CloudLinux - CloudLinux Blog - The Symlink Protection patchset is available for free for CentOS 6 & 7, even if you are not running KernelCare
KernelCare Blog

The Symlink Protection patchset is available for free for CentOS 6 & 7, even if you are not running KernelCare

A few weeks ago we released the KernelCare "Extra" Patchset, which makes the security fixes and the symlink protection available to all KernelCare customers running CentOS kernels. Today we are pleased to share that you can get the Symlink Protection Patchset for CentOS 6 and 7 at no cost, even if you don’t have KernelCare licenses.

We’ve been discussing with the cPanel team how to help harden their customers' system kernels. This Symlink Protection Patchset will protect CentOS 6 and 7 systems and will help defend shared hosting servers, including cPanel servers, against symlink attacks.

A symlink race attack is frequently used against shared hosting servers. It allows a malicious user to serve files that belong to other users by creating a symbolic link to those files. It is often used to access config.php files that belong to others. This patchset helps protect against such attacks.

Note that this patchset includes only the symlink protection and does not include the security fixes (those are available to KernelCare customers). You will still need to update the kernel and REBOOT each time a new CentOS kernel is released to keep your kernel secure.

We recommend the installation of this patchset on CentOS 6 and CentOS 7 to make your servers more secure.

How to install the free symlink protection patchset:

Below we provide instructions on how to install KernelCare and run this patchset for free. Though this symlink protection patchset is part of KernelCare, it does not require you to purchase a license or even register for the KernelCare free trial (if you choose to purchase a license at a later date, information on how to upgrade will be published in the documentation soon).

To enable the symlink protection, perform the following steps:

First, install KernelCare client:

curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash

Enable the free patch type (this patch type doesn't require a license):

kcarectl --set-patch-type free --update

The ‘free’ patch will be applied on the next update.

. . .

During the installation, you should see something similar to:


OS: CentOS6
kernel: kernel-2.6.32-696.el6
time: 2017-06-22 16:13:40
uname: 2.6.32-642.15.1.el6

kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection // If you see this patch, it means that you can enable symlink protection.
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/

kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/


Edit the file /etc/sysconfig/kcare/sysctl.conf (or create it if it doesn't exist) - add the lines:

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48


Execute:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=48

Note: On a standard RPM Apache installation, Apache usually runs under GID 48. On cPanel servers, Apache runs under user nobody, GID 99.
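
One way to confirm that the steps above took effect, as an added example (not CloudLinux or KernelCare code): the script checks that both sysctl entries exist, that their live values match the intended web server GID, and that /etc/sysconfig/kcare/sysctl.conf carries the same values. The function names and status words are made up for this example, and it assumes the keys appear under /proc/sys/fs as sysctl keys normally do and are absent on an unpatched kernel.

```shell
#!/bin/sh
# Added example: confirm the symlink-protection sysctls are live and persisted.
# SYSROOT lets the check run against a constructed tree; use "" on a real host.

# conf_value FILE KEY: print the value assigned to KEY in FILE (last one wins).
conf_value() {
    [ -r "$1" ] || return 1
    awk -F= -v k="$2" '{ key = $1; val = $2
        gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        if (key == k) v = val }
        END { if (v != "") print v }' "$1"
}

# check_symlink_protection SYSROOT CONF EXPECTED_GID
# Prints one status word (made up for this example); returns 0 only for OK.
check_symlink_protection() {
    live="$1/proc/sys/fs" conf=$2 want_gid=$3
    # Assumption: an unpatched CentOS kernel has no such sysctl entries.
    if [ ! -r "$live/enforce_symlinksifowner" ] || [ ! -r "$live/symlinkown_gid" ]; then
        echo "NOT_PATCHED"; return 1
    fi
    enforce=$(cat "$live/enforce_symlinksifowner")
    gid=$(cat "$live/symlinkown_gid")
    [ "$enforce" = "1" ] || { echo "NOT_ENFORCING"; return 2; }
    # 48 for stock RPM Apache, 99 on cPanel (per the note above).
    [ "$gid" = "$want_gid" ] || { echo "WRONG_GID"; return 3; }
    # sysctl -w alone does not survive a reboot; the kcare file must agree.
    if [ "$(conf_value "$conf" fs.enforce_symlinksifowner)" != "1" ] ||
       [ "$(conf_value "$conf" fs.symlinkown_gid)" != "$want_gid" ]; then
        echo "NOT_PERSISTED"; return 4
    fi
    echo "OK"
}

# Run against the real system only when a GID is given, e.g.: sh check.sh 99
if [ "$#" -ge 1 ]; then
    check_symlink_protection "" /etc/sysconfig/kcare/sysctl.conf "$1"
fi
```

A WRONG_GID result on a cPanel server usually means the value 48 from the generic instructions was used instead of 99.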

Comments 95

Guest - Alex on Monday, 30 October 2017 19:55

Hello,

I just installed the patch on a cloud server running "CENTOS 7.4 kvm" " WHM: v66.0.29".
I rebooted the server multiple times and I still see the message "You must reboot the server to apply kernel updates." on WHM.

Guest - Mehmood Ahmed on Sunday, 12 November 2017 08:41

In CENTOS 7.4 kvm v68.0.12

uname -r
3.10.0-693.5.2.el7.x86_64

kcarectl --info

kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-693.5.2.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) #1 SMP Fri Oct 20 20:32:50 UTC 2017
kpatch-build-time: Tue Oct 24 22:49:09 2017
kpatch-description: 2-free;3.10.0-693.5.2.el7

But in security advisor it's showing

No symlink protection detected

You do not appear to have any symlink protection enabled on this server. You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.

May I ignore that warning? Please help.

Igor Seletskiy on Wednesday, 15 November 2017 15:27

Security advisor doesn't know yet how to detect it. cPanel is working on it. You can ignore the warning.

Guest - Damjan on Monday, 13 November 2017 15:16

Will this work for OpenVZ containers if installed on host node?

Igor Seletskiy on Wednesday, 15 November 2017 15:26
Guest - Faheem on Wednesday, 15 November 2017 14:06

There is no sysctl.conf file in /etc/sysconfig/kcare/
I'm using KernelCare with license

Guest - s on Wednesday, 15 November 2017 15:03

Just create it manually and add the required text.

We've done this on one server but didn't do the others, as there's nothing to say it's actually working until cPanel stops saying in Security Advisor that there is no symlink protection. I know CloudLinux are in discussions with them about this.

Guest - Fabian Marsiglione on Wednesday, 15 November 2017 15:13

Hello Igor,

Is this necessary for all CL installations?
On my servers, without doing this, I get this in the Security Advisor from WHM:

"Apache Symlink Protection: CloudLinux protections are in effect.
You appear to have sufficient protections from Apache Symlink Attacks. If you have not already, consider increasing protection with CageFS. For further information on symlink attack protection see our suggestions on it."

AND THIS :

"Apache Symlink Protection: Cloudlinux CageFS protections are in effect
You are running CageFS. This provides filesystem level protections for your users and server."

AND FINALLY THIS : (ALL IN GREEN)

"The system kernel is up-to-date at version “2.6.32-673.26.1.lve1.4.30.el6.x86_64”."

Is it OK, or is it better to apply this patch too?
Regards
Fabian

Igor Seletskiy on Wednesday, 15 November 2017 15:25

You don't need it on CloudLinux servers (CloudLinux has it built in). It is for CentOS servers only.

Guest - has on Wednesday, 15 November 2017 15:23

Hi
Can I install and use it with DirectAdmin on CentOS 7?
How do I uninstall it if needed?
Thanks

Igor Seletskiy on Wednesday, 15 November 2017 15:26

Yes, you can.
yum remove kernelcare

will uninstall it

Guest - has on Friday, 12 January 2018 18:36

Also, if I try to uninstall, I have to run an extra command to undo the:

Execute:
sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=48

Guest - Flavio on Wednesday, 15 November 2017 22:51

Hello,

I have a VPS with CENTOS 7.4 and cPanel 68.0.13 installed.

I want to install the Apache mod_http2 along with mod_mpm_event, but I can't because mod_http2 is not compatible with mod_mpm_prefork and mod_ruid2 with the "Jail Apache Virtual Hosts using mod_ruid2 and cPanel jailshell" tweak setting enabled.

I have a doubt. Before installing the free Symlink Protection patch, do I have to uninstall the Apache mod_ruid2 and disable the tweak setting, or is it not necessary? Can I do that after installing the patch?

Thanks in advance

Guest - Irina on Thursday, 16 November 2017 13:51

Hello!

Free symlink protection (kernel level) does not interfere with mod_ruid2 (apache level). So you should not need to disable the patch.

Regards,

Guest - Flavio on Thursday, 16 November 2017 22:07

Hello Irina,

I have tried to install the patch. This is the output after I launched "curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash"

Installing : kernelcare-2.13-2.x86_64 1/1
pyOpenSSL module is not found. To be able to validate SSL certificates of hosts with SNI support please, install pyOpenSSL >= 0.13
Requesting trial license for 95.141.33.79, please wait...
HTTP Error 403: Forbidden, Retrying in 3 seconds...
Requesting trial license for 95.141.33.79, please wait...
HTTP Error 403: Forbidden, Retrying in 6 seconds...
!!!! /etc/yum/universal-hooks/posttrans/cp_clear_packman_cache is not executable
Verifying : kernelcare-2.13-2.x86_64 1/1

Installed:
kernelcare.x86_64 0:2.13-2

But when I launch the command "kcarectl --set-patch-type free --update" I get this

'free' patch type is unavailable for current kernel

My kernel version is 3.10.0-693.2.2.el7.centos.plus.x86_64

What should I do?

Guest - Irina on Friday, 17 November 2017 11:55

Hi!

You are using CentOS Plus kernel, we support only CentOS 6/7 for the Free/Extra patchset.

Guest - Mustafa on Tuesday, 12 December 2017 22:15

Hello

For Cpanel + Litespeed web server

fs.symlinkown_gid=48
Or
fs.symlinkown_gid=48

Required?

Guest - Mustafa on Tuesday, 12 December 2017 22:15

Or
fs.symlinkown_gid=99
?

Igor Seletskiy on Wednesday, 13 December 2017 01:29

For cPanel, you need fs.symlinkown_gid=99

Guest - has on Tuesday, 12 December 2017 23:03

Is there a way to do a live test to find out whether your patch is on or not?
I mean from SSH or from a user host account?
Regards
