Kernel symlink ownership attacks, while Jailshell & mod_ruid2 enabled
After updating to WHM 60.15 and EasyApache 4 I noticed this on security advisor
Kernel does not support the prevention of symlink ownership attacks.
I'm running this system with PHP-FPM. I also have jailed Apache enabled and mod_ruid2.

/etc/redhat-release: CentOS release 6.8 (Final)
/usr/local/cpanel/version: 11.60.0.15
/var/cpanel/envtype: kvm
CPANEL=release
Server version: Apache/2.4.23 (cPanel)
Server built: Oct 13 2016 19:47:28
ea-php-cli Copyright 2016 cPanel, Inc.
PHP 7.0.12 (cli) (built: Oct 18 2016 20:12:13) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
with Zend OPcache v7.0.12, Copyright (c) 1999-2016, by Zend Technologies
mysql Ver 15.1 Distrib 10.1.18-MariaDB, for Linux (x86_64) using readline 5.1
Please see the attached screenshot. I have read "Symlink Race Condition Protection - EasyApache - cPanel Documentation", but I'm not sure what else to do, as I have already enabled mod_ruid + jailshell. Is the above warning a false positive? Or should I do something else? Do I have to do something like this? "How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation"
Just researching this ATM. I found a new option in the apache3 exhaustive options list called "Symlink Race Condition Protection". I'm guessing that's the solution, but I received a warning about performance when I selected it, so personally I'm still looking for more info on this.
Disregard my previous comment. I'm still in the dark with this one. I have run ruid2+jailshell for some time... the Security Advisor message only appeared after upgrading to v60 build 15. If I understand this properly, applying the symlink patch is considered a separate, last-resort solution. Ruid2+jailshell is one of the preferred solutions. This post might help anyone looking: "New security advisor for symlink ownership attacks"
So it seems that I have to replace the CentOS 6 kernel with that of cPanel. Are there any disadvantages to this one? I really would appreciate an official answer from cPanel. Does the cPanel version of the kernel receive updates, and is it safe regarding other security and performance issues? Noob question: what will happen if I disable FollowSymLinks and enable only SymLinksIfOwnerMatch? Is this an alternative?
Hello,

The warning message in Security Advisor is noting that you have no kernel-level symlink protection enabled on your system. You can find the existing options for kernel-level symlink protection at: "Symlink Race Condition Protection - EasyApache - cPanel Documentation". In addition to the two solutions listed in that document, the cPanel-patched kernel is another solution that offers kernel-level symlink protection: "How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation". A greater level of protection is offered when using a patched kernel as opposed to patching Apache only.

Thank you.
Hi Michael, and thank you for your answer, but I have already read (and posted above) both of these articles and I still have concerns:

1) Do we need the kernel patch if we already have mod_ruid + jailshell enabled? What's the difference?
2) Does the cPanel kernel replace the default one, or is it just a patch to the default one?
3) If it is a new kernel, is it maintained and does it receive updates through the repo?

Thank you for your time
Hello,

1) Do we need the kernel patch if we already have mod_ruid + jailshell enabled? What's the difference?

It's not required, but kernel-level protection or CageFS from CloudLinux are solutions that offer a greater level of security. Also, using Apache-level patches (e.g. the BlueHost patch) can slow the performance of the server. To note, our documentation team is working on a new document that specifies the various options available to you on EasyApache 4.

2) Does the cPanel kernel replace the default one, or is it just a patch to the default one?

It replaces the default kernel on your system; however, note it's essentially the CentOS kernel patched to protect against symlink attacks.

3) If it is a new kernel, is it maintained and does it receive updates through the repo?

Yes, it's maintained and updated in a similar fashion to the stock kernel.

Thank you.
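To make concrete why the thread distinguishes an Apache-level SymLinksIfOwnerMatch check from protection applied at open time, here is an added example (not cPanel, Apache or forum code) that implements the ownership rule both ways in Python against a constructed temporary document root. check_then_open() does what an Apache-style option does: lstat() the path, compare the owner of the link with the owner of its target, then open the path, which is a separate system call and leaves a window between the check and the open. open_then_check() opens first and then fstat()s the descriptor it actually obtained, so the object that would be served is the object that is checked, the property a kernel-level enforcement gives you. The account uid, the docroot path and the file names are assumptions made up for the fixture.

```python
"""Owner-match checks for files served from a per-account document root.

Added illustration; the docroot, file names and account uid are constructed.
"""
import os
import shutil
import stat
import tempfile


class OwnerMismatch(PermissionError):
    """The path resolved to something not owned by the account owner."""


def _components(rel_path):
    """Split a request path and refuse parent-directory traversal."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise ValueError("parent-directory components are not allowed")
    return parts


def check_then_open(docroot, rel_path):
    """Apache-style SymLinksIfOwnerMatch: follow a symlink only when the
    link and its target have the same owner. The check (lstat/stat) and
    the open are separate calls, so the path is resolved twice; between
    those two resolutions the target could change (the race the kernel
    patch closes)."""
    path = os.path.join(docroot, *_components(rel_path))
    link_info = os.lstat(path)            # the link itself, not followed
    if stat.S_ISLNK(link_info.st_mode):
        target_info = os.stat(path)       # follows the link
        if link_info.st_uid != target_info.st_uid:
            raise OwnerMismatch(
                f"{rel_path}: link owner {link_info.st_uid} "
                f"!= target owner {target_info.st_uid}")
    return os.open(path, os.O_RDONLY)     # second resolution of the path


def open_then_check(docroot, rel_path, account_uid):
    """Open first, then verify the descriptor: fstat() reports the file
    that was actually opened, however the path got there, so the check
    and the served object cannot diverge. Anything not a regular file
    owned by the account is refused."""
    path = os.path.join(docroot, *_components(rel_path))
    fd = os.open(path, os.O_RDONLY | os.O_NOCTTY)
    try:
        info = os.fstat(fd)
        if not stat.S_ISREG(info.st_mode):
            raise OwnerMismatch(f"{rel_path}: not a regular file")
        if info.st_uid != account_uid:
            raise OwnerMismatch(
                f"{rel_path}: owned by uid {info.st_uid}, "
                f"account uid is {account_uid}")
    except Exception:
        os.close(fd)
        raise
    return fd


def demo():
    """Constructed fixture: a docroot holding index.html and a symlink to it,
    both owned by the current user (so no chown is needed). Returns what
    each access yields."""
    me = os.getuid()
    root = tempfile.mkdtemp(prefix="docroot-")
    try:
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>hello</h1>")
        os.symlink("index.html", os.path.join(root, "link.html"))
        results = {}
        for rel in ("index.html", "link.html"):
            fd = open_then_check(root, rel, me)
            results[rel] = os.read(fd, 64).decode()
            os.close(fd)
        # Same link, same owner: the Apache-style check also allows it.
        fd = check_then_open(root, "link.html")
        results["apache-style"] = os.read(fd, 64).decode()
        os.close(fd)
        # Treat the account as a different uid: the file is no longer
        # the account's own, so it is refused after the open.
        try:
            open_then_check(root, "link.html", me + 1)
            results["other-account"] = "served"
        except OwnerMismatch:
            results["other-account"] = "refused"
        # Traversal out of the docroot is rejected before any open.
        try:
            open_then_check(root, "../etc/passwd", me)
            results["traversal"] = "served"
        except ValueError:
            results["traversal"] = "rejected"
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The difference between the two functions is the whole point of the advisory: with the Apache-style variant, the protection is only as good as the gap between the stat and the open, whereas the fd-based variant (like the kernel-level options the reply lists) evaluates ownership on the object that is actually handed to the web server.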