KernelCare Blog

The Symlink Protection patchset is available for free for CentOS 6 & 7, even if you are not running KernelCare

A few weeks ago we released the KernelCare "Extra" Patchset, which bundles the security fixes and the symlink protection, for all KernelCare customers running CentOS kernels. Today we are pleased to share that you can get the Symlink Protection Patchset for CentOS 6 and 7 at no cost, even if you don't have a KernelCare license.

We've been discussing with the cPanel team how to help harden their customers' kernels. This Symlink Protection Patchset protects CentOS 6 and 7 systems and helps defend shared hosting servers, including cPanel servers, against symlink attacks.

A symlink race attack is frequently used against shared hosting servers. It lets a malicious user read files that belong to other users by creating a symbolic link to those files inside his own web space and letting the shared web server follow it. It is often used to access other users' config.php files. This patchset helps protect against such attacks.
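As an added illustration (not part of the original post and not KernelCare code), the script below audits a document root for the kind of link the patchset targets: symlinks whose owner differs from the owner of the file they resolve to. With the protection enabled the web server is refused access to such links; on an unpatched host, running this over customer docroots shows whether any have been planted. The function names, the cPanel-style /home/*/public_html layout in the usage comment, and the reliance on GNU/BusyBox stat are my assumptions.

```shell
#!/bin/sh
# Added example for this post (not KernelCare code): list symlinks under a document
# root whose owner differs from the owner of the file they point at.  These are the
# links fs.enforce_symlinksifowner stops the web server (fs.symlinkown_gid) from
# following; on an unpatched host the list is what a shared web server would serve.
# Needs GNU or BusyBox stat (-c %u prints the numeric owner, -L follows the link).

# One line per finding:
#   CROSS-OWNER <link> -> <target> (link uid X, target uid Y)
#   DANGLING    <link> -> <target>   when the target does not exist
# Prints nothing when every link is owned by the owner of its target.
audit_cross_owner_symlinks() {
  root=$1
  find "$root" -type l -print | while IFS= read -r link; do
    link_uid=$(stat -c %u "$link")          # lstat: owner of the link itself
    if ! target_uid=$(stat -L -c %u "$link" 2>/dev/null); then
      echo "DANGLING $link -> $(readlink "$link")"
      continue
    fi
    if [ "$link_uid" != "$target_uid" ]; then
      echo "CROSS-OWNER $link -> $(readlink "$link") (link uid $link_uid, target uid $target_uid)"
    fi
  done
}

# Cron-friendly wrapper: prints the findings and exits 1 if there are any, 0 when clean.
audit_docroot() {
  findings=$(audit_cross_owner_symlinks "$1")
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Usage (assumed cPanel-style layout): one call per account, e.g.
#   for d in /home/*/public_html; do audit_docroot "$d"; done
# When a single path is given on the command line, audit just that path.
case "${1:-}" in
  "") ;;
  *) audit_docroot "$1" ;;
esac
```

The link's own owner is read with a plain stat (lstat) and the target's owner with stat -L; a mismatch is reported, and a target that no longer exists is reported separately so the output distinguishes stale links from cross-owner ones.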

Note that this patchset includes only the symlink protection and does not include the security fixes (those are available to KernelCare customers). You will still need to update the kernel and REBOOT each time a new CentOS kernel is released to keep your kernel secure.

We recommend the installation of this patchset on CentOS 6 and CentOS 7 to make your servers more secure.

How to install the free symlink protection patchset:

Below we provide instructions on how to install KernelCare and run this patchset for free. Though this symlink protection patchset is part of KernelCare, it does not require you to purchase a license or even to register for the KernelCare free trial (if you choose to purchase a license at a later date, information on how to upgrade will be published in the documentation soon).

To enable the symlink protection, perform the following steps:

First, install the KernelCare client:

curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash

Then select the free patch type, which does not require a license:

kcarectl --set-patch-type free --update

The ‘free’ patch will be applied on the next update.

During the installation, you should see something similar to:

OS: CentOS6
kernel: kernel-2.6.32-696.el6
time: 2017-06-22 16:13:40
uname: 2.6.32-642.15.1.el6

kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection // If you see this patch, it mean that you can enable symlink protection.
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/

kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/


Edit the file /etc/sysconfig/kcare/sysctl.conf and add the lines:

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48


Then apply them to the running kernel:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=48

Note: fs.symlinkown_gid must be the GID your web server runs under. On a standard RPM Apache installation, Apache usually runs under GID 48. On cPanel servers, Apache runs as user nobody, GID 99, so use 99 there.

Comments (102)

by Guest - Youssef B. / Wednesday, 04 October 2017 23:44

Thank you,
But it doesn't work for me.

..
Running Transaction
Installing : kernelcare-2.13-1.x86_64 1/1
Requesting trial license for 89.x.x.x, please wait...
HTTP Error 403: Forbidden, Retrying in 3 seconds...
Requesting trial license for 89.x.x.x, please wait...
HTTP Error 403: Forbidden, Retrying in 6 seconds...
Verifying : kernelcare-2.13-1.x86_64 1/1

Installed:
kernelcare.x86_64 0:2.13-1

Complete!
[[email protected] src]# kcarectll --set-patch-type free
-bash: kcarectll: command not found

by Igor Seletskiy / Thursday, 05 October 2017 00:49

sorry, it should have been:
kcarectl --set-patch-type free

by Guest - Micheal / Thursday, 05 October 2017 21:32

Thank you for this support.

Are patches disabled in kernel updates we made manually?

by Igor Seletskiy / Thursday, 05 October 2017 21:35

I am sorry, I don't know what you mean.

by Guest - Aneesh / Friday, 06 October 2017 14:05

Should we install this on CloudLinux ? When I tried to install it says

'free' patch type is unavailable for current kernel

by Igor Seletskiy / Friday, 06 October 2017 14:18

CloudLinux kernel has it built in out of the box / it is not needed on CloudLinux servers.

by Guest - Nik / Friday, 06 October 2017 14:23

If we use CloudLinux OS, is this already enabled? or we have to enable it as CentOS?

If we use CloudLinux OS, is this already enabled? or we have to enable it as CentOS?
by Igor Seletskiy / Friday, 06 October 2017 14:26

CloudLinux kernel has it built in out of the box / it is not needed on CloudLinux servers.

by Guest - Nik / Friday, 06 October 2017 14:38

Something is not working properly (using latest cpanel on CentOS 7)

[[email protected] ~]# nano /etc/sysconfig/kcare/sysctl.conf (file did not exist)
[[email protected] ~]# sysctl -w fs.enforce_symlinksifowner=1
sysctl: cannot stat /proc/sys/fs/enforce_symlinksifowner: No such file or directory

Also, I didn't get any message as per your "During the installation, you should see something similar to"

by Igor Seletskiy / Friday, 06 October 2017 14:48

please, provide output of: kcarectl --info
and
uname -r

by Guest - Nik / Friday, 06 October 2017 14:50

[[email protected] ~]# kcarectl --info
Update available, run 'kcarectl --update'.
kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-693.2.2.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) #1 SMP Tue Sep 12 22:26:13 UTC 2017
kpatch-build-time: Fri Sep 15 08:40:24 2017
kpatch-description: 3-;3.10.0-693.2.2.el7

[[email protected] ~]# uname -r
3.10.0-693.2.2.el7.x86_64

by Igor Seletskiy / Friday, 06 October 2017 15:27

you are running 'default' patchset, probably because of the trial license.

Make sure you switch to free patchset by running:
kcarectl --set-patch-type free

Or you can do extra (includes kernel security patches):
kcarectl --set-patch-type extra
Yet, that will expire as the trial runs out.

by Guest - Nik / Friday, 06 October 2017 15:58

[[email protected] ~]# kcarectl --set-patch-type free
'free' patch type selected

[[email protected] ~]# kcarectl --info
kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-693.2.2.el7.x86_64 ([email protected] .org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) #1 SMP Tue Sep 12 2 2:26:13 UTC 2017
kpatch-build-time: Fri Sep 15 09:06:46 2017
kpatch-description: 3-free;3.10.0-693.2.2.el7

[[email protected] ~]# uname -r
3.10.0-693.2.2.el7.x86_64

by Guest - Guest / Friday, 06 October 2017 18:50

Igor, I have followed your instructions but in cPanel (v66.0.24) security advisor I receive the following alert -

Kernel symlink protection is not enabled for CentOS 6. You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protect beyond those solutions employed in userland. Please review the following documentation to learn how to apply this protection.

How can I resolve this issue?

Output of kcarectl --info
Unknown kernel (CentOS 2.6.32-696.13.2.el6.x86_64), no patches available

Output of uname -r
2.6.32-696.13.2.el6.x86_64

by Irina Semenova / Tuesday, 10 October 2017 12:58

Hello! Sorry for the inconvenience!
We have added an update for CentOS 2.6.32-696.13.2.el6.x86_64, so you can check the patch now.

by Guest - Zarren / Friday, 06 October 2017 18:58


Hello

Will patch be corrupted if I do kernel update?

by Irina Semenova / Tuesday, 10 October 2017 12:45

Hi
Your patch will not be corrupted.

by Guest - Lord55 / Friday, 06 October 2017 19:26

[[email protected] ~]# kcarectl --set-patch-type free
Unknown Kernel (CentOS 2.6.32-696.13.2.el6.x86_64)

[[email protected] ~]# kcarectl --info
Unknown kernel (CentOS 2.6.32-696.13.2.el6.x86_64), no patches available

by Irina Semenova / Tuesday, 10 October 2017 12:42

Sorry, we added an update for this patch yesterday. So you can check for the update now.

by Guest - Guest / Friday, 06 October 2017 20:20

Did the instructions for installing this change?

I thought the original instructions had

fs.protected_symlinks_create=1
fs.protected_hardlinks_create=1


in the /etc/sysconfig/kcare/sysctl.conf file.

You may want to make a note if the instructions changed.
