CageFS is extremely effective at stopping most information disclosure attacks, in which an attacker reads sensitive files such as /etc/passwd.
Yet CageFS does not work in every situation. For example, on cPanel servers it is not enabled in the WebDAV server, the cPanel file manager and webmail, and some FTP servers do not chroot properly.
This allows an attacker to create a symlink or hardlink to a sensitive file such as /etc/passwd and then use WebDAV, the file manager, or webmail to read the content of that file.
Starting with CL6 kernel 2.6.32-604.16.2.lve1.3.45, you can prevent such attacks by stopping users from creating symlinks and hardlinks to files they don't own.
This is done by setting the following kernel options to 1:
fs.protected_symlinks_create = 1
fs.protected_hardlinks_create = 1
This prevents users from creating symlinks or hardlinks to files they don't own.
For cases where users still need to be able to create symlinks and hardlinks to files they don't own, set the group ID of those files to the group 'linksafe' (create that group if it doesn't exist yet) and point the following options at that group's numeric GID:
fs.protected_symlinks_allow_gid = id_of_group_linksafe
fs.protected_hardlinks_allow_gid = id_of_group_linksafe
This is needed, for example, for PHP Selector to work (new versions of Alt-PHP already configure these settings correctly).
To adjust the settings manually, edit:
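The following shell script is an added example, not CloudLinux's own tooling. It resolves the numeric GID of the linksafe group, renders the four sysctl settings described above as a sysctl.d fragment, and checks whether the live kernel already enforces the two *_create protections. The group name 'linksafe', the output path /etc/sysctl.d/99-linksafe.conf and the function names are assumptions for illustration; the sysctl keys themselves are the ones named on this page.

```shell
#!/bin/sh
# Added example: generate and verify the CageFS symlink/hardlink protections.
# Assumptions (illustrative): group 'linksafe', file /etc/sysctl.d/99-linksafe.conf.

# Resolve the numeric GID of a group (default: linksafe); prints nothing if absent.
linksafe_gid() {
    getent group "${1:-linksafe}" | cut -d: -f3
}

# Render the sysctl fragment for a given numeric GID.
# $1 = GID allowed to create symlinks/hardlinks to files it does not own.
render_sysctl_conf() {
    gid="$1"
    printf '%s\n' \
        "fs.protected_symlinks_create = 1" \
        "fs.protected_hardlinks_create = 1" \
        "fs.protected_symlinks_allow_gid = $gid" \
        "fs.protected_hardlinks_allow_gid = $gid"
}

# Check the live kernel values under /proc/sys/fs.
# Returns 0 when both *_create knobs are 1, 1 when either is not,
# and 2 when the kernel does not expose them (pre-2.6.32-604.16.2.lve1.3.45 or non-CL kernel).
check_protection() {
    for k in protected_symlinks_create protected_hardlinks_create; do
        f="/proc/sys/fs/$k"
        [ -r "$f" ] || return 2
        [ "$(cat "$f")" = "1" ] || return 1
    done
    return 0
}

# Stand-alone usage: print the fragment for the real linksafe GID and report status.
# Apply it with: render_sysctl_conf "$gid" > /etc/sysctl.d/99-linksafe.conf && sysctl -p /etc/sysctl.d/99-linksafe.conf
main_example() {
    gid="$(linksafe_gid)"
    if [ -z "$gid" ]; then
        echo "group 'linksafe' not found; create it first (groupadd linksafe)" >&2
        gid="GID_OF_LINKSAFE"   # placeholder so the fragment still renders
    fi
    render_sysctl_conf "$gid"
    check_protection
    case $? in
        0) echo "# live kernel: symlink/hardlink creation protection is active" ;;
        1) echo "# live kernel: protection knobs present but not enabled" ;;
        *) echo "# live kernel: protection knobs not available" ;;
    esac
}
```

Run the script as root on the CL6 host after creating the group; the rendered fragment goes into sysctl.d and is loaded with sysctl -p, and the final status line tells you whether the kernel actually enforces the settings rather than merely having them written to disk.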