Overview

 

This document describes how to install the cPanel hardened kernel update for the Linux® kernel on CentOS 6 servers.

If you enable both of the SymLinksIfOwnerMatch and FollowSymLinks configuration settings, Apache becomes vulnerable to a race condition through symlinks. This symlink vulnerability allows a malicious user to serve files from anywhere on a server that strict OS-level permissions do not protect. The cPanel Hardened Kernel update provides Symlink Race Condition Protection.

If you need assistance, contact Technical Support.

Warnings:

  • We deprecated the cPanel-provided hardened kernel update in cPanel & WHM version 68. We strongly recommend that you use the KernelCare "Extra" Patchset from CloudLinux™. For more information about this update, contact CloudLinux.
  • The cPanel-provided kernel update will not work for OpenVZ®, Virtuozzo®, LXC, or other container-based systems.
  • This document only applies to 64-bit CentOS 6 systems.
  • cPanel & WHM does not automatically update the operating system kernel. Unattended system kernel updates may cause unplanned reboots or system failures.
  • We strongly suggest that only experienced System Administrators perform this process.
  • Do not perform these steps if you are using KernelCare™, KernelSplice or similar technologies.

Harden your system's kernel

To harden your cPanel system's kernel, log in to your server as the root user via SSH and perform the following steps:


 

Retrieve the repository from cPanel

After you log in to your server, download the signed kernel repository from the securedownloads.cpanel.net site. To do this, run the following commands:

cd /etc/yum.repos.d/  
wget https://securedownloads.cpanel.net/cPkernel/cPkernel.repo

This command returns output that resembles the following example:

2016-04-22 12:59:10 https://securedownloads.cpanel.net/cPkernel/cPkernel.repo
Resolving securedownloads.cpanel.net... 1.2.3.4
Connecting to securedownloads.cpanel.net|1.2.3.4|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 221 [text/plain]
Saving to: "cPkernel.repo"
100%[=====================================>] 1,235 --.-K/s in 0s
2016-04-22 12:59:10 (28.8 MB/s) - "cPkernel.repo" saved [1235]

  


 

Update the kernel

After you download the signed kernel repository, update the kernel on your system. To do this, run the following command:

yum -y update kernel

This command returns output that resembles the following example:

Loaded plugins: fastestmirror
Setting up Update Process
Determining fastest mirrors
epel/metalink                                            |  10 kB     00:00
 * base: repos.mia.quadranet.com
 * epel: reflector.westga.edu
 * extras: mirror.5ninesolutions.com
 * updates: mirror.us.oneandone.net
base                                                     | 3.7 kB     00:00
cPkernel                                                 | 2.9 kB     00:00 ...
cPkernel/primary_db                                      | 1.5 MB     00:01
epel                                                     | 4.3 kB     00:00
http://reflector.westga.edu/repos/Fedora-EPEL/6/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml does not match metalink for epel
Trying other mirror.
epel                                                     | 4.3 kB     00:00
epel/primary_db                                          | 5.9 MB     00:00
extras                                                   | 3.4 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 2.0 MB     00:00
Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:2.6.32-642.4.199.cpanel6 will be installed
--> Processing Dependency: kernel-firmware >= 2.6.32-642.4.199.cpanel6 for package: kernel-2.6.32-642.4.199.cpanel6.x86_64
--> Running transaction check
---> Package kernel-firmware.noarch 0:2.6.32-642.4.2.el6 will be updated
---> Package kernel-firmware.x86_64 0:2.6.32-642.4.199.cpanel6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch       Version                      Repository    Size
================================================================================
Installing:
 kernel              x86_64     2.6.32-642.4.199.cpanel6     cPkernel      32 M
Updating for dependencies:
 kernel-firmware     x86_64     2.6.32-642.4.199.cpanel6     cPkernel      28 M

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       1 Package(s)

Total download size: 60 M
Downloading Packages:
(1/2): kernel-2.6.32-642.4.199.cpanel6.x86_64.rpm        |  32 MB     00:06 ...
(2/2): kernel-firmware-2.6.32-642.4.199.cpanel6.x86_64.r |  28 MB     00:06 ...
--------------------------------------------------------------------------------
Total                                           4.8 MB/s |  60 MB     00:12
warning: rpmts_HdrFromFdno: Header V4 RSA/SHA512 Signature, key ID 7e931c7c: NOKEY
Retrieving key from https://securedownloads.cpanel.net/cPanelPublicRPMKey.asc
Importing GPG key 0c4F842D6D:
 Userid: "user@example.com"
 From  : https://securedownloads.cpanel.net/cPanelPublicRPMKey.asc
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : kernel-firmware-2.6.32-642.4.199.cpanel6.x86_64              1/3
  Installing : kernel-2.6.32-642.4.199.cpanel6.x86_64                       2/3
adding symlink protection for user: nobody
Please reboot to enable symlink protection for user: nobody
  Cleanup    : kernel-firmware-2.6.32-642.4.2.el6.noarch                    3/3
  Verifying  : kernel-2.6.32-642.4.199.cpanel6.x86_64                       1/3
  Verifying  : kernel-firmware-2.6.32-642.4.199.cpanel6.x86_64              2/3
  Verifying  : kernel-firmware-2.6.32-642.4.2.el6.noarch                    3/3

Installed:
  kernel.x86_64 0:2.6.32-642.4.199.cpanel6

Dependency Updated:
  kernel-firmware.x86_64 0:2.6.32-642.4.199.cpanel6

Complete!

 


 

 

 

Restart the server

After you update the kernel, you must restart the system to complete the kernel update. To reboot the server, run the reboot command.

This command returns output that resembles the following example:

Broadcast message from user@example.com
(/dev/pts/0) at 13:02 ...
The system is going down for reboot NOW!
bash-4.1# Connection to example.com closed by remote host.

 


 

Verify the kernel update

After you reboot your server, verify that the cPanel Hardened Kernel update succeeded. To do this, log in to the server as the root user via SSH and run the uname -r command. This command returns output that resembles the following example:

[user@example.com ~]$ uname -r
2.6.32-573.22.199.cpanel6.x86_64

If the command's output includes cpanel in the returned value, you successfully updated the kernel.
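
The script below is an added example, not part of cPanel's documentation or tooling. It wraps the steps above with checks that the page's warnings imply: refuse to proceed inside a container, require signature checking in the downloaded repository file, and confirm the running kernel after the reboot. The function names, the preflight and verify arguments, and the container heuristics are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not cPanel's code): checks around the kernel update steps.

# Succeeds only if every [section] of a yum .repo file sets gpgcheck=1.
# Stricter than yum, which falls back to [main] in /etc/yum.conf when the
# key is absent from a section.
repo_enforces_gpgcheck() {
    awk '
        { gsub(/[ \t\r]/, "") }                 # ignore whitespace around "="
        /^\[/        { if (seen && !ok) bad = 1; seen = 1; ok = 0 }
        /^gpgcheck=/ { ok = ($0 == "gpgcheck=1") }
        END          { if (bad || !seen || !ok) exit 1 }
    ' "$1"
}

# Succeeds if the host looks like an OpenVZ/Virtuozzo or LXC container.
# $1 is an optional root prefix (assumption, for testing on a fixture tree).
is_container() {
    root="${1:-}"
    # Heuristic: OpenVZ guests expose /proc/vz but not /proc/bc.
    if [ -d "$root/proc/vz" ] && [ ! -d "$root/proc/bc" ]; then return 0; fi
    # Heuristic: container managers set container=... for PID 1.
    [ -r "$root/proc/1/environ" ] &&
        tr '\0' '\n' < "$root/proc/1/environ" | grep -q '^container='
}

# Succeeds if a `uname -r` string names a cPanel kernel build.
is_hardened_kernel() {
    case "$1" in *cpanel*) return 0 ;; *) return 1 ;; esac
}

case "${1:-}" in
    preflight)  # run after wget, before `yum -y update kernel`
        is_container && { echo "container detected: do not install" >&2; exit 1; }
        repo_enforces_gpgcheck /etc/yum.repos.d/cPkernel.repo ||
            { echo "cPkernel.repo does not enforce gpgcheck" >&2; exit 1; }
        echo "preflight ok" ;;
    verify)     # run after the reboot
        is_hardened_kernel "$(uname -r)" ||
            { echo "still running $(uname -r)" >&2; exit 1; }
        echo "hardened kernel active" ;;
esac
```

Run it with the preflight argument after you download the repository file and with the verify argument after the reboot; a non-zero exit status means the check failed.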

 

