
Kernel Symlink Protection Patch for CentOS 7

How to install the free symlink protection patchset:

Below are instructions for installing KernelCare and running this patchset for free. Although the symlink protection patchset is part of KernelCare, it does not require you to purchase a license or even register for the KernelCare free trial (if you choose to purchase a license at a later date, information on how to upgrade will be published in the documentation soon).

To enable the symlink protection, perform the following steps:

First, install KernelCare client:

curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash

Enable the free patch type; this patch type does not require a license:

kcarectl --set-patch-type free --update

The ‘free’ patch will be applied on the next update.


During the installation, you should see output similar to:

'free' patch type selected
Downloading updates
Patch level 3 applied. Effective kernel version
Updates already downloaded
Kernel is safe


Edit the file /etc/sysconfig/kcare/sysctl.conf (or create it if it does not exist) and add the lines:

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48


Apply the settings to the running kernel (no reboot is needed):

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=48

Note: with the standard RPM Apache installation (httpd), Apache runs under the apache group, GID 48. On cPanel servers, Apache runs as user nobody, GID 99, so set fs.symlinkown_gid = 99 there. Confirm the GID on your own system (for example with getent group apache, or id -g nobody on cPanel) rather than assuming it; the protection only applies to processes running under the GID you configure.
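The whole procedure above as one script, added here as an example; it is not code from the page or from KernelCare's own tooling. It assumes the KernelCare client is already installed and the free patch applied (the two sysctl keys only exist on a patched kernel), resolves the web server's GID from /etc/group instead of hard-coding 48, and, as a root-only check, includes a hypothetical helper probe_symlink_protection that creates a symlink whose owner differs from the target's owner and confirms a process in the web group can no longer read through it. The protection, as KernelCare documents it, refuses to follow a symlink whose owner does not match the target's owner when the following process runs under fs.symlinkown_gid; the probe assumes that check keys on the effective GID, which sg sets. The helper names and the use of sg are assumptions; the file path is the one from the page.

```shell
#!/bin/sh
# Added example (not from the page or KernelCare): enable and verify the
# KernelCare symlink-protection sysctls using the web server's real GID.
set -u

KCARE_SYSCTL=/etc/sysconfig/kcare/sysctl.conf   # path from the page

# Print the GID of the first group name in "$@" found in /etc/group.
# Usage: web_gid apache nobody   (RPM httpd first, then cPanel's nobody)
web_gid() {
    for g in "$@"; do
        gid=$(awk -F: -v g="$g" '$1 == g { print $3; exit }' /etc/group)
        if [ -n "$gid" ]; then
            printf '%s\n' "$gid"
            return 0
        fi
    done
    return 1
}

# Render the two sysctl lines for a given GID (pure function, testable offline).
symlink_sysctl_conf() {
    printf 'fs.enforce_symlinksifowner = 1\nfs.symlinkown_gid = %s\n' "$1"
}

# Persist the settings in the KernelCare sysctl file and apply them live.
# sysctl -w fails if the keys are absent, i.e. the free patch is not applied.
apply_symlink_protection() {
    gid=$1
    mkdir -p "$(dirname "$KCARE_SYSCTL")" || return 1
    symlink_sysctl_conf "$gid" > "$KCARE_SYSCTL" || return 1
    sysctl -w fs.enforce_symlinksifowner=1 || return 1
    sysctl -w fs.symlinkown_gid="$gid" || return 1
}

# Confirm the running kernel holds the expected values.
verify_symlink_protection() {
    gid=$1
    [ "$(cat /proc/sys/fs/enforce_symlinksifowner 2>/dev/null)" = 1 ] &&
    [ "$(cat /proc/sys/fs/symlinkown_gid 2>/dev/null)" = "$gid" ]
}

# Root-only functional probe (assumption: the check keys on the effective GID,
# which sg sets). Builds a root-owned, world-readable target and a symlink owned
# by a different uid, then reads through the link as the web group.
# Returns 0 if the read is refused (protection active), 1 if it succeeds.
probe_symlink_protection() {
    group=$1
    d=$(mktemp -d) || return 1
    chmod 755 "$d"
    echo "probe" > "$d/target"
    chmod 644 "$d/target"                  # readable by anyone without the patch
    ln -s "$d/target" "$d/link"
    chown -h 65534:65534 "$d/link"         # link owner != target owner (root)
    if sg "$group" -c "cat '$d/link'" >/dev/null 2>&1; then
        rc=1                               # read succeeded: not protected
    else
        rc=0                               # read refused: protection active
    fi
    rm -rf "$d"
    return $rc
}

# Stand-alone use: "sh symlink-protection.sh apply" or "... probe [group]".
case "${1:-}" in
    apply)
        gid=$(web_gid apache nobody) || { echo "no apache/nobody group in /etc/group" >&2; exit 1; }
        apply_symlink_protection "$gid" || exit 1
        if verify_symlink_protection "$gid"; then
            echo "symlink protection active for GID $gid"
        else
            echo "sysctl keys missing or unchanged: is the free patch applied?" >&2
            exit 1
        fi
        ;;
    probe)
        if probe_symlink_protection "${2:-apache}"; then
            echo "symlink protection confirmed"
        else
            echo "symlink NOT protected (patch or sysctls not active)"
        fi
        ;;
esac
```

Run the apply step as root after kcarectl reports the free patch applied, then probe to prove the setting actually bites rather than trusting the sysctl value alone; on cPanel pass nobody as the probe group.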

Check that the patch is applied with the following command:

kcarectl --info
kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-1062.18.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) ) #1 SMP Tue Mar 17 23:49:17 UTC 2020
kpatch-build-time: Fri Apr 10 15:22:19 2020
kpatch-description: 3-free:1587577957;

Get details of the applied patches with the following command:

kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-1062.18.1.el7
time: 2020-04-13 12:43:41



kpatch-name: 3.10.0/symlink-protection-ge-862.patch
kpatch-description: symlink protection
kpatch-kernel: kernel-3.10.0-514.el7
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7

kpatch-name: 3.10.0/symlink-protection-ge-862.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-3.10.0-514.el7
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7
