CloudLinux Blog

The Symlink Protection patchset is available for free for CentOS 6 & 7, even if you are not running KernelCare
A few weeks ago we released the KernelCare "Extra" Patchset, with the security fixes and the symlink protection, to all KernelCare customers running CentOS kernels. Today we are pleased to share that you can get the Symlink Protection Patchset for CentOS 6 and 7 at no cost, even if you don't have a KernelCare license.

We have been discussing with the cPanel team how to help harden their customers' system kernels. This Symlink Protection Patchset protects CentOS 6 and 7 systems and helps defend shared hosting servers, including cPanel servers, against symlink attacks.

Symlink race attacks are frequently used against shared hosting servers. A malicious user creates a symbolic link to files that belong to other users, and the shared web server then serves those files through the link. The technique is often used to access config.php files that belong to other accounts. This patchset helps protect against such attacks.

Note that this patchset includes only the symlink protection and does not include the security fixes (those are available to KernelCare customers): you will still need to update the kernel and REBOOT each time a new CentOS kernel is released to keep your kernel secure.

We recommend the installation of this patchset on CentOS 6 and CentOS 7 to make your servers more secure.

How to install the free symlink protection patchset:

Below we provide instructions on how to install KernelCare and run this patchset for free. Though this symlink protection patchset is part of KernelCare, it does not require you to purchase a license or even register for the KernelCare free trial (if you choose to purchase a license at a later date, information on how to upgrade will be published in the documentation soon).

To enable the symlink protection, perform the following steps:

First, install KernelCare client:

curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash

Then enable the free patch type, which does not require a license:

kcarectl --set-patch-type free --update

The ‘free’ patch will be applied on the next update.

. . .

During the installation, you should see something similar to:


OS: CentOS6
kernel: kernel-2.6.32-696.el6
time: 2017-06-22 16:13:40
uname: 2.6.32-642.15.1.el6

kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection // If you see this patch, it mean that you can enable symlink protection.
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/

kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/


Edit the file /etc/sysconfig/kcare/sysctl.conf (or create it if it doesn't exist) - add the lines:

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48


Execute:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=48

Note: On a standard RPM Apache installation, Apache usually runs under GID 48. On cPanel servers, Apache runs as user nobody, GID 99. The fs.symlinkown_gid value must match the group your web server actually runs under.
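To make the effect of these two sysctl settings concrete, here is an added example (not CloudLinux's or KernelCare's code) that parses a sysctl.conf fragment, checks that it enables the protection for the web server's GID, and models the owner-match rule in simplified form. The config text, the UIDs and the assumption that the rule has no further exemptions are constructed for this demo.

```python
"""Added example, not part of the KernelCare patchset: parse a sysctl.conf
fragment, verify it enables symlink protection for the web server's GID, and
model the owner-match rule the patch enforces (simplified model; assumption:
no further exemptions are modelled)."""
from typing import Dict

# Constructed config fragments (assumed values, matching the post's note).
RPM_APACHE_CONF = "fs.enforce_symlinksifowner = 1\nfs.symlinkown_gid = 48\n"
CPANEL_CONF = """
# symlink protection for cPanel, where Apache runs as nobody (GID 99)
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99
"""


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' comments and blank lines are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def protection_enabled(settings: Dict[str, str], webserver_gid: int) -> bool:
    """True only if enforcement is on AND the GID matches the web server's
    group; a wrong GID (48 on a cPanel box) silently protects nothing."""
    return (settings.get("fs.enforce_symlinksifowner") == "1"
            and settings.get("fs.symlinkown_gid") == str(webserver_gid))


def may_follow_symlink(settings: Dict[str, str], process_gid: int,
                       link_owner_uid: int, target_owner_uid: int) -> bool:
    """Simplified model of the rule: a process running under symlinkown_gid
    may follow a symlink only if the link's owner also owns the target."""
    if settings.get("fs.enforce_symlinksifowner") != "1":
        return True                      # protection off: normal behaviour
    if str(process_gid) != settings.get("fs.symlinkown_gid"):
        return True                      # rule applies to the web server only
    return link_owner_uid == target_owner_uid


if __name__ == "__main__":
    cpanel = parse_sysctl(CPANEL_CONF)
    print("cPanel config protects GID 99:", protection_enabled(cpanel, 99))
    # user 1001 links to user 1002's config.php; Apache (GID 99) serves it?
    print("apache follows cross-owner link:", may_follow_symlink(cpanel, 99, 1001, 1002))
```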

Comments 112

Alexandre Parubochyi on Tuesday, 09 January 2018 08:15

Hi,
It usually takes a few days for a fresh kernel to become supported by KernelCare.

Guest - Alec Hanson on Tuesday, 09 January 2018 19:39

That is fantastic thanks.

Guest - RS200 on Tuesday, 09 January 2018 08:55

Hi,

I have CentOS 7 Plus on my VPS.

Do you support that kernel for the free patch? Thanks in advance

3.10.0-327.4.4.el7.centos.plus.x86_64

Irina Semenova on Tuesday, 09 January 2018 15:34

Hello!
Unfortunately, we do not support that kernel for the free patch now

Guest - hasan on Friday, 12 January 2018 18:08

Hi,

Is fs.enforce_symlinksifowner = 1 on any service? cPanel or DirectAdmin, ...

And about fs.symlinkown_gid, how do I find the correct number? Is there any command to run over SSH, like: id -g apache

Kateryna Obiidykhata on Friday, 12 January 2018 20:11

Hello,
Yes, to set this option use fs.enforce_symlinksifowner = 1

Please find the detailed instructions and settings for Symlink Owner Match Protection in our documentation - https://docs.cloudlinux.com/index.html?symlink_owner_match_protection.html

Guest - Red on Monday, 15 January 2018 12:06

I get "/etc/sysconfig/kcare/sysctl.conf: No such file or directory" on a cPanel server which means when I reboot the patchset is not applied until I run the final steps again:
sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99

What can I do to resolve this? Thanks

Alexandre Parubochyi on Tuesday, 16 January 2018 10:14

You can either create the file or just add the values to /etc/sysctl.conf

Guest - Thanos on Tuesday, 13 February 2018 22:31

Although I inserted the two lines:

fs.enforce_symlinksifowner=1
fs.symlinkown_gid=99


in "/etc/sysctl.conf" (the file "/etc/sysconfig/kcare/sysctl.conf" does not exist), I have to run again the commands:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99


after every server reboot, because I get this message:

Kernel symlink protection is not enabled for CentOS 6.
You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protect beyond those solutions employed in userland. Please review the following documentation to learn how to apply this protection.


I also get the message:

The system kernel is at version “”, but is set to boot to version “2.6.32-696.20.1.el6.x86_64”.
You must take one of the following actions to ensure the system is up-to-date:
Wait a few days for KernelCare to publish a kernel patch.
Reboot the system.


Any ideas how to fix that?

Alexandre Parubochyi on Wednesday, 14 February 2018 16:49

Please, submit a ticket at https://cloudlinux.zendesk.com (KernelCare department) so our support team can help you with the issue.
