
Kernel Symlink Protection Patch for CentOS 7

How to install the free symlink protection patchset:

Below we provide instructions on how to install KernelCare and run this patchset for free. Though this symlink protection patchset is part of KernelCare, it does not require you to purchase a license or even register for the KernelCare free trial (if you choose to purchase a license at a later date, information on how to upgrade will be published in the documentation soon).

To enable the symlink protection, perform the following steps:

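First, install the KernelCare client. The command below pipes the installer script from repo.cloudlinux.com straight into bash, so download and read the script first if you want to review what it does: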

curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash

Enable the free patch type; this patch type doesn’t require a license:

kcarectl --set-patch-type free --update

The ‘free’ patch will be applied on the next update.

. . .

During the installation, you should see something similar to:

'free' patch type selected
Downloading updates
Patch level 3 applied. Effective kernel version
Updates already downloaded
Kernel is safe


Edit the file /etc/sysconfig/kcare/sysctl.conf (or create it if it doesn’t exist) – add the lines:

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48


Execute:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=48

Note: On a standard RPM Apache installation, Apache usually runs under GID 48. On cPanel servers, Apache runs under user nobody, GID 99.
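To confirm that the settings from the last two steps are in effect and will persist, the following added example (not part of the original article or of KernelCare) compares the entries in /etc/sysconfig/kcare/sysctl.conf with the running values under /proc/sys. The function names conf_value, live_value and audit_symlink_protection are made up for this example, and the expected GID is passed in (48 or 99, per the note above).

```shell
#!/bin/sh
# Added example: audit the symlink-protection sysctls set in the steps above.
# conf_value, live_value and audit_symlink_protection are hypothetical helper names.

# Print the value of KEY from a sysctl-style file ("key = value"); last entry wins.
conf_value() {  # conf_value FILE KEY
    [ -r "$1" ] || return 1
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t\r]/, "", v) }
        k == key { found = v }
        END { if (found == "") exit 1; print found }
    ' "$1"
}

# Print the running value of KEY; sysctl "a.b" is exposed as PROC_SYS/a/b.
live_value() {  # live_value KEY [PROC_SYS]
    path="${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] || return 1
    tr -d ' \t\n' < "$path"
}

# Return 0 only if both keys are persisted AND live with the expected values.
# A missing /proc entry means the patched kernel code is not loaded.
audit_symlink_protection() {  # audit_symlink_protection EXPECTED_GID [CONF] [PROC_SYS]
    want_gid=$1
    conf=${2:-/etc/sysconfig/kcare/sysctl.conf}
    root=${3:-/proc/sys}
    rc=0
    for pair in "fs.enforce_symlinksifowner=1" "fs.symlinkown_gid=$want_gid"; do
        key=${pair%%=*}; want=${pair#*=}
        saved=$(conf_value "$conf" "$key") || saved="<missing>"
        live=$(live_value "$key" "$root") || live="<missing>"
        if [ "$saved" = "$want" ] && [ "$live" = "$want" ]; then
            echo "OK   $key = $want"
        else
            echo "FAIL $key: want=$want persisted=$saved live=$live"
            rc=1
        fi
    done
    return $rc
}

# Run the audit only when asked: ./script.sh --audit 48   (or 99 on cPanel)
if [ "${1:-}" = "--audit" ]; then audit_symlink_protection "${2:-48}"; fi
```

A FAIL line with live=<missing> means the sysctl does not exist on the running kernel, so the patch is not applied; a mismatch between persisted and live points to a value that was set with sysctl -w but never written to the file, or the reverse.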

Check the patch status using the command below:

kcarectl --info
kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-1062.18.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) ) #1 SMP Tue Mar 17 23:49:17 UTC 2020
kpatch-build-time: Fri Apr 10 15:22:19 2020
kpatch-description: 3-free:1587577957;

Get details of the applied patches using the command below:

kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-1062.18.1.el7
time: 2020-04-13 12:43:41



kpatch-name: 3.10.0/symlink-protection-ge-862.patch
kpatch-description: symlink protection
kpatch-kernel: kernel-3.10.0-514.el7
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7

kpatch-name: 3.10.0/symlink-protection-ge-862.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-3.10.0-514.el7
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7
