No symlink protection detected on cPanel Server

If you are using cPanel on CentOS 6 or CentOS 7 server, you may see the following security advisory:

No symlink protection detected
You do not appear to have any symlink protection enabled on this server. You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.

The default kernel shipped with CentOS 6 and CentOS 7 does not provide protection against symlink race conditions. This is a major security risk if the server is used for shared hosting. Until now the solution was to use CloudLinux with CageFS, or a third-party kernel that protects against symlink race conditions.

Now CloudLinux provides a free patchset that protects against symlink race conditions. This patchset can be used on CentOS 6 and CentOS 7. You do not need CloudLinux or a KernelCare license to get this patchset; it is now available free to all CentOS 6 and CentOS 7 users.

cPanel symlink protection patchset by CloudLinux

How to install the free symlink protection patchset:

To enable the symlink protection, perform the following steps:

First, install KernelCare client:

curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash

Enable the free patch type; this patch type does not require a license:

kcarectl --set-patch-type free --update

The ‘free’ patch will be applied on the next update.

During the installation, you should see something similar to:

OS: CentOS6
kernel: kernel-2.6.32-696.el6
time: 2017-06-22 16:13:40
uname: 2.6.32-642.15.1.el6
kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection // If you see this patch, it means that you can enable symlink protection.
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/
kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/

Edit the file /etc/sysconfig/kcare/sysctl.conf and add the following lines:

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99

Many users reported that the /etc/sysconfig/kcare/sysctl.conf file does not exist. In that case, create the file manually and add the two lines above.

Execute the following to apply the settings to the running kernel immediately:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99

Note: on a standard RPM Apache installation, Apache usually runs under GID 48. On cPanel servers, Apache runs as user nobody, GID 99, which is why fs.symlinkown_gid is set to 99 above.
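The following POSIX sh helper is an added example, not code from the original post or from CloudLinux. It checks whether the two symlink-protection sysctls are present and set for the expected web-server GID, and writes them persistently to the kcare sysctl file in a way that is safe to re-run (the post notes the file is often missing). The sysctl root and config path are parameters, so the functions can be exercised against a constructed directory tree instead of a live kernel; the script name symlink_check.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post or from CloudLinux): verify and
# persist the KernelCare symlink-protection sysctls on a cPanel server.
# The sysctl root (normally /proc/sys) and the config path (normally
# /etc/sysconfig/kcare/sysctl.conf) are parameters for offline testing.

# read_sysctl ROOT KEY: print the value of a dotted sysctl key, e.g.
# fs.symlinkown_gid is read from ROOT/fs/symlinkown_gid.
read_sysctl() {
    _root=$1
    _key=$2
    _path="$_root/$(printf '%s' "$_key" | tr . /)"
    if [ ! -r "$_path" ]; then
        echo "sysctl $_key is not present under $_root" >&2
        return 1
    fi
    cat "$_path"
}

# check_symlink_protection ROOT WEB_GID: prints one of
#   NOT_PATCHED   - the kernel exposes no symlink-protection sysctls (patch not applied)
#   DISABLED      - the sysctls exist but enforcement is off
#   WRONG_GID:<n> - enforcement is on but bound to a GID other than the web server's
#   OK            - protection is active for the expected GID
# Exit status is 0 only for OK.
check_symlink_protection() {
    _root=$1
    _want_gid=${2:-99}    # 99 = cPanel's nobody group; plain RPM Apache uses 48
    _enforce=$(read_sysctl "$_root" fs.enforce_symlinksifowner 2>/dev/null) || { echo NOT_PATCHED; return 2; }
    _gid=$(read_sysctl "$_root" fs.symlinkown_gid 2>/dev/null) || { echo NOT_PATCHED; return 2; }
    if [ "$_enforce" != "1" ]; then
        echo DISABLED
        return 1
    fi
    if [ "$_gid" != "$_want_gid" ]; then
        echo "WRONG_GID:$_gid"
        return 1
    fi
    echo OK
    return 0
}

# persist_kcare_sysctl CONF WEB_GID: create CONF if it is missing and write the
# two settings exactly once, replacing any stale values so re-running is safe.
persist_kcare_sysctl() {
    _conf=$1
    _gid=${2:-99}
    mkdir -p "$(dirname "$_conf")"
    [ -f "$_conf" ] || : > "$_conf"
    # keep every line except old copies of the two keys we manage
    grep -v -E '^fs\.(enforce_symlinksifowner|symlinkown_gid)[[:space:]]*=' "$_conf" > "$_conf.tmp" || true
    printf 'fs.enforce_symlinksifowner = 1\nfs.symlinkown_gid = %s\n' "$_gid" >> "$_conf.tmp"
    mv "$_conf.tmp" "$_conf"
}

# On a real server: sh symlink_check.sh check [GID]  -> checks the live kernel
if [ "${1:-}" = "check" ]; then
    check_symlink_protection /proc/sys "${2:-99}"
fi
```

Running `sh symlink_check.sh check 99` on a patched cPanel box should print OK; NOT_PATCHED means the free KernelCare patch type has not been applied yet (the sysctls only exist once the patch is loaded), and WRONG_GID means the setting does not match the group the web server actually runs as, so the protection is not covering it.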

For more information, read the CloudLinux post at the following URL:

https://www.cloudlinux.com/en/kernelcare-blog/entry/symlink-protection-patchset-centos-6-7-kernelcare

If you are looking for additional server security, you can go for the CloudLinux operating system. You can get it for just $11.95 / month. For more information on this, click here!
