Link Traversal Protection


CageFS is extremely effective at stopping most information disclosure attacks, in which an attacker reads sensitive files such as /etc/passwd.

Yet CageFS does not cover every situation. For example, on cPanel servers it is not enabled in the WebDAV server, the cPanel File Manager, or webmail, and some FTP servers do not implement proper chrooting.

This allows an attacker to create a symlink or hardlink to a sensitive file such as /etc/passwd and then use WebDAV, File Manager, or webmail to read the contents of that file.

 

Starting with the CL6 kernel 2.6.32-604.16.2.lve1.3.45, you can prevent such attacks by preventing users from creating symlinks and hardlinks to files they don't own.

This is done by setting the following kernel options to 1:

fs.protected_symlinks_create = 1
fs.protected_hardlinks_create = 1

This prevents users from creating symlinks and hardlinks to files they don't own.

 

For cases where users still need to be able to create symlinks and hardlinks to files they don't own, set the group of those files to the group 'linksafe' (create that group if it doesn't exist yet).

Then set the following, where id_of_group_linksafe is the numeric GID of the linksafe group:

fs.protected_symlinks_allow_gid = id_of_group_linksafe
fs.protected_hardlinks_allow_gid = id_of_group_linksafe

 

This is needed, for example, for PHP Selector to work (new versions of Alt-PHP already configure these settings correctly).

To adjust the settings manually, edit:

/etc/sysctl.conf

and execute:

$ sysctl -p
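As an added example that is not part of this documentation, the following POSIX shell helpers render these four settings for a given linksafe GID and audit "key = value" output (as printed by sysctl -a or sysctl -p) to confirm both protections are enforced; group_gid assumes the linksafe group already exists, and the sample output is constructed.

```sh
#!/bin/sh
# Added example (not part of the CloudLinux documentation): render the
# link-traversal sysctl settings for a given linksafe GID and audit
# "key = value" output (as printed by `sysctl -a` or `sysctl -p`) for them.

# Print the four sysctl lines for a numeric linksafe GID.
linksafe_sysctl_conf() {
    gid="$1"
    case "$gid" in
        ''|*[!0-9]*) echo "usage: linksafe_sysctl_conf <numeric gid>" >&2; return 1 ;;
    esac
    printf 'fs.protected_symlinks_create = 1\n'
    printf 'fs.protected_hardlinks_create = 1\n'
    printf 'fs.protected_symlinks_allow_gid = %s\n' "$gid"
    printf 'fs.protected_hardlinks_allow_gid = %s\n' "$gid"
}

# Resolve a group name to its GID with getent; assumes the group exists
# (e.g. after: groupadd linksafe).
group_gid() {
    getent group "$1" | cut -d: -f3
}

# Read "key = value" lines from the file in $1 and report each *_create key
# that is missing or not 1. Returns 0 only when both protections are on.
audit_link_protection() {
    rc=0
    for key in fs.protected_symlinks_create fs.protected_hardlinks_create; do
        val=$(sed -n "s/^$key[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
        if [ "$val" != "1" ]; then
            echo "NOT ENFORCED: $key (value: '${val:-unset}')"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of sysctl output: symlink protection on, hardlink
# protection still at its default of 0.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
fs.protected_symlinks_create = 1
fs.protected_hardlinks_create = 0
fs.protected_symlinks_allow_gid = 1005
EOF
if audit_link_protection "$SAMPLE"; then
    echo "link traversal protection enforced"
fi
rm -f "$SAMPLE"
```

On a live server, run audit_link_protection against the output of sysctl -a to confirm the values actually took effect after sysctl -p.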