CloudLinux - CloudLinux Blog - The Symlink Protection patchset is available for free for CentOS 6 & 7, even if you are not running KernelCare

The Symlink Protection patchset is available for free for CentOS 6 & 7, even if you are not running KernelCare

A few weeks ago we released the KernelCare "Extra" Patchset with the security fixes and the symlink protection, available to all KernelCare customers running CentOS kernels. Today we are pleased to share that you can get the Symlink Protection Patchset for CentOS 6 and 7 at no cost, even if you don't have a KernelCare license.

We've been discussing with the cPanel team how to help harden their customers' system kernels. This Symlink Protection Patchset protects CentOS 6 and 7 systems and helps defend shared hosting servers, including cPanel servers, against symlink attacks.

A symlink race attack is frequently used against shared hosting servers. It allows a malicious user to have the web server serve files that belong to other users by creating a symbolic link to those files inside their own web space. It is often used to read config.php files (and the database credentials they contain) that belong to others. This patchset helps protect against such attacks by refusing to follow a symlink when its owner does not match the owner of the target, unless the process belongs to the configured web-server group.

Note that this patchset includes only the symlink protection and does not include the security fixes (those are available to KernelCare customers) - you will still need to update the kernel and REBOOT each time a new CentOS kernel is released to keep your kernel secure.

We recommend the installation of this patchset on CentOS 6 and CentOS 7 to make your servers more secure.

How to install the free symlink protection patchset:

Below we provide instructions on how to install KernelCare and run this patchset for free. Though this symlink protection patchset is part of KernelCare, it does not require you to purchase a license or even register for the KernelCare free trial (if you choose to purchase a license at a later date, information on how to upgrade will be published in the documentation soon).

To enable the symlink protection, perform the following steps:

First, install KernelCare client:

curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash

Enable the free patch type, which doesn't require a license:

kcarectl --set-patch-type free --update

The ‘free’ patch will be applied on the next update.


During the installation, you should see something similar to:


OS: CentOS6
kernel: kernel-2.6.32-696.el6
time: 2017-06-22 16:13:40
uname: 2.6.32-642.15.1.el6

kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection // If you see this patch, it mean that you can enable symlink protection.
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/

kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/


Edit the file /etc/sysconfig/kcare/sysctl.conf (or create it if it doesn't exist) and add the following lines, replacing 48 with the GID your web server runs under (see the note below):

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48


Then apply the settings to the running kernel without waiting for a reboot:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=48

Note: On a standard RPM Apache installation, Apache usually runs under GID 48 (group apache). On cPanel servers, Apache runs as user nobody, GID 99. Check with `grep -E '^(apache|nobody):' /etc/group` and use the GID that matches your web server; with the wrong GID the web server itself is treated as an ordinary user and the protection does not apply to it.
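A small verification script for the steps above, added here as an example and not part of the CloudLinux post or the KernelCare client. It assumes the sysctl.conf and /etc/group formats shown above, the group names apache and nobody, and that a patched kernel exposes the two settings under /proc/sys/fs; the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example (not from the CloudLinux post): verify that the symlink
# protection settings match the GID the web server actually runs under
# (99 for nobody on cPanel, 48 for apache on RPM installs).

# Print the numeric GID of a group name from an /etc/group-style file.
group_gid() {            # group_gid <name> <group_file>
    awk -F: -v name="$1" '$1 == name { print $3; exit }' "$2"
}

# Print the value of one fs.* key in a sysctl.conf-style file; the last
# assignment wins, as it does for sysctl -p. Spaces around "=" are allowed.
conf_value() {           # conf_value <key> <conf_file>
    key=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$2" | tail -n1
}

# Return 0 when the file enforces symlink ownership and pins the expected GID.
symlink_conf_ok() {      # symlink_conf_ok <conf_file> <expected_gid>
    [ "$(conf_value fs.enforce_symlinksifowner "$1")" = "1" ] &&
    [ "$(conf_value fs.symlinkown_gid "$1")" = "$2" ]
}

# Live check on a patched host: compare the running values under /proc/sys/fs
# with the GID of the given web-server group. Returns 2 if the kernel does not
# expose the sysctls (patch not applied yet, or an unsupported kernel).
live_check() {           # live_check <web_group> [group_file]
    g=${2:-/etc/group}
    [ -r /proc/sys/fs/enforce_symlinksifowner ] || return 2
    want=$(group_gid "$1" "$g")
    [ "$(cat /proc/sys/fs/enforce_symlinksifowner)" = "1" ] &&
    [ "$(cat /proc/sys/fs/symlinkown_gid)" = "$want" ]
}

# Constructed sample: a cPanel-style /etc/group and the config from the post.
tmp=$(mktemp -d)
printf 'root:x:0:\napache:x:48:\nnobody:x:99:\n' > "$tmp/group"
printf 'fs.enforce_symlinksifowner = 1\nfs.symlinkown_gid = 99\n' > "$tmp/good.conf"
if symlink_conf_ok "$tmp/good.conf" "$(group_gid nobody "$tmp/group")"; then
    echo "good.conf matches the nobody GID $(group_gid nobody "$tmp/group")"
fi
rm -rf "$tmp"
```

Run `live_check nobody` on a cPanel host (or `live_check apache` on a stock RPM install) after the sysctl -w commands; exit status 2 means the kernel has not picked up the patch yet.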


Comments (95)

Only OpenVZ 6 nodes (not containers) are supported by KernelCare.

After following these instructions, I now have this in the sysctl.conf file:

ymlinksifowner = 1
fs.symlinkown_gid = 4
s.enfcrce_symlinksifowner=1
fs.symlinkown_gid=99

Is this correct?

Luke, adding only the following two would be enough:

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99

Hi, after running curl:

[[email protected] proc]# kcarectl --set-patch-type free --update
[Errno 2] No such file or directory: '/proc/modules'
[[email protected] proc]# uname -a
Linux server 4.9.120-xxxx-std-ipv6-64 #327490 SMP Thu Aug 16 10:11:35 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Mau, this kernel is not supported. Only CentOS 6/7 kernels are supported with free patches.

Is AWS Linux supported, as it's very similar to CentOS 6?

Hello,
This kernel is not supported.
Please let us know if you have any questions.
Thanks in advance!

I've been seeing this error every four hours for the last few days.

"The `free` type patch is not found for your kernel. Please select existing patch type"

Hello Michael!
We fixed this problem for ourselves, you need to do:
kcarectl --update
If you have any other questions, feel free to ask here. Thank you for contacting us.

Hello cloudlinux team;

CentOS 7.7 OS, when will the symlink patch be released for kernel 3.10.0-1062.1.1.el7?

Hello Michael,
Thank you for reaching out! We are working on this issue. We plan to release the patch at the end of the next week.

Hello,

What is the true GID for DirectAdmin?

fs.symlinkown_gid =

99 for cPanel.
48 for DirectAdmin?

Hello Mustafa,
It depends on which gid your apache/nobody has.
For cPanel:
[root@cl7cpea4test ~]# sysctl fs.symlinkown_gid
fs.symlinkown_gid = 99
[root@cl7cpea4test ~]# grep ":99:" /etc/group
nobody:x:99:

For DirectAdmin:
[[email protected] ~]# grep apache /etc/group
apache:x:1000:
[[email protected] ~]# sysctl fs.symlinkown_gid
fs.symlinkown_gid = 1000

One more note: CentOS 7.8 kernel 3.10.0-1127.el7.x86_64 is not supported. Add KernelCare's Free Symlink Protection.

Hello,
Thank you for the information! We will definitely verify this, and if CentOS 7.8 kernel 3.10.0-1127.el7.x86_64 is not supported, we will add it for this kernel within 5 working days. Thank you.
