CloudLinux - CloudLinux Blog - Symlink protection and cPanel
CloudLinux OS Blog

Symlink protection and cPanel

Symlink protection and cPanel

CageFS is extremely powerful at stopping most information disclosure attacks, where a hacker could read sensitive files like /etc/passwd.

Yet, CageFS does not work in each and every situation. For example, on cPanel servers, it is not enabled in WebDAV server, cPanel file manager and webmail, as well as some FTP servers don’t include proper change rooting.

This allows attacker to create symlink or hardlink to a sensitive file like /etc/passwd and then use WebDAV, file manager, or webmail to read the content of that file.

Starting with CL6 kernel version 2.6.32-604.16.2.lve1.3.45, you can prevent such attacks by preventing a user from creating symlinks and hardlinks to the files that they do not own.

This is done by setting the following kernel options to 1:

fs.protected_symlinks_create = 1

fs.protected_hardlinks_create = 1

However, we do not recommend to use protected_symlinks option for cPanel users as it might break some of the cPanel functionality. We recommend to set it to 0:

fs.protected_symlinks_create = 0

Please note that this is a temporary measure. We are not abandoning this protection completely, but working on a new symlink protection feature that will work as a blacklist, which must be out later in Q2 or early in Q3.

To manually adjust the settings edit:

/etc/sysctl.conf

Change line: to:

fs.protected_symlinks_create = 0

and execute:

$ sysctl -p
Major vulnerability: The Stack Clash security issu...
Issues caused by the latest KernelCare update and ...
 

By accepting you will be accessing a service provided by a third-party external to https://www.cloudlinux.com/