Kernel Symlink Protection Patch for CentOS 7


How to install the free symlink protection patchset:

Below we provide instructions on how to install KernelCare and run this patchset for free. Though this symlink protection patchset is part of KernelCare, it does not require you to purchase a license or even register for the KernelCare free trial (if you choose to purchase a license at a later date, information on how to upgrade will be published in the documentation soon).

To enable the symlink protection, perform the following steps:

First, install the KernelCare client:

curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash

Enable the free patch type; this patch type does not require a license:

kcarectl --set-patch-type free --update

The ‘free’ patch will be applied on the next update.


During the installation, you should see something similar to:

'free' patch type selected
Downloading updates
Patch level 3 applied. Effective kernel version
Updates already downloaded
Kernel is safe
Edit the file /etc/sysconfig/kcare/sysctl.conf (or create it if it doesn't exist) and add the following lines:

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48
Execute:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=48

Note: On a standard RPM Apache installation, Apache usually runs under GID 48. On cPanel servers, Apache runs as user nobody, GID 99.

Check the patch status using the command below:

kcarectl --info
kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-1062.18.1.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) ) #1 SMP Tue Mar 17 23:49:17 UTC 2020
kpatch-build-time: Fri Apr 10 15:22:19 2020
kpatch-description: 3-free:1587577957;

Get details of the applied patches using the command below:

kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-1062.18.1.el7
time: 2020-04-13 12:43:41
kpatch-name: 3.10.0/symlink-protection-ge-862.patch
kpatch-description: symlink protection
kpatch-kernel: kernel-3.10.0-514.el7
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7

kpatch-name: 3.10.0/symlink-protection-ge-862.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-3.10.0-514.el7
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7
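The two sysctl settings above only protect the web server if fs.symlinkown_gid is the GID Apache actually runs as, which differs between stock RPM (48) and cPanel (99) layouts. As an added example that is not part of the KernelCare documentation, the POSIX shell check below parses a kcare sysctl.conf, confirms enforcement is on, and compares the configured GID with the live group; the group-name lookup via getent and the sample config file are assumptions.

```shell
#!/bin/sh
# Added example, not part of the KernelCare documentation.
# Checks that a kcare sysctl.conf enables symlink protection and that the
# configured fs.symlinkown_gid matches the GID the web server runs as.
# Assumed: "key = value" lines as on this page; group name supplied by caller.

# Print the last value set for KEY in a sysctl-style FILE (empty if absent).
conf_value() {
    awk -F= -v key="$2" '
        { sub(/#.*/, ""); gsub(/[[:space:]]/, "", $1) }
        $1 == key { gsub(/[[:space:]]/, "", $2); val = $2 }
        END { print val }' "$1"
}

# Resolve a group name to a numeric GID with getent; fall back to the
# supplied default when the group is not present on this host.
group_gid() {
    _gid=$(getent group "$1" 2>/dev/null | cut -d: -f3)
    printf '%s' "${_gid:-$2}"
}

# Return 0 when protection is enforced and the GID matches, 1 otherwise.
check_symlink_protection() {
    _enforce=$(conf_value "$1" fs.enforce_symlinksifowner)
    _gid=$(conf_value "$1" fs.symlinkown_gid)
    if [ "$_enforce" != "1" ]; then
        echo "fs.enforce_symlinksifowner is '${_enforce:-unset}', expected 1" >&2
        return 1
    fi
    if [ "$_gid" != "$2" ]; then
        echo "fs.symlinkown_gid is '${_gid:-unset}', but the web server GID is $2" >&2
        return 1
    fi
    return 0
}

# Constructed sample config written for a standard RPM Apache (GID 48).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample of /etc/sysconfig/kcare/sysctl.conf
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48
EOF

# Passes on a stock RPM host; fails on a cPanel host, where Apache is GID 99.
check_symlink_protection "$SAMPLE_CONF" "$(group_gid apache 48)" && echo "OK for apache"
check_symlink_protection "$SAMPLE_CONF" "$(group_gid nobody 99)" || echo "misconfigured for cPanel layout"
```

Run it on the real /etc/sysconfig/kcare/sysctl.conf after the kcarectl steps above; a mismatch means the kernel is enforcing the rule for a GID the web server never uses.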