Link Traversal Protection

CageFS is extremely powerful at stopping most information disclosure attacks, where a hacker could read sensitive files like /etc/passwd.

CageFS does not cover every situation, however. On cPanel servers, for example, it is not enabled for the WebDAV server, the cPanel file manager or webmail, and some FTP servers do not chroot properly.

This allows an attacker to create a symlink or hardlink to a sensitive file like /etc/passwd and then use WebDAV, the file manager or webmail to read the content of that file.

Starting with the CL6 kernel 2.6.32-604.16.2.lve1.3.45, you can prevent such attacks by preventing users from creating symlinks and hardlinks to files they do not own.

This is done by setting the following kernel options to 1:

fs.protected_symlinks_create = 1
fs.protected_hardlinks_create = 1

However, we do not recommend using the protected_symlinks option for cPanel users, as it might break some cPanel functionality.

Please note that this is a temporary measure. We are not abandoning this protection completely, but are working on a new symlink protection feature that will work as a blacklist and should be out later in Q2 or early in Q3.

Then set up:

fs.protected_symlinks_allow_gid = id_of_group_linksafe
fs.protected_hardlinks_allow_gid = id_of_group_linksafe

This is needed, for example, for PHP Selector to work (new versions of Alt-PHP already configure these settings correctly).

To adjust the settings manually, edit:

/etc/sysctl.conf

and execute:

$ sysctl -p
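As an added example that is not part of the CloudLinux documentation, the following POSIX shell script renders the four settings above into a sysctl fragment, resolves the allow group's GID from an /etc/group-style file (so an empty allow_gid is never written), and checks a `sysctl` "key = value" dump to confirm that both *_create protections are active. The group name linksafe and the GID 1005 in the constructed sample are assumptions; the script runs without root and never touches the live kernel settings.

```sh
#!/bin/sh
# Added example, not from the CloudLinux documentation.
# Assumptions: the allow group is named "linksafe"; gid 1005 in the sample
# /etc/group content below is a constructed placeholder.

# Emit the four sysctl lines from the page for a given allow-group gid ($1),
# e.g. to be appended to /etc/sysctl.conf before running `sysctl -p`.
render_linksafe_sysctl() {
    gid="$1"
    printf 'fs.protected_symlinks_create = 1\n'
    printf 'fs.protected_hardlinks_create = 1\n'
    printf 'fs.protected_symlinks_allow_gid = %s\n' "$gid"
    printf 'fs.protected_hardlinks_allow_gid = %s\n' "$gid"
}

# Resolve a group name ($1) to its numeric gid from an /etc/group-style file
# ($2, default /etc/group). Exits non-zero if the group does not exist, so the
# caller never writes an empty allow_gid into the config.
gid_of_group() {
    name="$1"
    file="${2:-/etc/group}"
    awk -F: -v g="$name" '$1 == g { print $3; found = 1 } END { exit !found }' "$file"
}

# Read "key = value" lines on stdin (the format printed by
# `sysctl fs.protected_symlinks_create fs.protected_hardlinks_create`) and
# succeed only when both *_create knobs are set to 1.
links_protected() {
    awk -F'[ =]+' '
        $1 == "fs.protected_symlinks_create"  { s = $2 }
        $1 == "fs.protected_hardlinks_create" { h = $2 }
        END { exit !(s == 1 && h == 1) }'
}

# Stand-alone demonstration with constructed input (no root, no real sysctl).
demo() {
    group_file=$(mktemp)
    printf 'root:x:0:\nlinksafe:x:1005:\n' > "$group_file"   # constructed sample
    gid=$(gid_of_group linksafe "$group_file") || { echo "no linksafe group" >&2; return 1; }
    echo "# generated sysctl fragment:"
    render_linksafe_sysctl "$gid"
    # A dump with both protections on passes; one with symlinks off fails.
    printf 'fs.protected_symlinks_create = 1\nfs.protected_hardlinks_create = 1\n' | links_protected \
        && echo "check: protections active"
    printf 'fs.protected_symlinks_create = 0\nfs.protected_hardlinks_create = 1\n' | links_protected \
        || echo "check: symlink protection OFF"
    rm -f "$group_file"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh linksafe_check.sh demo` to see the generated fragment and both check outcomes. On a real host the check function would be fed the output of `sysctl fs.protected_symlinks_create fs.protected_hardlinks_create` after `sysctl -p`, which is a simple way to verify that the new values were actually loaded rather than only written to the file.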