cPanel Security Advisor Issue
OS: Centos 7
Kernel: OVH kernel 3.14.32-xxxx-grs-ipv6-64
cPanel Security Advisor
Apache Symlink Protection: Grsecurity sysctl values
It seems that your sysctl keys, enforce_symlinksifowner, and symlinkown_gid, may not be configured correctly for a cPanel server. Typically, enforce_symlinksifowner is set to 1, and symlinkown_gid is set to 99 on a cPanel server. For further information, see the Grsecurity Documentation.
The thread below will guide you: Apache Symlink Protection Advisor
It did not work... I followed the guide.
    fs.enforce_symlinksifowner = 1
    fs.symlinkown_gid = 99
added to /etc/sysctl.conf. These are the results of sysctl -p:
    sysctl: cannot stat /proc/sys/fs/enforce_symlinksifowner: No such file or directory
    sysctl: cannot stat /proc/sys/fs/symlinkown_gid: No such file or directory
It was for CloudLinux-based systems, as there are several options for the symlink patch; please revert. Since you installed the grsecurity patch, just enable the settings as mentioned in the advisor. Just do a
    sysctl -a | egrep 'symlinksifowner|symlinkown'
It will identify the right values. A reboot is required.
Sorry, but that didn't help... :( ... Is it possible to remove/delete/disable this warning or to uninstall that patch?
Hello, Please post the output from the following commands:
    cat /usr/local/cpanel/version
    sysctl -n kernel.grsecurity.symlinkown_gid
    sysctl -n kernel.grsecurity.enforce_symlinksifowner
Thank you.
    [root@server ~]# cat /usr/local/cpanel/version
    11.62.0.16
    [root@server ~]# sysctl -n kernel.grsecurity.symlinkown_gid
    sysctl: cannot stat /proc/sys/kernel/grsecurity/symlinkown_gid: No such file or directory
    [root@server ~]# sysctl -n kernel.grsecurity.enforce_symlinksifowner
    sysctl: cannot stat /proc/sys/kernel/grsecurity/enforce_symlinksifowner: No such file or directory
    [root@server ~]#
Hello, Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome. Thank you.
Support Request ID is: 8292381
Hello, Per the ticket, it looks like you were advised to seek out the support from your provider regarding the configuration of your kernel. Could you update us on the outcome of how that went? Thank you.
From: OVH Support Hello, Thank you for contacting OVH regarding your custom configuration. This issue is pretty well known by cPanel and you will be able to find solutions on the internet or internet forums. I found some information that can help as a start on the cPanel website; here is the link for that: Apache Symlink Protection Advisor
Hello, That thread links to: CloudLinux Documentation. Were you able to follow the steps in that document, as advised by your provider, to see if the issue persists? Thank you.
Yes... we followed all the steps... whatever we did, the problem is still present... Your support said that the problem is with the OVH custom kernel, and OVH support said that the problem is with cPanel.
Hello, Could you respond to your provider to let them know that enabling the settings on the provided document did not help? You can have them open a ticket directly with us if they are unable to troubleshoot the issue further. Thank you.
Answer from OVH: It is my pleasure to assist you to have this issue clarified. In case that you are having problems with the custom kernel from OVH. Our support is completely dedicated to the infrastructure of the service, so we won't be able to provide advice on this.
Hello, It's possible you have not added the correct entries to the /etc/sysctl.conf file on the system. Could you let us know the contents of that file? EX:
    cat /etc/sysctl.conf
The specific entries you need to add are documented at: Grsecurity/Appendix/Grsecurity and PaX Configuration Options - Wikibooks, open books for an open world
EX:
    kernel.grsecurity.enforce_symlinksifowner = 1
    kernel.grsecurity.symlinkown_gid = 99
You'd then run the following command:
    sysctl -p
Thank you.
    [root@server ~]# cat /etc/sysctl.conf
    # sysctl settings are defined through files in
    # /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
    #
    # Vendors settings live in /usr/lib/sysctl.d/.
    # To override a whole file, create a new file with the same in
    # /etc/sysctl.d/ and put new settings there. To override
    # only specific settings, add a file with a lexically later
    # name in /etc/sysctl.d/ and put new settings there.
    #
    # For more information, see sysctl.conf(5) and sysctl.d(5).
    # Disable IPv6 autoconf
    net.ipv6.conf.all.autoconf = 0
    net.ipv6.conf.default.autoconf = 0
    net.ipv6.conf.eth0.autoconf = 0
    net.ipv6.conf.all.accept_ra = 0
    net.ipv6.conf.default.accept_ra = 0
    net.ipv6.conf.eth0.accept_ra = 0
    kernel.enforce_symlinksifowner = 1
    kernel.symlinkown_gid = 99
    [root@server ~]#
    kernel.enforce_symlinksifowner = 1
    kernel.symlinkown_gid = 99
Try replacing these values with:
    kernel.grsecurity.enforce_symlinksifowner = 1
    kernel.grsecurity.symlinkown_gid = 99
Then run the following command:
    sysctl -p
Thank you.
    [root@server ~]# sysctl -p
    net.ipv6.conf.all.autoconf = 0
    net.ipv6.conf.default.autoconf = 0
    net.ipv6.conf.eth0.autoconf = 0
    net.ipv6.conf.all.accept_ra = 0
    net.ipv6.conf.default.accept_ra = 0
    net.ipv6.conf.eth0.accept_ra = 0
    sysctl: cannot stat /proc/sys/kernel/grsecurity/enforce_symlinksifowner: No such file or directory
    sysctl: cannot stat /proc/sys/kernel/grsecurity/symlinkown_gid: No such file or directory
    [root@server ~]#
Hello, This is a limitation of the kernel offered by your provider. You may want to contact them to see if it's possible to boot into a stock kernel, or request assistance from additional members of their support team if they are unable to provide you with a reliable answer. Thank you.
ok...tnx...
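Added example (not part of any post in this thread, and not cPanel's or OVH's own tooling): a shell check that looks for the two symlink-protection keys under both sysctl namespaces tried above, kernel.grsecurity.* and fs.*, and reports whether they exist and hold the advisor's values of 1 and 99. The function names and the optional alternate sysctl root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# The optional argument is an alternate sysctl root (default /proc/sys),
# an assumption added so the check can run against a constructed tree.

# Print the sysctl namespace that exposes both keys, or return 1 if none does.
find_symlink_keys() {
    root="${1:-/proc/sys}"
    # kernel/grsecurity: grsecurity-patched kernels; fs: CloudLinux kernels.
    for ns in kernel/grsecurity fs; do
        if [ -e "$root/$ns/enforce_symlinksifowner" ] &&
           [ -e "$root/$ns/symlinkown_gid" ]; then
            echo "$ns" | tr / .
            return 0
        fi
    done
    return 1
}

# Return codes: 0 = values match the advisor, 1 = keys exist but differ,
# 2 = the running kernel exposes neither namespace, so no sysctl.conf
#     entry can take effect (the "cannot stat" case shown above).
check_symlink_protection() {
    root="${1:-/proc/sys}"
    ns=$(find_symlink_keys "$root") || { echo "unsupported"; return 2; }
    dir="$root/$(echo "$ns" | tr . /)"
    enforce=$(cat "$dir/enforce_symlinksifowner")
    gid=$(cat "$dir/symlinkown_gid")
    if [ "$enforce" = "1" ] && [ "$gid" = "99" ]; then
        echo "ok $ns"
        return 0
    fi
    echo "misconfigured $ns enforce_symlinksifowner=$enforce symlinkown_gid=$gid"
    return 1
}

# Run against the live system only when asked: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_symlink_protection /proc/sys
fi
```

A result of "unsupported" means the key names in /etc/sysctl.conf are not the problem: the booted kernel does not expose the settings at all, which matches the conclusion reached in the thread.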
Hello, I have exactly the same problem. Did you have a solution to this problem, "Boris Horvat"?
Hello, I have exactly the same problem. Did you have a solution to this problem, "Boris Horvat"?
I don't see any updates from the user, but here's the latest response regarding this topic if you are facing the same issue: Hello, This is a limitation of the kernel offered by your provider. You may want to contact them to see if it's possible to boot into a stock kernel, or request assistance from additional members of their support team if they are unable to provide you with a reliable answer. Thank you.
I suggest contacting your provider to see if it's possible to boot into a stock kernel if possible. Thank you.