Link Traversal Protection


CageFS is very effective at stopping most information disclosure attacks, in which an attacker reads sensitive files such as /etc/passwd.


CageFS does not cover every situation, however. On cPanel servers, for example, it is not enabled for the WebDAV server, the cPanel File Manager, or webmail, and some FTP servers do not chroot their sessions properly.


This lets an attacker create a symlink or hardlink to a sensitive file such as /etc/passwd inside their own directory and then read the contents of that file through WebDAV, File Manager, or webmail, which run outside CageFS.


Starting with the CL6 kernel 2.6.32-604.16.2.lve1.3.45, you can prevent such attacks by stopping users from creating symlinks and hardlinks to files that they do not own.


This is done by setting the following kernel options to 1:


fs.protected_symlinks_create = 1

fs.protected_hardlinks_create = 1


However, we do not recommend enabling the protected_symlinks option for cPanel users, as it might break some cPanel functionality.


Please note that Link Traversal Protection is disabled by default on new CloudLinux OS installations and conversions, i.e. the settings are:


fs.protected_symlinks_create = 0

fs.protected_hardlinks_create = 0


To enable it, set both *_create options to 1 as shown above and then set the exemption group, whose members remain allowed to create links to files they do not own:


fs.protected_symlinks_allow_gid = id_of_group_linksafe

fs.protected_hardlinks_allow_gid = id_of_group_linksafe


This exemption is needed, for example, for PHP Selector to work (recent versions of Alt-PHP configure these settings correctly on their own).


To manually adjust the settings, edit the sysctl configuration file that the command below loads, /etc/sysctl.d/cloudlinux-linksafe.conf, and then apply it with:


sysctl -p /etc/sysctl.d/cloudlinux-linksafe.conf


or reload all sysctl configuration files with:


sysctl --system
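The following script is an added example, not code from the CloudLinux page or from CloudLinux's own tooling. It audits the procedure above end to end: it parses the sysctl file for the four keys, compares them with what the running kernel actually enforces (via /proc/sys), generates a config fragment with the group name resolved to a numeric gid so that an empty allow_gid is never written, and, when run as an unprivileged account, probes whether the kernel still lets that user link to a file it does not own. The file path /etc/sysctl.d/cloudlinux-linksafe.conf is taken from the page; the group name "linksafe" and the LINKSAFE_CONF / LINKSAFE_GROUP overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the CloudLinux page or CloudLinux's own tooling):
# audit and probe Link Traversal Protection on a server.
# Assumptions, both hypothetical: the settings live in
# /etc/sysctl.d/cloudlinux-linksafe.conf and the exemption group is named
# "linksafe"; override with LINKSAFE_CONF / LINKSAFE_GROUP if yours differ.

CONF="${LINKSAFE_CONF:-/etc/sysctl.d/cloudlinux-linksafe.conf}"
GROUP="${LINKSAFE_GROUP:-linksafe}"

# Value of one key in a sysctl.d-style file: comments stripped, last
# assignment wins. Prints nothing when the key is not set in the file.
conf_value() {
    # $1 = file, $2 = key, e.g. fs.protected_symlinks_create
    sed -n -e 's/#.*//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Value the running kernel actually enforces (from /proc/sys), or "absent"
# on kernels without the CloudLinux *_create patch, e.g. a stock kernel.
live_value() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Audit a config file. Prints one line per link type and returns 0 only when
# both *_create keys are 1 and both *_allow_gid keys carry a numeric gid
# (protection on, and an exemption group so PHP Selector keeps working).
audit_conf() {
    file="$1"
    rc=0
    for link in symlinks hardlinks; do
        create=$(conf_value "$file" "fs.protected_${link}_create")
        gid=$(conf_value "$file" "fs.protected_${link}_allow_gid")
        case "$create" in
            1) cstate=enforced ;;
            *) cstate=disabled; rc=1 ;;
        esac
        case "$gid" in
            ''|*[!0-9]*) gstate="no exemption gid"; rc=1 ;;
            *)           gstate="exempt gid $gid" ;;
        esac
        printf '%s: %s, %s\n' "$link" "$cstate" "$gstate"
    done
    return $rc
}

# Print a config fragment with GROUP resolved to its numeric gid. Pass
# "hardlinks" as $1 to emit only the hardlink keys (the symlink option is not
# recommended on cPanel). Returns 2 if the group is missing, so an empty gid
# is never written into the file.
recommended_conf() {
    gid=$(getent group "$GROUP" 2>/dev/null | cut -d: -f3)
    [ -n "$gid" ] || { echo "group $GROUP not found; create it first" >&2; return 2; }
    if [ "${1:-}" != hardlinks ]; then
        printf 'fs.protected_symlinks_create = 1\nfs.protected_symlinks_allow_gid = %s\n' "$gid"
    fi
    printf 'fs.protected_hardlinks_create = 1\nfs.protected_hardlinks_allow_gid = %s\n' "$gid"
}

# Live probe: try to link to a file this account does not own. Run it as an
# unprivileged user; returns 0 only if the kernel refused both link types.
# $2 should be a writable directory on the same filesystem as $1, otherwise
# the hardlink fails with EXDEV and looks "refused" for the wrong reason.
probe_links() {
    target="${1:-/etc/passwd}"
    dir=$(mktemp -d "${2:-/tmp}/linksafe.XXXXXX") || return 2
    rc=0
    if ln -s "$target" "$dir/sym" 2>/dev/null; then
        echo "symlink to $target: ALLOWED"; rc=1
    else
        echo "symlink to $target: refused"
    fi
    if ln "$target" "$dir/hard" 2>/dev/null; then
        echo "hardlink to $target: ALLOWED"; rc=1
    else
        echo "hardlink to $target: refused"
    fi
    rm -rf "$dir"
    return $rc
}

# When run directly: compare the file against what the kernel enforces.
if [ -f "$CONF" ]; then
    audit_conf "$CONF" || echo "$CONF does not enable full protection"
fi
for k in fs.protected_symlinks_create fs.protected_hardlinks_create; do
    echo "$k (live): $(live_value "$k")"
done
```

Run it as root to compare the file with the live kernel values; a key that reads 1 in the file but 0 or "absent" live means sysctl -p was never applied or the kernel lacks the feature. To confirm the protection from the attacker's side, source the script as a customer account (for example `su -s /bin/sh username -c '. ./linksafe.sh; probe_links'`) and expect both link attempts to be refused. On a cPanel server, `recommended_conf hardlinks` produces the hardlink-only fragment that matches the caveat above.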