Symlink Owner Match Protection

Navigation:  Kernel Settings > SecureLinks >

Symlink Owner Match Protection

Previous pageReturn to chapter overviewNext page

fs.enforce_symlinksifowner

 

To protect against symlink attack where attacker tricks Apache web server to read some other user PHP config files, or other sensitive file, enable:

 

fs.enforce_symlinksifowner=1.

 

Setting this option will deny any process running under gid fs.symlinkown_gid to follow the symlink if owner of the link doesn’t match the owner of the target file.

 

Defaults:

 

fs.enforce_symlinksifowner = 1

fs.symlinkown_gid = 48

 

fs.enforce_symlinksifowner = 0

do not check symlink ownership

fs.enforce_symlinksifowner = 1

deny if symlink ownership doesn’t match target, and process gid matches symlinkown_gid

When fs.enforce_symlinksifowner set to 1, processes with GID 48 will not be able to follow symlinks if they are owned by user1, but point to file owned user2.

 

Please, note that fs.enforce_symlinksifowner = 2 is deprecated and can cause issues for the system operation.

 

fs.symlinkown_gid

 

On standard RPM Apache installation, Apache is usually running under GID 48.

On cPanel servers, Apache is running under user nobody, GID 99.

 

To change GID of processes that cannot follow symlink, edit the file /etc/sysctl.conf, add the line:

 

fs.symlinkown_gid = XX

 

And execute:

 

$ sysctl -p

 

To disable symlink owner match protection feature, set fs.enforce_symlinksifowner = 0 in /etc/sysctl.conf, and execute

 

$ sysctl -p

 

/proc/sys/fs/global_root_enable [CloudLinux 7 kernel only] [applicable for kernels 3.10.0-427.36.1.lve1.4.42+]

 

/proc/sys/fs/global_root_enable flag enables following the symlink with root ownership. If global_root_enable=0, then Symlink Owner Match Protection does not verify the symlink owned by root.

 

For example, in the path /proc/self/fd, self is a symlink, which leads to a process directory.  The symlink owner is root. When global_root_enable=0, Symlink Owner Match Protection excludes this element from the verification. When global_root_enable=1, the verification will be performed, which could block the access to fd and cause violation of the web-site performance.

 

It is recommended to set /proc/sys/fs/global_root_enable=0 by default. If needed, set /proc/sys/fs/global_root_enable=1 to increase the level of protection.