Imunify360 and Imunify Sensor Blog

The KernelCare "Extra" Patchset for CentOS 6 & 7 with symlink protection is here

The KernelCare extra patchset includes all of KernelCare's security fixes for CentOS 6 and CentOS 7, plus symlink protection against symlink race attacks.

A symlink race attack is commonly used against shared hosting servers: a malicious user creates a symbolic link to files that belong to other users and has the web server serve those files through the link. It is frequently used to read other users' config.php files.

This extra patchset also includes the IPSet bugfix for CentOS 6.

We recommend you install this patchset for KernelCare running on CentOS 6 and CentOS 7. It is a requirement for Imunify360 for CentOS 6.

Note: for CloudLinux OS users this patch is already compiled into the kernel.

The extra patchset is available in KernelCare version 2.12-5 and newer.

To enable the extra patches and apply them immediately, run:

kcarectl --set-patch-type extra --update

To enable the extra patches without updating now, run:

kcarectl --set-patch-type extra

The 'extra' patches will then be applied at the next automatic update.

To see patch details, run:

kcarectl --patch-info

You should see something similar to:

OS: centos6
kernel: kernel-2.6.32-696.6.3.el6
time: 2017-07-31 22:46:22
uname: 2.6.32-696.6.3.el6

kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection // If you see this patch, it means that you can enable symlink protection.
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/

kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/

kpatch-name: 2.6.32/ipset-fix-list-shrinking.patch
kpatch-description: fix ipset list shrinking for no reason
kpatch-kernel: N/A
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://bugs.centos.org/view.php?id=13499

To enable Symlink Owner Match Protection, add the following lines:

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48

to /etc/sysconfig/kcare/sysctl.conf, then apply them to the running kernel with:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=48

Note: on a standard RPM Apache installation, Apache usually runs under GID 48. On cPanel servers, Apache runs as user nobody, GID 99, so set fs.symlinkown_gid to 99 there.
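The following script is an added example, not code from the original post or from KernelCare itself. It ties the two checks above together for an administrator: it confirms from `kcarectl --patch-info` output that the symlink-protection kpatch is actually present, writes the two sysctl settings into /etc/sysconfig/kcare/sysctl.conf (replacing any earlier values while keeping unrelated lines), and applies them only if the running kernel exposes the fs.enforce_symlinksifowner knob. The function names, the embedded sample patch-info text, and the choice of GID are this example's own assumptions; the file path and sysctl keys come from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the KernelCare project):
# verify, persist and apply Symlink Owner Match Protection.
# Assumptions: /etc/sysconfig/kcare/sysctl.conf and the two sysctl keys are
# as described in the post; the admin passes the Apache GID (48 for an RPM
# Apache, 99 for cPanel's "nobody").

# Constructed sample of `kcarectl --patch-info` output, trimmed to the
# fields this example looks at.
SAMPLE_PATCH_INFO='OS: centos6
kernel: kernel-2.6.32-696.6.3.el6

kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection
kpatch-kernel: kernel-2.6.32-279.2.1.el6

kpatch-name: 2.6.32/ipset-fix-list-shrinking.patch
kpatch-description: fix ipset list shrinking for no reason'

# Return 0 if the given patch-info text lists a symlink-protection kpatch,
# 1 otherwise. Feed it "$(kcarectl --patch-info)" on a real server.
patch_info_has_symlink_protection() {
    printf '%s\n' "$1" | grep -q '^kpatch-name: .*symlink-protection'
}

# Render the two sysctl lines for a given Apache GID; reject non-numeric input
# so a typo cannot end up in the config file.
render_kcare_sysctl() {
    gid="$1"
    case "$gid" in
        ''|*[!0-9]*) echo "invalid gid: $gid" >&2; return 1 ;;
    esac
    printf 'fs.enforce_symlinksifowner = 1\nfs.symlinkown_gid = %s\n' "$gid"
}

# Write the settings into the KernelCare sysctl file, dropping any previous
# values of the same two keys and keeping every other line as it was.
write_kcare_sysctl() {
    file="$1"; gid="$2"
    tmp="$file.tmp.$$"
    settings=$(render_kcare_sysctl "$gid") || return 1
    if [ -f "$file" ]; then
        grep -v -e '^fs.enforce_symlinksifowner' -e '^fs.symlinkown_gid' \
            "$file" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf '%s\n' "$settings" >> "$tmp"
    mv "$tmp" "$file"
}

# Apply the settings to the running kernel. Returns 1 without changing anything
# when the kernel does not expose the knob, i.e. the extra patchset is not
# loaded yet; this is the case the post's commenters ran into.
apply_symlink_protection() {
    gid="$1"
    if [ ! -e /proc/sys/fs/enforce_symlinksifowner ]; then
        echo "fs.enforce_symlinksifowner not present: apply the extra patchset first" >&2
        return 1
    fi
    sysctl -w fs.enforce_symlinksifowner=1 >/dev/null &&
        sysctl -w fs.symlinkown_gid="$gid" >/dev/null
}

# Typical use as root on a CentOS/KernelCare host (not run automatically here):
#   patch_info_has_symlink_protection "$(kcarectl --patch-info)" &&
#   write_kcare_sysctl /etc/sysconfig/kcare/sysctl.conf 48 &&
#   apply_symlink_protection 48
```

Run the three functions in that order: the patch-info check tells you the patch has been delivered, the write step makes the setting survive future KernelCare reloads, and the apply step refuses to run on a kernel that has not yet picked up the extra patchset instead of failing halfway through.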

See http://docs.cloudlinux.com/index.html?symlink_owner_match_protection.html for details.


Comments (15)

by Guest - john / Tuesday, 22 August 2017 19:19

not working for me, plus you typed some of it wrong

kcarectl --set-patch-type extra --update
usage: kcarectl [-h] [-i] [-u] [--unload] [--smart-update] [--auto-update]
[--local PATH] [--patch-info] [--freezer freezer] [--nofreeze]
[--force] [--uname] [--license-info] [--import-key PATH]
[--register KEY] [--register-autoretry] [--unregister]
[--check] [--test] [--prefix PREFIX] [--test-s3]
[--aws-access-key KEY] [--aws-secret-key KEY]
[--aws-region REGION] [--aws-bucket BUCKET]
[--aws-prefix PREFIX] [--nosignature]
[--set-monitoring-key KEY] [--doctor] [--enable-auto-update]
[--disable-auto-update] [--plugin-info] [--version]
kcarectl: error: unrecognized arguments: --set-patch-type extra

by Igor Seletskiy / Wednesday, 23 August 2017 02:07

Make sure you have the latest version of kernelcare. Do yum update kernelcare --> it should help.
by Guest - adm / Tuesday, 22 August 2017 20:07

kcarectl --set-patch-type extra --update
'extra' patch type selected
Downloading updates
HTTP Error 404: Not Found, Retrying in 3 seconds...
HTTP Error 404: Not Found, Retrying in 6 seconds...
HTTP Error 404: Not Found, Retrying in 12 seconds...
HTTP Error 404: Not Found
by Igor Seletskiy / Wednesday, 23 August 2017 02:08

It is only for CentOS. CloudLinux OS doesn't need that patch, as it is already included in the native kernel.
by Guest - Carlos / Wednesday, 23 August 2017 10:40

So now, how can we disable the extra patch to avoid 404 in all updates?
by Igor Seletskiy / Wednesday, 23 August 2017 12:12

kcarectl --set-patch-type default
by Guest - Chris Maxwell / Thursday, 05 October 2017 08:38

I think this information should be made more visible - I've been looking to find out if, as a CloudLinux customer, we needed to install this on our servers. I suggest adding a line to the article stating that it's not needed if you're using CloudLinux - this will help a lot of users.
by Kateryna Obiidykhata / Friday, 06 October 2017 09:52

Thank you for your feedback! We appreciate your notice and will add this information to the article.
by Guest - Joe / Wednesday, 23 August 2017 15:41

Awesome! Keep in mind you also need to set fs.symlinkown_gid accordingly for this to work correctly. For cPanel servers, this would be fs.symlinkown_gid=99
by Guest - Alejandro / Wednesday, 15 November 2017 14:14

When running this

# yum update kernelcare
Loaded plugins: fastestmirror, rhnplugin
Setting up Update Process
Loading mirror speeds from cached hostfile
* cpanel-addons-production-feed: 74.50.120.123
* cloudlinux-x86_64-server-6: xmlrpc.cln.cloudlinux.com
No Packages marked for Update

# kcarectl --set-patch-type extra
'extra' patch type is unavailable for current kernel

# uname -a
Linux xxx.xxx 2.6.32-673.26.1.lve1.4.18.el6.x86_64 #1 SMP Fri Oct 21 11:58:14 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux

What might be wrong?
by Guest - Alejandro / Wednesday, 15 November 2017 14:21

Forget my last post, I have read again just to find

Note. For CloudLinux OS users this patch has already been compiled in the kernel.
by Guest - Samet Chan / Wednesday, 13 December 2017 16:57

Will you support Debian and Plesk Onyx for installing this KernelCare?
by Igor Seletskiy / Wednesday, 13 December 2017 17:03

Debian/Plesk should be supported with the KC extension
by Guest - Alessio / Tuesday, 30 January 2018 14:58

not working for me:

[email protected] [~]# kcarectl --set-patch-type extra --update
Unknown Kernel (CentOS Linux 3.10.0-693.17.1.el7.x86_64)
[email protected] [~]# kcarectl --patch-info
Unknown kernel (CentOS Linux 3.10.0-693.17.1.el7.x86_64), no patches available
[email protected] [~]# yum update kernelcare
Plugin abilitati:fastestmirror, priorities, tsflags, universal-hooks
EA4 | 3.0 kB 00:00:00
cpanel-addons-production-feed | 2.9 kB 00:00:00
cpanel-plugins | 2.9 kB 00:00:00
kernelcare | 2.6 kB 00:00:00
stable-arch | 951 B 00:00:00
stable-generic | 951 B 00:00:00
stable-noarch | 951 B 00:00:00
system-base | 3.6 kB 00:00:00
system-extras | 3.4 kB 00:00:00
system-updates-released | 3.4 kB 00:00:00
Loading mirror speeds from cached hostfile
* EA4: 208.100.0.204
* cpanel-addons-production-feed: 208.100.0.204
23 packages excluded due to repository priority protections
No packages marked for update
by Alexandre Parubochyi / Wednesday, 31 January 2018 13:03

This version is in the list of supported ones. Please submit a ticket at https://cloudlinux.zendesk.com (KernelCare department) so our support team can help you with the issue.