CloudLinux OS Blog

Symlink protection and cPanel


CageFS is extremely powerful at stopping most information disclosure attacks, where a hacker could read sensitive files like /etc/passwd.

Yet CageFS does not work in every situation. For example, on cPanel servers it is not enabled in the WebDAV server, the cPanel file manager and webmail, and some FTP servers do not implement proper chrooting.

This allows an attacker to create a symlink or hardlink to a sensitive file like /etc/passwd and then use WebDAV, the file manager, or webmail to read the content of that file.

Starting with CL6 kernel version 2.6.32-604.16.2.lve1.3.45, you can prevent such attacks by preventing a user from creating symlinks and hardlinks to the files that they do not own.

This is done by setting the following kernel options to 1:

fs.protected_symlinks_create = 1

fs.protected_hardlinks_create = 1

However, we do not recommend using the protected_symlinks option for cPanel users, as it might break some cPanel functionality. We recommend setting it to 0:

fs.protected_symlinks_create = 0

Please note that this is a temporary measure. We are not abandoning this protection completely, but working on a new symlink protection feature that will work as a blacklist, which must be out later in Q2 or early in Q3.

To adjust the settings manually, edit:

/etc/sysctl.conf

Change the fs.protected_symlinks_create line to:

fs.protected_symlinks_create = 0

and execute:

$ sysctl -p
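
An added example (not from the original post or from CloudLinux): a shell check that compares both the value saved in a sysctl.conf-style file and the value in the running kernel against the cPanel settings recommended above, which catches an edit that was never applied with sysctl -p. The function names, the OK/NOT_APPLIED/MISMATCH labels and the optional proc-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not CloudLinux code. Names and labels are assumptions.
# Values the post recommends on a cPanel server.
WANT="fs.protected_symlinks_create=0 fs.protected_hardlinks_create=1"

# conf_value FILE KEY: effective value of KEY in a sysctl.conf-style file.
# Comment lines (# or ;) are skipped, spaces around '=' are ignored, and the
# last assignment wins, because sysctl -p applies the lines in order.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_links CONF [PROC_ROOT]: one report line per key; returns 1 if any
# key is not at the wanted value both in the file and in the running kernel.
audit_links() {
    conf=$1; proc=${2:-/proc/sys}; rc=0
    for pair in $WANT; do
        key=${pair%%=*}; want=${pair#*=}
        saved=$(conf_value "$conf" "$key")
        # fs.protected_symlinks_create -> $proc/fs/protected_symlinks_create
        path="$proc/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then live=$(cat "$path"); else live=absent; fi
        if [ "$saved" != "$want" ]; then state=MISMATCH; rc=1
        elif [ "$live" != "$want" ]; then state=NOT_APPLIED; rc=1
        else state=OK; fi
        echo "$state $key want=$want conf=${saved:-unset} live=$live"
    done
    return $rc
}
```

Call it as audit_links /etc/sysctl.conf; live=absent means the running kernel does not expose that option.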


Comments (7)

by Guest - Ryan Smith / Tuesday, 25 April 2017 19:50

What cPanel functionality might symlink protection break?

I've had this enabled for a long time and only found cPanel transfers to be problematic, but disabling it beforehand and re-enabling after did the trick.

Are there any other problems to be aware of?

by Mykola Naugolnyi / Wednesday, 26 April 2017 06:52

Hi Ryan,

It affected lsapi functionality (basically, all PHP websites where lsapi has been enabled) and account transfers.

If you did not face issues previously you can leave it enabled.

by Guest - Ryan Smith / Wednesday, 26 April 2017 14:01

What issues occur with lsapi? We either use LiteSpeed or Apache + mod_lsapi across our servers and only encountered issues when transferring accounts. Just want to make sure there's not a problem we've been overlooking.

by Mykola Naugolnyi / Wednesday, 26 April 2017 14:16

Please address your question to our support on the link https://www.cloudlinux.com/support to get a more detailed answer.

by Bogdan / Wednesday, 26 April 2017 17:44

Actually, issues with lsapi were noted only on CloudLinux 7 and when /proc/sys/fs/global_root_enable was set to 1. By default it is 0 and should not cause any problems.

by Guest - Morris / Wednesday, 26 April 2017 11:33

We also have had these settings on all servers for a long time now:
fs.protected_symlinks_create = 1
fs.protected_hardlinks_create = 1

We have not had any issues with lsphp/account transfers or anything else on our 60+ servers.

I'm not quite sure what you really mean by this post at all?

by Mykola Naugolnyi / Wednesday, 26 April 2017 14:16

Please address your question to our support on the link https://www.cloudlinux.com/support to get a more detailed answer.

