KernelCare Blog

The Symlink Protection patchset is available for free for CentOS 6 & 7, even if you are not running KernelCare

A few weeks ago we released the KernelCare "Extra" Patchset, which bundles the security fixes and the symlink protection, for all KernelCare customers running CentOS kernels. Today we are pleased to share that you can get the Symlink Protection Patchset for CentOS 6 and 7 at no cost, even if you do not have a KernelCare license.

We have been discussing with the cPanel team how to help harden their customers' kernels. This Symlink Protection Patchset protects CentOS 6 and 7 systems and helps defend shared hosting servers, cPanel servers included, against symlink attacks.

A symlink race attack is frequently used against shared hosting servers. The web server runs as a single system account (apache on a stock RPM install, nobody on cPanel) that can read every customer's files, so a malicious customer only has to create, inside their own document root, a symbolic link pointing at another customer's file and then request it through the web server, which follows the link and serves the other customer's content. The usual target is a config.php holding database credentials. With this patchset, once fs.enforce_symlinksifowner is set to 1 the kernel refuses to let a process running under the configured web server group (fs.symlinkown_gid) follow a symlink whose owner differs from the owner of the file it points to, which stops the attack at the moment the link is resolved.

Note that this patchset includes only the symlink protection and not the security fixes (those remain available to KernelCare customers): you still need to update the kernel and REBOOT each time a new CentOS kernel is released to keep your kernel secure.

We recommend installing this patchset on CentOS 6 and CentOS 7 servers to make them more secure.

How to install the free symlink protection patchset:

Below we provide instructions on how to install KernelCare and apply this patchset for free. Although the symlink protection patchset is part of KernelCare, it does not require you to purchase a license or even register for the KernelCare free trial (if you choose to purchase a license at a later date, information on how to upgrade will be published in the documentation soon).

To enable the symlink protection, perform the following steps:

First, install the KernelCare client (the installer runs as root, so fetch and review the script before piping it to bash if your change policy requires it):

curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash

Enable the free patch type; this patch type does not require a license:

kcarectl --set-patch-type free --update

With --update the 'free' patch set is downloaded and applied immediately; without it, the new patch type takes effect on the next update.

. . .

Once the patch is applied, the patch information reported by kcarectl should include entries similar to:


OS: CentOS6
kernel: kernel-2.6.32-696.el6
time: 2017-06-22 16:13:40
uname: 2.6.32-642.15.1.el6

kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection // If you see this patch, it mean that you can enable symlink protection.
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/

kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/


Edit the file /etc/sysconfig/kcare/sysctl.conf (create it if it does not exist yet) and add the lines:

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48


Then apply the settings to the running kernel without waiting for a reboot:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=48

Note: on a standard RPM Apache installation, Apache usually runs under GID 48 (group apache). On cPanel servers, Apache runs as user nobody, GID 99, so use fs.symlinkown_gid = 99 in both places above. Check which user your web server actually runs as before choosing the value: if the GID is wrong, the protection silently applies to nobody.
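The following script is an added example and is not part of the KernelCare post or the KernelCare client. It wraps the steps above (derive the web server GID from the real account instead of hard-coding 48 or 99, write the two sysctl lines, apply and verify them) and adds an audit for the attack described earlier: it lists symlinks under a directory whose owner differs from the owner of their target, which are exactly the links the kernel policy refuses to follow. The paths /etc/sysconfig/kcare/sysctl.conf and /proc/sys/fs/* come from the post; the WEB_USER variable, the function names and the GNU coreutils `stat -c` syntax (standard on CentOS) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the KernelCare post. Helpers for the symlink
# protection patchset: pick fs.symlinkown_gid from the web server's real
# account, render the sysctl fragment, verify the live kernel values, and
# audit a docroot for cross-owner symlinks. Assumes GNU coreutils (stat -c).

# Numeric primary GID of a user; falls back to the supplied default when the
# user does not exist on this host (so the helper also works on a test box).
web_gid() {
    gid=$(id -g "$1" 2>/dev/null || true)
    if [ -n "$gid" ]; then echo "$gid"; else echo "$2"; fi
}

# Render the two lines the post asks you to put in
# /etc/sysconfig/kcare/sysctl.conf.
render_symlink_sysctl() {
    printf 'fs.enforce_symlinksifowner = 1\nfs.symlinkown_gid = %s\n' "$1"
}

# Return 0 only if the patched kernel exposes both knobs with the expected
# values. On an unpatched kernel the /proc entries are simply absent, which
# is the quickest way to tell that the patch is not in effect.
symlink_protection_active() {
    [ -r /proc/sys/fs/enforce_symlinksifowner ] || return 1
    [ "$(cat /proc/sys/fs/enforce_symlinksifowner)" = 1 ] || return 1
    [ "$(cat /proc/sys/fs/symlinkown_gid)" = "$1" ]
}

# List symlinks under DIR whose owner differs from the owner of the file they
# point to: the links fs.enforce_symlinksifowner stops the web server group
# from following. Dangling links are skipped. Useful both before enabling the
# patch (to see who is already abusing symlinks) and as a recurring check.
cross_owner_symlinks() {
    find "$1" -type l 2>/dev/null | while IFS= read -r link; do
        if [ -e "$link" ]; then
            link_uid=$(stat -c %u "$link")
            target_uid=$(stat -L -c %u "$link")
            if [ "$link_uid" != "$target_uid" ]; then
                printf '%s -> %s\n' "$link" "$(readlink "$link")"
            fi
        fi
    done
}

# Number of cross-owner symlinks under DIR, convenient for a monitoring alert.
cross_owner_symlink_count() {
    cross_owner_symlinks "$1" | wc -l | tr -d ' '
}

# Run as root with --apply to perform the post's steps end to end.
# WEB_USER is an assumption of this example: nobody for cPanel (GID 99),
# apache for a stock RPM Apache (GID 48).
if [ "${1:-}" = "--apply" ]; then
    WEB_USER=${WEB_USER:-nobody}
    GID_VALUE=$(web_gid "$WEB_USER" 99)
    mkdir -p /etc/sysconfig/kcare
    # The post dedicates this file to these two lines; merge by hand if you
    # keep other settings in it.
    render_symlink_sysctl "$GID_VALUE" > /etc/sysconfig/kcare/sysctl.conf
    sysctl -w fs.enforce_symlinksifowner=1 fs.symlinkown_gid="$GID_VALUE"
    if symlink_protection_active "$GID_VALUE"; then
        echo "symlink protection active for gid $GID_VALUE"
    else
        echo "symlink protection NOT active: is the free patch applied?" >&2
        exit 1
    fi
    echo "cross-owner symlinks under /home: $(cross_owner_symlink_count /home)"
fi
```

Without --apply the script only defines the functions, so it can be sourced from a cron job or a monitoring check; `cross_owner_symlink_count /home` on a shared host should stay at zero once customers' existing abuse has been cleaned up, and a sudden rise is worth investigating even with the kernel patch in place, because the same links can still be followed by processes outside the web server group.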

Topic: KernelCare Blog, Tags: #cPanel


Comments (98)

 
by Irina Semenova / Tuesday, 10 October 2017 12:33

Yes, we have changed the instructions for this patchset.

by Guest - jamaludin / Saturday, 07 October 2017 02:44

Hi, I have some questions:
1. Is it compatible with this existing kernel server from cPanel? https://documentation.cpanel.net/display/CKB/How+to+Harden+Your+cPanel+System's+Kernel
[[email protected]]# uname -a
Linux ~server.com 2.6.32-696.299.10.3.cp6.x86_64 #1 SMP Thu Sep 28 21:04:26 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

2. Is it compatible for VPS virtuozzo or only VPS KVM / Server?

Waiting for your info.

by Irina Semenova / Tuesday, 10 October 2017 12:52

1. No, we do not support these kernels. This kernel is deprecated (as you can find here https://documentation.cpanel.net/display/CKB/How+to+Harden+Your+cPanel+System's+Kernel)

2. It is compatible only with virtual machines or server. It is not compatible with containers.

by Guest - Guest / Thursday, 12 October 2017 15:59

Wow, so the instructions changed yet again?

I'm just going to wait a couple of months, perhaps by then all of the details will be ironed out.

by Irina Semenova / Thursday, 12 October 2017 19:11

I apologize for the inconvenience!
We have eliminated errors and implemented changes. Now you can confidently use these instructions to get the patches.

by Guest - Guest / Thursday, 12 October 2017 22:28

Well, I can understand that instructions can change. But how are people supposed to know to update their setups if they've already installed this and then never went back to this page?

by Irina Semenova / Monday, 16 October 2017 09:23

Thank you for your reply!

We will create a post about changes next time ;)

by Guest - mustafa / Friday, 13 October 2017 00:35

Hello

Is a kernel update first and a cPanel install later required,

or

a cPanel install first and a kernel update later?

Thanks

by Irina Semenova / Monday, 16 October 2017 09:21

Hello!

You can do the kernel update first, because if you installed cPanel first, cPanel would ask for an update.
For more information you can look at the cPanel documentation.

by Guest - mustafa / Saturday, 14 October 2017 22:38

Hello

I installed a fresh CentOS 6.9 and tried:

[[email protected]]# kcarectl --set-patch-type free --update
'free' patch type selected
Downloading updates
Patch Level 208 applied, effective kernel version 2.6.32-696.13.2.el6
Updates already downloaded
Kernel is safe


[[email protected]]# nano /etc/sysconfig/kcare/sysctl.conf
NOT FOUND

Any problem?

by Irina Semenova / Monday, 16 October 2017 09:19

Hello!

Could you, please, create a support ticket? We would need the output of the following command (run it as root on the server):
kcarectl --doctor

We will help you shortly!

by Guest - sg / Wednesday, 18 October 2017 22:23

same issue here

by Guest - Kailash / Tuesday, 17 October 2017 12:31

If I am using cPanel with Apache, do I need to use the following line:

fs.symlinkown_gid=99

"99" instead of "48"?

Thanks,
Kailash

by Irina Semenova / Thursday, 19 October 2017 13:27

Hello!

Yes, you need to use it.

Regards,
Irina

by Guest - Rodrigo / Thursday, 19 October 2017 19:01

Same issue here²

I created the file manually, is this a problem?

by Irina Semenova / Monday, 23 October 2017 10:16

Hello, Rodrigo!

Yes, this is a solution.

by Guest - sg / Wednesday, 18 October 2017 22:21

/etc/sysconfig/kcare/sysctl.conf file does not exist

by Irina Semenova / Monday, 23 October 2017 10:16

Hello!

In case of such a problem, you can create that file manually.

by Guest - Esteban / Friday, 20 October 2017 02:39

HI!

1) Thanks.
2) Is this going to be available in further cPanel/WHM CentOS kernel updates?

by Irina Semenova / Monday, 23 October 2017 11:45

2) It will not be compatible with containers... KC applies this patch to the kernel. A container cannot do anything with the kernel.
