CloudLinux - CloudLinux Blog - The Symlink Protection patchset is available for free for CentOS 6 & 7, even if you are not running KernelCare
The Symlink Protection patchset is available for free for CentOS 6 & 7, even if you are not running KernelCare

A few weeks ago we released the KernelCare "Extra" Patchset, which made the security fixes and the symlink protection available to all KernelCare customers running CentOS kernels. Today we are pleased to share that you can get the Symlink Protection Patchset for CentOS 6 and 7 at no cost, even if you do not have a KernelCare license.

We have been discussing with the cPanel team how to help harden their customers' kernels. This Symlink Protection Patchset protects CentOS 6 and 7 systems and helps defend shared hosting servers, including cPanel servers, against symlink attacks.

A symlink race attack is a common attack on shared hosting servers. All customers' sites are served by one web server running as a single user (on cPanel, Apache running as nobody), and that user can typically read every customer's files. A malicious user creates, inside their own web root, a symbolic link pointing at another customer's file, most often a config.php holding database credentials, and then requests it over HTTP; the web server follows the link and serves the victim's file. Userland mitigations such as Apache's SymlinksIfOwnerMatch check the link owner and then open the target in two separate steps, so an attacker who swaps a harmless link for the malicious one between the two steps wins the race. This patchset moves the owner check into the kernel's path resolution, where it cannot be raced: with fs.enforce_symlinksifowner set to 1, a process running under the group given by fs.symlinkown_gid can follow a symlink only when the link and its target have the same owner.

Note that this patchset includes only the symlink protection; it does not include the security fixes, which remain available to KernelCare customers. You will still need to install each new CentOS kernel and REBOOT into it to keep your kernel secure.

We recommend installing this patchset on CentOS 6 and CentOS 7 servers to make them more secure.

How to install the free symlink protection patchset:

Below we provide instructions on how to install KernelCare and run this patchset for free. Although the symlink protection patchset is part of KernelCare, it does not require you to purchase a license or even register for the KernelCare free trial (if you choose to purchase a license later, instructions on how to upgrade will be published in the documentation soon).

To enable the symlink protection, perform the following steps:

First, install the KernelCare client. The installer is a shell script fetched over HTTPS and piped straight into bash; download and review it before running it if your change policy requires that:

curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash

Enable the free patch type, which does not require a license:

kcarectl --set-patch-type free --update

The 'free' patch type persists in the KernelCare configuration and is used for this and every subsequent update.

During the installation, you should see output similar to:


OS: CentOS6
kernel: kernel-2.6.32-696.el6
time: 2017-06-22 16:13:40
uname: 2.6.32-642.15.1.el6

kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection // If you see this patch, it mean that you can enable symlink protection.
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/

kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/


Edit the file /etc/sysconfig/kcare/sysctl.conf (create it if it does not exist) and add the lines below. Use this file rather than /etc/sysctl.conf: the two knobs only exist once the KernelCare patch has been loaded, which happens after the boot-time sysctl settings are applied, so values placed in /etc/sysctl.conf alone are lost on every reboot. KernelCare re-applies the settings from its own sysctl.conf after each patch load.

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48


Execute:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=48

Note: on a standard RPM Apache installation, Apache usually runs under GID 48 (group apache). On cPanel servers, Apache runs as user nobody, GID 99, so use fs.symlinkown_gid = 99 in both the sysctl.conf file and the sysctl commands above. Verify the GID your httpd worker processes actually run under before setting fs.symlinkown_gid: the owner check is applied only to processes in that group, so a wrong GID means no request is protected at all.
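The following audit script is an added example, not code from the CloudLinux post or from KernelCare. It checks whether the protection configured in the steps above is actually in force on a host: that the knobs exist (the patch is loaded), that enforcement is on, and that fs.symlinkown_gid matches the GID the httpd workers really run under. It assumes the knobs are exposed under /proc/sys/fs with the names used in the post and that the web server's processes are named httpd. The symlink_follow_allowed function is a simplified model of the rule the two knobs implement (owner match checked only for processes in fs.symlinkown_gid), included to show why a wrong GID leaves every request unprotected; it is not the kernel code.

```shell
#!/usr/bin/env bash
# Added audit script (not part of the CloudLinux post or of KernelCare).
# Assumptions: the two knobs are exposed under /proc/sys/fs exactly as the
# post names them, and the web server's worker processes are called httpd.

# Simplified model of the kernel rule the two knobs implement: the owner-match
# check is applied only to processes whose GID equals fs.symlinkown_gid.
# Arguments: enforce own_gid proc_gid link_owner_uid target_owner_uid
# Returns 0 when following the link is allowed, 1 when it is denied.
symlink_follow_allowed() {
    local enforce="$1" own_gid="$2" proc_gid="$3" link_uid="$4" target_uid="$5"
    [ "$enforce" = "1" ] || return 0            # protection off: always follow
    [ "$proc_gid" = "$own_gid" ] || return 0    # process not in the checked group
    [ "$link_uid" = "$target_uid" ]             # follow only when owners match
}

# Read a sysctl knob through /proc so that a missing knob yields an empty
# string instead of the "cannot stat" error seen before the patch is applied.
read_knob() {
    local path
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    fi
}

# From "gid comm" lines (as printed by: ps -o gid=,comm= -C httpd) pick the
# GID of the first non-root process, i.e. a worker rather than the root parent.
httpd_worker_gid() {
    awk '$1 != 0 { print $1; exit }'
}

# Combine the knob values with the GID httpd really runs under.
# Arguments: enforce own_gid httpd_gid. Prints a verdict; returns 0 only for OK.
symlink_protection_verdict() {
    local enforce="$1" own_gid="$2" httpd_gid="$3"
    if [ -z "$enforce" ]; then
        echo "MISSING: fs.enforce_symlinksifowner is absent, the free kpatch is not loaded"
        return 1
    fi
    if [ "$enforce" != "1" ]; then
        echo "DISABLED: fs.enforce_symlinksifowner=$enforce"
        return 1
    fi
    if [ "$own_gid" != "$httpd_gid" ]; then
        echo "MISCONFIGURED: fs.symlinkown_gid=$own_gid but httpd runs as GID $httpd_gid, nothing is protected"
        return 1
    fi
    echo "OK: symlink protection enforced for httpd GID $httpd_gid"
}

# Live audit of this host: read the knobs and the GID of a running httpd worker.
main() {
    local httpd_gid
    httpd_gid=$(ps -o gid=,comm= -C httpd 2>/dev/null | httpd_worker_gid)
    symlink_protection_verdict "$(read_knob fs.enforce_symlinksifowner)" \
                               "$(read_knob fs.symlinkown_gid)" \
                               "${httpd_gid:-unknown}"
}

main "$@"
```

Run it as root after completing the steps above, with Apache running. The exit status is non-zero for every verdict other than OK, so the script can be wired into a cron job or a configuration-management check. The MISSING verdict is the condition behind the "cannot stat /proc/sys/fs/enforce_symlinksifowner" error: the knobs do not exist until the free patch has been applied to the running kernel.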

Comments (95)

Although I inserted the two lines:

fs.enforce_symlinksifowner=1
fs.symlinkown_gid=99


in "/etc/sysctl.conf" (the file "/etc/sysconfig/kcare/sysctl.conf" does not exist), I have to run again the commands:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99


after every server reboot, because I get this message:

Kernel symlink protection is not enabled for CentOS 6.
You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protect beyond those solutions employed in userland. Please review the following documentation to learn how to apply this protection.


I also get the message:

The system kernel is at version “”, but is set to boot to version “2.6.32-696.20.1.el6.x86_64”.
You must take one of the following actions to ensure the system is up-to-date:
Wait a few days for KernelCare to publish a kernel patch.
Reboot the system.


Any ideas how to fix that?

Please submit a ticket at https://cloudlinux.zendesk.com (KernelCare department) so our support team can help you with the issue.

Once I follow these instructions on stock CentOS 7 / cPanel, I get

[ 51.516022] kcare: loading out-of-tree module taints kernel.
[ 51.516083] kcare: module verification failed: signature and/or required key missing - tainting kernel

other than that it claims to have been successful

[ 55.296569] kpatch: successfully applied 70 hunks to 'vmlinux'

So is this safe to use?

I submitted a ticket too ..

You can safely ignore those messages; KernelCare is working properly.

I installed this patch on my VPS running Plesk and this error appears

[[email protected] ~]# kcarectl --set-patch-type free --update
'free' patch type is unavailable for current kernel
[[email protected] ~]# uname -a
Linux vpsXXXXXX.vps.ovh.ca 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[[email protected] ~]# kcarectl --info
No patches applied, but some are available, run 'kcarectl --update'.
[[email protected] ~]# kcarectl --update
Downloading updates
The IP 139.99.XXX.YYY was already used for trialing on 2018-02-05

Hello! Please note that there are no patches for 3.10.0-693.21.1.el7.x86_64.
The ETA is tomorrow.

I would like to make sure: does it work without a control panel such as cPanel or DirectAdmin? Just a linux server with only Apache httpd?

Just a CentOS server; nothing more is required.

Not working on CentOS 6 (64-bit)

[email protected][~]# uname -a
Linux server.mydomain.com 2.6.32-696.28.1.el6.x86_64 #1 SMP Wed May 9 23:09:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

[email protected] [~]# kcarectl --set-patch-type free --update
Unknown Kernel (CentOS 2.6.32-696.28.1.el6.x86_64)

It usually takes a few days for a fresh kernel to become supported by KernelCare.

kcarectl --info
Unknown kernel (CentOS 2.6.32-754.el6.x86_64), no patches available

This is what I'm getting.

Hi Nagib,

We have added support for this kernel recently.

[email protected] ~]# kcarectl --set-patch-type free --update
'free' patch type is unavailable for current kernel
[[email protected] ~]#


Kernel 3.10.0-862.6.3.el7.x86_64

Error on CentOS 7 x64:

[[email protected] ~]# kcarectl --set-patch-type free --update
'free' patch type is unavailable for current kernel

Hello,

I have RHEL 7

[[email protected] ~]# kcarectl --set-patch-type free --update
'free' patch type is unavailable for current kernel

kernel 3.10.0-862.9.1.el7.x86_64

[[email protected] kcare]# kcarectl --info
kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-862.9.1.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Wed Jun 27 04:30:39 EDT 2018
kpatch-build-time: Tue Jul 17 22:40:29 2018
kpatch-description: 2-;3.10.0-862.9.1.el7

I would like to know: is the free patch installed, or the trial Extra patch from KernelCare?

Thanks in advance :-)

Hello,

Just one thing:

I have manually created the sysctl.conf file and added this:
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48

I have run
[[email protected] kcare]# sysctl -w fs.enforce_symlinksifowner=1
sysctl: cannot stat /proc/sys/fs/enforce_symlinksifowner:There is no this file

Could you help me?

Best regards,
Elizabeta

Hello,

Thank you Irina for your explanation.

Best regards,
Elizabeta

Hello, this didn't work for me, please see below:

[[email protected] ~]# kcarectl --set-patch-type free
Unknown Kernel (CentOS Linux 3.10.0-862.11.6.el7.x86_64)

[[email protected] ~]# kcarectl --info
Unknown kernel (CentOS Linux 3.10.0-862.11.6.el7.x86_64), no patches available

We are going to release KernelCare patches for 3.10.0-862.11.6.el7.x86_64 tomorrow.

We have one VPS which is virtualized with OpenVZ technology.
We were informed it is supported on KVM only.
If it is true that it is not supported, how can we uninstall what we have installed so far?
