To enable the symlink protection, perform the following steps:
First, install KernelCare client:
curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bashEnable free patch type, this patch type doesn't require a license
kcarectl --set-patch-type free --updateThe ‘free’ patch will be applied on the next update.
. . .
During the installation, you should see something similar to:
OS: CentOS6
kernel: kernel-2.6.32-696.el6
time: 2017-06-22 16:13:40uname: 2.6.32-642.15.1.el6
kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection // If you see this patch, it mean that you can enable symlink protection.
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/
kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-2.6.32-279.2.1.el6kpatch-cve: N/A
kpatch-cvss: N/Akpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/
Edit the file /etc/sysconfig/kcare/sysctl.conf add the lines:
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99
Execute:
sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99
Make sure to set the correct gid=? To your particular apache set up
Note: On standard RPM Apache installation, Apache is usually running under GID 48. On cPanel servers, Apache is running under user nobody, GID 99.
Note2: On Directadmin Servers Apache is usually running under GID 499-1003
To find your GID
grep nobody /etc/group
orgrep apache /etc/group
Depending on how apache was installed