If you are using cPanel on a CentOS 6 or CentOS 7 server, you may see the following security advisory:
No symlink protection detected
You do not appear to have any symlink protection enabled on this server. You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.
The default kernel shipped with CentOS 6 and CentOS 7 does not provide symlink race condition protection. This is a major security risk if the server is used for shared hosting. So far, the solution was to use CloudLinux with CageFS or a third-party kernel that provides protection against the symlink race condition.
CloudLinux now provides a free patchset that protects against the symlink race condition. This patchset can be used on CentOS 6 and CentOS 7. You do not require CloudLinux or KernelCare to get this patchset. It is now available free for all CentOS 6 and CentOS 7 users.
How to install the free symlink protection patchset:
To enable the symlink protection, perform the following steps:
First, install the KernelCare client:
curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash
Enable the free patch type; this patch type doesn't require a license:
kcarectl --set-patch-type free --update
The ‘free’ patch will be applied on the next update.
During the installation, you should see something similar to:
OS: CentOS6
kernel: kernel-2.6.32-696.el6
time: 2017-06-22 16:13:40
uname: 2.6.32-642.15.1.el6
kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection // If you see this patch, it means that you can enable symlink protection.
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/
kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/
Edit the file /etc/sysconfig/kcare/sysctl.conf and add the lines:
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99
Many users have reported that the /etc/sysconfig/kcare/sysctl.conf file does not exist. In that case, create the file manually.
Execute:
sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99
Note: On a standard RPM Apache installation, Apache usually runs under GID 48. On cPanel servers, Apache runs under user nobody, GID 99.
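To confirm the steps above took effect, the following added script (not part of the original post and not CloudLinux tooling) compares the two sysctl keys, both as saved in the kcare file and as live values under /proc/sys, against the expected settings. The function names, the optional PROC_ROOT argument and the demo fixture are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not CloudLinux tooling: audit the two sysctl keys from this page.

# conf_value FILE KEY: last value assigned to KEY; skips comments and accepts
# spaces around "=" (the page writes "key = value").
conf_value() (
    [ -r "$1" ] || exit 0
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/[ \t\r]/, "", v); last = v }
        END { if (last != "") print last }' "$1"
)

# live_value KEY [PROC_ROOT]: value in the running kernel; empty output means
# the key does not exist, i.e. the symlink protection patch is not loaded.
live_value() (
    path="${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] && cat "$path" || true
)

# audit_symlink_protection CONF APACHE_GID [PROC_ROOT]: one line per finding; exit status = count.
audit_symlink_protection() (
    conf="$1"; gid="$2"; root="${3:-/proc/sys}"; bad=0
    for pair in "fs.enforce_symlinksifowner=1" "fs.symlinkown_gid=$gid"; do
        key="${pair%%=*}"; want="${pair#*=}"
        live="$(live_value "$key" "$root")"
        saved="$(conf_value "$conf" "$key")"
        if [ -z "$live" ]; then
            echo "MISSING $key is not present in the running kernel"; bad=$((bad + 1))
        elif [ "$live" != "$want" ]; then
            echo "LIVE    $key is $live, expected $want"; bad=$((bad + 1))
        fi
        if [ "$saved" != "$want" ]; then
            echo "SAVED   $key is '$saved' in $conf, expected $want"; bad=$((bad + 1))
        fi
    done
    exit "$bad"
)

# demo: constructed fixture (fake /proc/sys tree and config file), runs anywhere.
demo() (
    t="$(mktemp -d)"; mkdir -p "$t/proc/fs"
    echo 1 > "$t/proc/fs/enforce_symlinksifowner"
    echo 48 > "$t/proc/fs/symlinkown_gid"   # RPM Apache GID left on a cPanel box
    printf 'fs.enforce_symlinksifowner = 1\n' > "$t/sysctl.conf"
    rc=0; audit_symlink_protection "$t/sysctl.conf" 99 "$t/proc" || rc=$?
    rm -rf "$t"; exit "$rc"
)
```

On a cPanel server, source the script and run `audit_symlink_protection /etc/sysconfig/kcare/sysctl.conf 99`; on a standard RPM Apache installation pass 48 instead.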
For more information on this, you can read CloudLinux post from the following URL:
If you are looking for additional server security, you can go for the CloudLinux operating system. You can get it for just $11.95 / month.