Link Traversal Protection


CageFS is extremely effective at stopping most information disclosure attacks, in which an attacker reads sensitive files such as /etc/passwd.


Yet CageFS does not cover every situation. For example, on cPanel servers it is not enabled in the WebDAV server, the cPanel File Manager, or webmail, and some FTP servers do not chroot properly.


This allows an attacker to create a symlink or hardlink to a sensitive file such as /etc/passwd and then read the content of that file through WebDAV, File Manager, or webmail.


Starting with CL6 kernel 2.6.32-604.16.2.lve1.3.45, you can prevent such attacks by preventing users from creating symlinks and hardlinks to files that they don’t own.


This is done by setting the following kernel options to 1:


fs.protected_symlinks_create = 1

fs.protected_hardlinks_create = 1


This will prevent users from creating symlinks and hardlinks to files they don’t own.


For the cases where you still need users to be able to create symlinks and hardlinks to files not owned by them, set the group ID of those files to the group ‘linksafe’ (create that group if it doesn’t exist yet).


Then set:


fs.protected_symlinks_allow_gid = id_of_group_linksafe

fs.protected_hardlinks_allow_gid = id_of_group_linksafe


This is needed, for example, for PHP Selector to work (new versions of Alt-PHP already configure those settings correctly).


To manually adjust the settings, edit:




and execute:


$ sysctl -p
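The following POSIX shell script is an added example, not part of the CloudLinux documentation. It turns the procedure above into two reusable functions: one renders the four kernel options for a given ‘linksafe’ GID in sysctl.conf syntax, the other audits a sysctl dump or configuration fragment and reports whether both *_create options are set to 1. The GID 1005 and the path /etc/sysctl.d/90-securelinks.conf are assumed sample values chosen for the example.

```shell
#!/bin/sh
# Added example, not from the CloudLinux documentation. Renders the SecureLinks
# sysctl settings for a given allow-GID and audits an existing sysctl dump.
# Assumptions: the group name "linksafe" follows the page's convention; the GID
# 1005 used below is a constructed sample value.

# Look up the numeric GID of a group (default: linksafe) via getent.
# Returns non-zero (and prints nothing) if the group does not exist yet.
linksafe_gid() {
    getent group "${1:-linksafe}" | cut -d: -f3 | grep -E '^[0-9]+$'
}

# Print the four kernel options in sysctl.conf syntax for the given allow-GID.
render_securelinks_conf() {
    gid="$1"
    case "$gid" in
        ''|*[!0-9]*) echo "render_securelinks_conf: numeric GID required" >&2; return 1 ;;
    esac
    printf 'fs.protected_symlinks_create = 1\n'
    printf 'fs.protected_hardlinks_create = 1\n'
    printf 'fs.protected_symlinks_allow_gid = %s\n' "$gid"
    printf 'fs.protected_hardlinks_allow_gid = %s\n' "$gid"
}

# Read "key = value" lines from stdin (a sysctl.conf fragment or the output of
# `sysctl -a`) and return 0 only if both *_create options are set to 1.
# Each option that is absent or not 1 is reported on stderr.
audit_securelinks() {
    input=$(cat)
    failed=0
    for key in fs.protected_symlinks_create fs.protected_hardlinks_create; do
        # Escape the dots so sed matches the key literally.
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')
        val=$(printf '%s\n' "$input" \
              | sed -n "s/^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" \
              | head -n 1)
        if [ "$val" != "1" ]; then
            echo "audit_securelinks: $key is '${val:-unset}', expected 1" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Usage on a real server (as root; the sysctl.d path is an assumed example):
#   getent group linksafe >/dev/null || groupadd linksafe
#   render_securelinks_conf "$(linksafe_gid)" > /etc/sysctl.d/90-securelinks.conf
#   sysctl -p /etc/sysctl.d/90-securelinks.conf
#   sysctl -a 2>/dev/null | audit_securelinks
# Constructed demonstration that needs no privileges:
render_securelinks_conf 1005 | audit_securelinks && echo "SecureLinks settings present"
```

Piping `sysctl -a` into `audit_securelinks` is a quick way to confirm on a running CloudLinux 6 server that the protection did not get lost after a kernel or configuration change; a non-zero exit status names the option that is missing or disabled.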