Skip to main content

Full Kernelcare Product and prevention of symlink ownership attacks

Comments

27 comments

  • rscalover

    it is always the same crap after every kernel update that symlink protection patch no longer works and it always takes ages before there is a new patch.

    it either says "'extra' patch type is unavailable for your kernel" or "No updates are needed for this kernel kernel is safe" but that is a lie !!!!

    Cloudlinux get your act together and .....

    2
  • cPRex Jurassic Moderator

    Hey there! I reached out to KernelCare directly about this since I'm also getting some odd results when I test with AlmaLinux 9, but I haven't heard back from them yet.  I'll be sure to reply as son as I hear something!

    1
  • cPRex Jurassic Moderator

    You shouldn't need to use the free patch when you're a paid customer.

    I still haven't heard back from KernelCare about this issue.

    1
  • filoucp

    cPRex I did a few months ago but the conclusion was that the message in the security advisor (Kernel does not support the prevention of symlink ownership attacks.) is probably a false report and that my server "should" be secure.

    1
  • Andrew

    I think the reason for this is that under extra patchset no patched kernel is available yet for this type of OS however the symlink protection is also available under the free one which might work in your case so can you give this a try:

    kcarectl –set-patch-type free –update

    then follow the instructions above.

    Andrew N. - cPanel Plesk VMWare Certified Professional
    Do you need immediate assistance? 20 minutes response time!*
    EmergencySupport - Professional Server Management and One-time Services

    0
  • EneTar

     # kcarectl --set-patch-type free --update
    'free' patch type is unavailable for your kernel

    0
  • cPRex Jurassic Moderator

    I just heard back from KernelCare and they aren't aware of this issue on their end.  Could you submit a ticket and then we can get it escalated to KernelCare for you?

    0
  • EneTar

    I guess I can do that, does the ticket require access to my server?

    0
  • cPRex Jurassic Moderator

    Yes, they would require access to troubleshoot this behavior.

    0
  • AmedeoSca

    I have the same problem... no news?

     

    0
  • cPRex Jurassic Moderator

    AmedeoSca - I don't see any additional details on my end for this problem, so it would likely be best to submit a ticket.

    0
  • EneTar

    cPRex what does kernelcare report on your almalinux 9 box, does it still have issues?

    0
  • cPRex Jurassic Moderator

    So far we haven't been able to reproduce this - could someone in this thread submit a ticket and then we can escalate it to KernelCare directly?

    0
  • AmedeoSca

    From here seems that the latest kernel havo no patch....

    https://patches.kernelcare.com/?search=&distro=almalinux9-arm64&type=kernel 

    0
  • ThomasT

    I opened a ticket with kernelcare. It seems that Kernelcare symlink protection doesn't exist for Almalinux 9 yet: 

    "We clarified with developers and informing you that Almalinux 9 patch for symlink protection is yet to be implemented and, unfortunately, we cannot yet say when it will be done."

    If I ever notice that it works as intended I will update this thread. If you notice earlier than me feel free to update this thread as well. For the time being Kernelcare doesn't provide symlink protection for Almalinux 9 

    0
  • cPRex Jurassic Moderator

    Thanks for sharing!

    0
  • DaveA

    We're seeing the same issue with Almalinux8.9 Kernel 4.18.0-513.18.2.el8_9.x86_64

    Kernel is not listed on compatibility list. 

    Ticket submitted with Cloudlinux

    0
  • cPRex Jurassic Moderator

    Let us know what they say!

    0
  • DaveA

    They came back with the following:-

    "4.18.0-513.18.2.el8_9.x86_64" is not yet supported by us, and the "extra" patch

    The first set of patches for this kernel should be released in the next few weeks. We just need to double-check that the symlink parameters are already configured, for example:

    cat /etc/sysconfig/kcare/sysctl.conf
    fs.enforce_symlinksifowner=1
    0
  • cPRex Jurassic Moderator

    That's often the case if the kernel is brand new - it takes a bit of dev time for them to get it added to their tools.

    0
  • DaveA

    Can confirm this morning Cloudlinux have already patched the kernel.

    Extra patch set and symlink protection can now be enabled.

    0
  • cPRex Jurassic Moderator

    Nice - that was quick!

    0
  • AmedeoSca

    kcarectl --set-patch-type extra --update
    'extra' patch type is unavailable for your kernel

    0
  • cPRex Jurassic Moderator

    AmedeoSca - it's possible it just isn't available for your kernel because it's not supported or because it is too new.

    0
  • filoucp

    I've got the same problem with Rocky linux 9,   Kernel does not support the prevention of symlink ownership attacks. for months with the paid KernelCare.

    0
  • cPRex Jurassic Moderator

    filoucp - if it's been happening for months, it's time to make a ticket.

    0

Please sign in to leave a comment.