Symlink Race Condition Protection
Tonight I went to WHM - Security Center - Security Advisor. The results were all green light except the following.
RED - Kernel does not support the prevention of symlink ownership attacks. You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review
When I look into EasyApache 4 I see that these are the currently installed packages...
Current Profile
The currently installed packages on the server.
Apache 2.4
config
config-runtime
mod_bwlimited
mod_cgi
mod_dav
mod_dav_fs
mod_dav_lock
mod_deflate
mod_expires
mod_headers
mod_mpm_prefork
mod_proxy
mod_proxy_http
mod_ruid2
mod_security2
mod_ssl
mod_unique_id
tools
PHP 5.6
libc-client
pear
php-bcmath
php-calendar
php-cli
php-common
php-curl
php-devel
php-ftp
php-gd
php-gettext
php-iconv
php-imap
php-mbstring
php-mcrypt
php-mysqlnd
php-pdo
php-posix
php-sockets
php-xml
php-zip
runtime
Others
apr
apr-util
cpanel-tools
documentroot
libmcrypt
modsec-sdbm-util
php-cli
profiles-cpanel
In Tweak Settings the following are enabled.
EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel jailshell.
Use cPanel jailshell by default
I have read the discussion at Symlink Race Condition Protection - EasyApache - cPanel Documentation but that is very confusing. Please help me fix this!
You are using EA4 on your server, so you need to enable the Symlink Protection options in WHM >> Service Configuration >> Apache Configuration:
SymlinkProtect On|Off
SymlinkProtectRoot /var/www/html
Thanks for the response. When I go to WHM >> Service Configuration >> Apache Configuration, there are several options, and I am guessing that the settings you reference should be under Global Configuration; however, I am not sure where to make the changes. The only reference to SymLinks I see there is in the following Directory "/" options:
ExecCGI default
FollowSymLinks default
Includes
IncludesNOEXEC default
Indexes default
MultiViews
SymLinksIfOwnerMatch default
I am old and stupid, thus I need the hold-my-hand instructions please!
Hello @PCZero,
YELLOW - Apache Symlink Protection: the Bluehost provided Apache patch is in effect. It appears that the Bluehost provided Apache patch is being used to provide symlink protection. This is less than optimal. Please review Symlink Race Condition Protection
This is likely a false positive, and is discussed on the following thread: Apache Symlink Protection is enabled
Additionally, I don't recommend enabling this feature unless it's the only option available on your system. It's documented at: cPanel Documentation - BlueHost Patch
RED - Kernel does not support the prevention of symlink ownership attacks. You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review the documentation to learn how to apply this protection.
This message is suggesting a kernel-level solution, such as the cPanel hardened kernel. The updated link for EasyApache 4 is: Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation
@SysSachin, that option is actually only recommended as a last resort if additional symlink protection options aren't possible on the system. In addition, the option isn't available in the UI until cPanel version 62. This is discussed at:
Michael, I do not like the use of that option either. My issue is that I never enabled it, and historically I had and still have ruid2 installed. I am still getting these warnings and errors. I am going to read the documentation you linked to see if that offers help. FYI, CloudLinux is NOT an option. I will see if hardening the kernel is available to resolve this. However, I am still concerned about getting that second flag. Again, I never did anything to install/enable that. Should I be concerned, and do I need to uninstall anything?
Michael, done. I ran the cPanel kernel hardening and all is well. Both issues are no longer being reported. Thanks!
However, I am still concerned about getting that second flag. Again, I never did anything to install/enable that. Should I be concerned, and do I need to uninstall anything?
Hello, It's not actually enabled by default. That's a false positive and is discussed at: Apache Symlink Protection is enabled Thanks!
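
The Directory "/" options quoted in this thread include SymLinksIfOwnerMatch, under which Apache follows a symlink only when the link and its target have the same owner. The following is an added example, not part of the thread and not cPanel's code: a one-off audit that lists symlinks that would fail that owner comparison. The function name, the status labels and the `/home` default path are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Audit a tree for symlinks whose owner differs from the owner of the target.

Added example (hypothetical helper, not cPanel code). It makes the same
link-uid versus target-uid comparison as Apache's SymLinksIfOwnerMatch,
as a point-in-time snapshot; it does not close the race window itself.
"""
import os
import sys


def audit_symlinks(root, lstat=os.lstat, stat=os.stat):
    """Return sorted (path, target, status) tuples for symlinks under root.

    status is "owner-mismatch" or "unresolvable" (dangling link or loop).
    lstat/stat are injectable so the comparison can be tested without root.
    """
    findings = []
    # followlinks=False: report directory symlinks but never descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            try:
                target = os.readlink(path)
                link_uid = lstat(path).st_uid      # owner of the link itself
            except OSError:
                continue                           # link vanished during the scan
            try:
                target_uid = stat(path).st_uid     # owner of what it resolves to
            except OSError:
                findings.append((path, target, "unresolvable"))
                continue
            if link_uid != target_uid:
                findings.append((path, target, "owner-mismatch"))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed default: /home, where cPanel account home directories live.
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    for path, target, status in audit_symlinks(scan_root):
        print(f"{status}\t{path} -> {target}")
```

Run it as root so every account's files can be inspected; an "owner-mismatch" entry is a link to review, not proof of compromise.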