZero,

    This is likely a false positive, and is discussed on the following thread:

    Apache Symlink Protection is enabled

    Additionally, I don't recommend enabling this feature unless it's the only option available on your system. It's documented at:

    cPanel Documentation - BlueHost Patch

    This message is suggesting a kernel-level solution, such as the cPanel hardened kernel. The updated link for EasyApache 4 is:

    Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

    @SysSachin, that option is actually only recommended as a last resort if additional symlink protection options aren't possible on the system. In addition, the option isn't available in the UI until cPanel version 62. This is discussed at:

    https://forums.cpanel.net/threads/ea4-and-bluehost-apache-patch.585762

    Thank you.
     
  5. PCZero

    PCZero Well-Known Member

    Michael I do not like the use of that option either. My issue is that I never enabled it and historically I had and still have ruid2 installed. I am still getting these warnings and errors. I am going to read the documentation you linked to see if that offers help. FYI CloudLinux is NOT an option. I will see if hardening the kernel is available to resolve this.

    However I am still concerned about getting that second flag. Again I never did anything to install/enable that. Should I be concerned and do I need to uninstall anything?
     
  6. PCZero

    PCZero Well-Known Member

    Michael done. I ran the cpanel kernel hardening and all is well. Both issues are no longer being reported. Thanks!
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    It's not actually enabled by default. That's a false positive and is discussed at:

    Apache Symlink Protection is enabled

    Thanks!
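
The "symlink race condition" named in the thread title is a check-then-use gap: ownership is checked on a path, and the path is resolved a second time when the file is opened. The C sketch below is an added example, not code from any poster, cPanel or Apache; the function names and the constructed temp file are assumptions, and it contrasts a path-based owner check with one made on the opened descriptor.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-use: the owner is checked on the path, then open() resolves
 * the path again. The path can point somewhere else by then. */
int open_checked_by_path(const char *path, uid_t owner)
{
    struct stat st;
    if (stat(path, &st) != 0 || st.st_uid != owner) {
        errno = EACCES;
        return -1;
    }
    return open(path, O_RDONLY);            /* second, unchecked resolution */
}

/* Use-then-check: resolve once, refuse a symlink as the final component,
 * then check the owner of the object that was actually opened. */
int open_checked_by_fd(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NONBLOCK keeps open() from hanging if the path is a FIFO */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;                  /* fails if path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

int main(void)
{
    char file[] = "/tmp/symdemoXXXXXX";     /* constructed sample file */
    char lnk[64];
    int fd = mkstemp(file);
    if (fd < 0) return 1;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    if (symlink(file, lnk) != 0) return 1;
    printf("by path, via link: %d\n", open_checked_by_path(lnk, geteuid()) >= 0);
    printf("by fd,   via link: %d\n", open_checked_by_fd(lnk, geteuid()) >= 0);
    printf("by fd,   direct:   %d\n", open_checked_by_fd(file, geteuid()) >= 0);
    unlink(lnk); unlink(file);
    return 0;
}
```

O_NOFOLLOW only guards the final path component, so a userland check like this is still weaker than enforcement in the kernel during path resolution.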
     