CloudLinux Blog

The Symlink Protection patchset is available for free for CentOS 6 & 7, even if you are not running KernelCare

A few weeks ago we released the KernelCare "Extra" Patchset, with security fixes and symlink protection, to all KernelCare customers running CentOS kernels. Today we are pleased to share that you can get the Symlink Protection Patchset for CentOS 6 and 7 at no cost, even if you do not have a KernelCare license.

We have been working with the cPanel team on how to help harden their customers' system kernels. This Symlink Protection Patchset protects CentOS 6 and 7 systems and helps defend shared hosting servers, including cPanel servers, against symlink attacks.

A symlink race attack is frequently used against shared hosting servers. It allows a malicious user to serve files that belong to other users by creating a symbolic link to those files. It is often used to access config.php files that belong to others. This patchset helps protect against such attacks.

Note that this patchset includes only the symlink protection and does not include the security fixes (those are available to KernelCare customers). You will still need to update the kernel and REBOOT each time a new CentOS kernel is released to keep your kernel secure.

We recommend the installation of this patchset on CentOS 6 and CentOS 7 to make your servers more secure.

How to install the free symlink protection patchset:

Below we provide instructions on how to install KernelCare and run this patchset for free. Though this symlink protection patchset is part of KernelCare, it does not require you to purchase a license or even register for the KernelCare free trial (if you choose to purchase a license at a later date, information on how to upgrade will be published in the documentation soon).

To enable the symlink protection, perform the following steps:

First, install the KernelCare client:

curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash

Then enable the free patch type, which does not require a license:

kcarectl --set-patch-type free --update

The ‘free’ patch will be applied on the next update.

. . .

During the installation, you should see something similar to:


OS: CentOS6
kernel: kernel-2.6.32-696.el6
time: 2017-06-22 16:13:40
uname: 2.6.32-642.15.1.el6

kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection // If you see this patch, it mean that you can enable symlink protection.
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/

kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/


Edit the file /etc/sysconfig/kcare/sysctl.conf (or create it if it does not exist) and add the lines:

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48


Execute:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=48

Note: On a standard RPM Apache installation, Apache usually runs under GID 48. On cPanel servers, Apache runs under the user nobody, GID 99. Set fs.symlinkown_gid to the GID your web server actually runs as.
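Added example, not CloudLinux's or cPanel's own code: a POSIX sh helper that writes the two sysctl lines into the kcare sysctl.conf idempotently and then checks all three layers (the patch listed by kcarectl, the persisted file, and the live kernel values), which is useful because WHM Security Advisor does not report this protection. It assumes the output of `kcarectl --info` has been saved to a file, and that the GID you pass is the one Apache runs as (48 or 99).

```shell
# Added example (not CloudLinux code): persist the two sysctl lines idempotently
# and verify the free symlink-protection patch end to end. Assumes `kcarectl --info`
# output saved to a file; live values read from /proc/sys/fs (override: PROCSYS_FS).
# Rewrite CONF so it holds exactly one copy of each key, with the given GID.
write_symlink_sysctl() {
    conf="$1"; gid="$2"; tmp="$conf.tmp.$$"
    if [ -f "$conf" ]; then   # keep unrelated lines, drop stale copies of ours
        grep -v -E '^fs\.(enforce_symlinksifowner|symlinkown_gid)[[:space:]]*=' \
            "$conf" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'fs.enforce_symlinksifowner = 1\nfs.symlinkown_gid = %s\n' "$gid" >> "$tmp"
    mv "$tmp" "$conf"
}
# Print the value of KEY from a "key = value" file (last match wins).
conf_value() {
    grep "^$2[[:space:]]*=" "$1" 2>/dev/null | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}
# Constructed sample of `kcarectl --info`, modeled on the 3.10 output in the
# comments; on a real host use: kcarectl --info > /tmp/kcare.info
sample_kcare_info() {
    printf 'kpatch-state: patch is applied\nkpatch-description: 2-free;3.10.0-693.5.2.el7\n'
}
# 0 when KernelCare lists the patch, CONF persists the settings and the kernel
# enforces them live; prints one line per check. $3 = expected Apache GID.
verify_symlink_protection() {
    info="$1"; conf="$2"; gid="$3"; rc=0; fs="${PROCSYS_FS:-/proc/sys/fs}"
    # 2.6.32 lists "kpatch-name: .../symlink-protection.patch"; the 3.10 free
    # patch shows "kpatch-state: patch is applied" with a "-free;" description.
    if grep -q 'symlink-protection' "$info" || grep -q -- '-free;' "$info"; then
        echo "ok: KernelCare reports the symlink-protection patch"
    else
        echo "FAIL: patch not listed in kcarectl --info output"; rc=1
    fi
    if [ "$(conf_value "$conf" fs.enforce_symlinksifowner)" = 1 ] &&
       [ "$(conf_value "$conf" fs.symlinkown_gid)" = "$gid" ]; then
        echo "ok: $conf persists enforce=1 gid=$gid"
    else
        echo "FAIL: $conf missing or wrong"; rc=1
    fi
    live_e=$(cat "$fs/enforce_symlinksifowner" 2>/dev/null || true)
    live_g=$(cat "$fs/symlinkown_gid" 2>/dev/null || true)
    if [ "$live_e" = 1 ] && [ "$live_g" = "$gid" ]; then
        echo "ok: kernel enforcing for gid $gid"
    else
        echo "FAIL: live enforce='$live_e' gid='$live_g' (patch loaded? sysctl -w run?)"; rc=1
    fi
    return $rc
}
```

On a real host run `write_symlink_sysctl /etc/sysconfig/kcare/sysctl.conf 48`, apply the two `sysctl -w` commands above, then `kcarectl --info > /tmp/kcare.info && verify_symlink_protection /tmp/kcare.info /etc/sysconfig/kcare/sysctl.conf 48`.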


Comments 112

Guest - mustafa on Friday, 20 October 2017 23:42

Hello

/etc/sysconfig/kcare/sysctl.conf file does not exist

--

I try
sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=48

I checked /etc/sysctl.conf

But not added
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48

Irina Semenova on Monday, 23 October 2017 10:15

Hello!

The solution for this problem is - to create that file manually.

Guest - Anderson on Wednesday, 25 October 2017 03:48

You can help?

[[email protected]]# kcarectl --set-patch-type free --update
Unknown Kernel (CentOS Linux 3.10.0-693.5.2.el7.x86_64)

[[email protected]]# /usr/bin/kcarectl --update
Unknown Kernel (CentOS Linux 3.10.0-693.5.2.el7.x86_64)

[[email protected]]# kcarectl --info
Unknown kernel (CentOS Linux 3.10.0-693.5.2.el7.x86_64), no patches available

Irina Semenova on Thursday, 26 October 2017 14:21

Hello

We were preparing an update for this kernel. You can check today.

Guest - s on Wednesday, 25 October 2017 17:17

Hi, I did this and manually created sysctl.conf, then ran
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99 (for cPanel servers)

It still says "No symlink protection detected" in WHM security advisor.

Irina Semenova on Thursday, 26 October 2017 14:24

Hello

Sorry for the inconvenience! Unfortunately, Security Advisor does not detect The Symlink Protection patches.
We are working closely with cPanel to fix it.

For now, you can ignore such a message. Your kernel is protected if the patch was applied.

Note: Do not switch on Apache Symlink Protection

Guest - Alex on Monday, 30 October 2017 19:55

Hello,

I just installed the patch on a cloud server running "CENTOS 7.4 kvm", "WHM: v66.0.29".
I rebooted the server multiple times and I still see the message "You must reboot the server to apply kernel updates." on WHM.

Irina Semenova on Monday, 13 November 2017 11:22

Hello!
This is a known problem. A resolution for this case is planned for inclusion with cPanel version 68 and will ensure the reboot warning does not appear on systems using a custom kernel.
You may ignore that warning.

Guest - Mehmood Ahmed on Sunday, 12 November 2017 08:41

In CENTOS 7.4 kvm v68.0.12

uname -r
3.10.0-693.5.2.el7.x86_64

kcarectl --info

kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-693.5.2.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) #1 SMP Fri Oct 20 20:32:50 UTC 2017
kpatch-build-time: Tue Oct 24 22:49:09 2017
kpatch-description: 2-free;3.10.0-693.5.2.el7

But in Security Advisor it is showing:

No symlink protection detected

You do not appear to have any symlink protection enabled on this server. You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.

May I ignore that warning? Please help.

Igor Seletskiy on Wednesday, 15 November 2017 15:27

Security advisor doesn't know yet how to detect it. cPanel is working on it. You can ignore the warning.
