CloudLinux - CloudLinux Blog - Symlink protection and cPanel

Symlink protection and cPanel

CageFS is extremely powerful at stopping most information disclosure attacks, where a hacker could read sensitive files like /etc/passwd.

Yet CageFS does not work in each and every situation. For example, on cPanel servers it is not enabled in the WebDAV server, the cPanel file manager and webmail, and some FTP servers do not chroot properly.

This allows an attacker to create a symlink or hardlink to a sensitive file like /etc/passwd and then use WebDAV, the file manager, or webmail to read the content of that file.

Starting with CL6 kernel version 2.6.32-604.16.2.lve1.3.45, you can block such attacks by preventing users from creating symlinks and hardlinks to files that they do not own.

This is done by setting the following kernel options to 1:

fs.protected_symlinks_create = 1

fs.protected_hardlinks_create = 1

However, we do not recommend using the fs.protected_symlinks_create option for cPanel users, as it might break some cPanel functionality. We recommend setting it to 0:

fs.protected_symlinks_create = 0

Please note that this is a temporary measure. We are not abandoning this protection completely; we are working on a new symlink protection feature that will work as a blacklist, which should be out later in Q2 or early in Q3.

To adjust the settings manually, edit:

/etc/sysctl.conf

Change the fs.protected_symlinks_create line to:

fs.protected_symlinks_create = 0

and execute:

$ sysctl -p
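
While fs.protected_symlinks_create is set to 0, existing links in an account can still be checked against the ownership rule described above. The Python script below is an added example, not CloudLinux code; the name find_foreign_links, the file name audit_links.py and taking the account UID from the owner of the home directory are assumptions.

```python
import os
import stat
import sys


def find_foreign_links(root, owner_uid):
    """Return sorted (path, kind, target_uid) for links under root whose
    target is not owned by owner_uid."""
    findings = []
    # os.walk does not descend into symlinked directories by default,
    # but it still lists them in dirnames, so both lists are checked.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                link_st = os.lstat(path)
            except OSError:
                continue  # entry vanished while scanning
            if stat.S_ISLNK(link_st.st_mode):
                try:
                    target_uid = os.stat(path).st_uid  # follows the link
                except OSError:
                    continue  # dangling, looping or unreadable target
                if target_uid != owner_uid:
                    findings.append((path, "symlink", target_uid))
            elif stat.S_ISREG(link_st.st_mode) and link_st.st_nlink > 1:
                # A hardlink shares the inode, so it shows the real owner's UID.
                if link_st.st_uid != owner_uid:
                    findings.append((path, "hardlink", link_st.st_uid))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: audit_links.py HOME_DIR (hypothetical script name)
    if len(sys.argv) != 2:
        sys.exit("usage: audit_links.py HOME_DIR")
    home = sys.argv[1]
    for path, kind, uid in find_foreign_links(home, os.stat(home).st_uid):
        print(f"{kind}\t{path}\ttarget owned by uid {uid}")
```

Run it as root so that link targets outside the account can be stat'ed; a flagged symlink to a shared system file may be legitimate and needs review before removal.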