How to Prevent Creating Symbolic Links for non root users?

[rajguru]

How to prevent following on the server.

Server got hacked by creating symlink under non root user.

Example: Once you cd 1.txt then you will get full access to /

1.txt -> //

Please advise.

[lbeachmike]

Looks like this must be the latest and greatest hack out there because I just encountered the identical issue with one of my own server. I've been hard-pressed to find anything documented of how to prevent against this.

Any advice would be much appreciated.

Thanks.

[rajguru]

Hi lbeachmike,

We can disable it in httpd.conf but hacker is enabling it under .htaccess as follows. So we can not disable it in Apache configuration. Also chmoded 700 to ln.
-----------
Options +FollowSymLinks
-----------

Please advise us.

[cPanelTristan]

How precisely did you disable it in httpd.conf file? If you uncheck FollowSymLinks in WHM > Apache Configuration > Global Configuration area and save that setting, then you should have httpd.conf change to the following:

Code:

<Directory "/">
    Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
    AllowOverride All
</Directory>

<Directory "/usr/local/apache/htdocs">
    Options Includes Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

</Directory>

The setting for <Directory "/"> should not be able to be overrode by any user's .htaccess file.

[IBZ]

How precisely did you disable it in httpd.conf file? If you uncheck FollowSymLinks in WHM > Apache Configuration > Global Configuration area and save that setting, then you should have httpd.conf change to the following:

Code:

<Directory "/">
    Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
    AllowOverride All
</Directory>

<Directory "/usr/local/apache/htdocs">
    Options Includes Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

</Directory>

The setting for <Directory "/"> should not be able to be overrode by any user's .htaccess file.

FollowSymLinks still can be enabled by .htaccess .
Im also looking for solution for this issue .

[majidnt]

You shoud use this code on /usr/local/apache/conf/includes/pre_virtualhost_2.conf
But it's not enough to prevent USING symlinks,attackers upload 1.zip and extract it,the file contain a ready-to-use symlink

How precisely did you disable it in httpd.conf file? If you uncheck FollowSymLinks in WHM > Apache Configuration > Global Configuration area and save that setting, then you should have httpd.conf change to the following:

Code:

<Directory "/">
    Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
    AllowOverride All
</Directory>

<Directory "/usr/local/apache/htdocs">
    Options Includes Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

</Directory>

The setting for <Directory "/"> should not be able to be overrode by any user's .htaccess file.

[lbeachmike]

You shoud use this code on /usr/local/apache/conf/includes/pre_virtualhost_2.conf
But it's not enough to prevent USING symlinks,attackers upload 1.zip and extract it,the file contain a ready-to-use symlink

Excellent point - bringing my question back to -

Is there a way to ensure that a user would in no way have access to files outside of their home directory? I realize the symlink looks and feels like part of the home directory, but there certainly must be some viable solution to this otherwise any hacker can fully exploit any server with the very same recipe.

mrk

[rajguru]

Hello,

Can we set Sticky bit for / or /home so only owner can delete/modify the files like /tmp?

[KhensU]

So other than disabling FollowSymlinks all together are their any other solutions to this? We just got hit as well.

[neutro]

Got hit like this as well. how to prevent -if we disable follow symlinks any impact on web sites?

[DomineauX]

Seeing more of these attacks as well lately.

[astopy]

Wait... creating a symlink to / won't give the user write access to anything they didn't already have write access to -- symlinks don't give the user any extra privileges. What exactly is the problem here?

I'm aware of the problems of Apache following symlinks to other users' files, but as someone already pointed out all you need to do to stop that is disable FollowSymlinks, turn on SymLinksIfOwnerMatch and make sure FollowSymlinks isn't in AllowOverride. (And also be prepared to deal with all the support requests from people who try to install scripts with "Options +FollowSymlinks" in their default .htaccess files. Joomla, I'm looking at you )

[BigLebowski]

What exactly is the problem here?

It's a massive problem. It allows a hacker to browse all public_html areas on the server. All our Wordpress config files were world-readable (644) therefore the hacker could plunder any user's Wordpress install. I have worked around this by chmodding all wp-config.php files 600 (it's a SuPHP server) and am now doing Joomla, but in theory I need to chmod 600 ALL users files on the server containing any password. It's a nuisance having to do this and of course i need to cron job it so that all new sensitive files uploaded are similarly chmodded if world-readable.

[astopy]

It's a massive problem. It allows a hacker to browse all public_html areas on the server. All our Wordpress config files were world-readable (644) therefore the hacker could plunder any user's Wordpress install. I have worked around this by chmodding all wp-config.php files 600 (it's a SuPHP server) and am now doing Joomla, but in theory I need to chmod 600 ALL users files on the server containing any password. It's a nuisance having to do this and of course i need to cron job it so that all new sensitive files uploaded are similarly chmodded if world-readable.

Again, surely disabling FollowSymlinks and only allowing SymLinksIfOwnerMatch would prevent that?

[BigLebowski]

Astopy: does that interfere with any existing apps such as Joomla and Wordpress? I like the sound of "SymLinksIfOwnerMatch". We would need to disable local php.ini also, which is allowed currently.

Best
Dude