Symlink protection and cPanel

CageFS is very effective at stopping most information disclosure attacks, in which an attacker reads sensitive files such as /etc/passwd.

However, CageFS does not cover every situation. For example, on cPanel servers it is not enabled for the WebDAV server, the cPanel file manager or webmail, and some FTP servers do not chroot properly.

This allows an attacker to create a symlink or hardlink to a sensitive file such as /etc/passwd and then use WebDAV, the file manager or webmail to read the content of that file.

Starting with CL6 kernel version 2.6.32-604.16.2.lve1.3.45, you can prevent such attacks by stopping users from creating symlinks and hardlinks to files that they do not own.

This is done by setting the following kernel options to 1:

fs.protected_symlinks_create = 1

fs.protected_hardlinks_create = 1

However, we do not recommend using the protected_symlinks_create option on cPanel servers, as it might break some cPanel functionality. We recommend setting it to 0:

fs.protected_symlinks_create = 0

Please note that this is a temporary measure. We are not abandoning this protection completely; we are working on a new symlink protection feature that will work as a blacklist, which should be released later in Q2 or early in Q3.

To adjust the settings manually, edit:


Change the line:

fs.protected_symlinks_create = 1

to:

fs.protected_symlinks_create = 0

and execute (as root):

$ sysctl -p
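The following script is an added example, not part of the original page or of CloudLinux's own tooling. After running sysctl -p it reports the live state of the two CloudLinux knobs described above (and, for comparison, the upstream fs.protected_symlinks / fs.protected_hardlinks knobs present on most Linux kernels), and it prints the sysctl lines this page recommends for cPanel servers (hardlinks protected, symlinks left at 0) or for a stricter setup (both at 1). The knob names come from the page; the function names and the "strict" profile label are this example's own.

```shell
#!/bin/sh
# Added example: verify the symlink/hardlink-creation protection state
# after applying sysctl settings. Not part of the CloudLinux documentation.
# The *_create knobs exist only on CL6 kernels >= 2.6.32-604.16.2.lve1.3.45;
# on other kernels they are reported as "absent".

# sysctl_state NAME -> prints the value read from /proc/sys/<name with . -> />,
# or "absent" when the running kernel does not expose (or lets us read) it.
sysctl_state() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    else
        echo absent
    fi
}

# classify VALUE -> one-word verdict for a protection knob value.
classify() {
    case "$1" in
        1)      echo enforced ;;
        0)      echo disabled ;;
        absent) echo unavailable ;;
        *)      echo unknown ;;
    esac
}

# recommended_config PROFILE -> prints the sysctl lines the page recommends.
#   cpanel : keep hardlink protection, leave symlink protection off (page advice)
#   strict : enable both (for hosts without the cPanel breakage concern)
recommended_config() {
    case "$1" in
        cpanel) printf 'fs.protected_hardlinks_create = 1\nfs.protected_symlinks_create = 0\n' ;;
        strict) printf 'fs.protected_hardlinks_create = 1\nfs.protected_symlinks_create = 1\n' ;;
        *)      echo "usage: recommended_config cpanel|strict" >&2; return 1 ;;
    esac
}

# report -> one line per knob: name, raw value, verdict.
report() {
    for knob in fs.protected_symlinks_create fs.protected_hardlinks_create \
                fs.protected_symlinks fs.protected_hardlinks; do
        v=$(sysctl_state "$knob")
        printf '%-32s %-8s %s\n' "$knob" "$v" "$(classify "$v")"
    done
}

report
echo "--- recommended for cPanel servers ---"
recommended_config cpanel
```

Run it as any user; reading /proc/sys needs no privileges, so it can be dropped into a monitoring check that alerts when fs.protected_hardlinks_create drifts from "enforced" or shows "unavailable" after a kernel change.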