cPKernel Symlink Protection

Discussion in 'Security' started by anton_latvia, Sep 28, 2016.

  1. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    Joined:
    May 11, 2004
    Messages:
    348
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Latvia
    cPanel Access Level:
    Root Administrator
    We have installed the latest kernel provided by cPanel on our development server, but as far as I can see, the simulated symlink through .htaccess still works just fine. :-(
     
  2. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    #2 ThinIce, Sep 29, 2016
    Last edited by a moderator: Sep 30, 2016
  3. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    OK.. I haven't set anything in sysctl. Which values should be set there? Could you please share for the benefit of others? :)
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you also let us know the specific steps you are taking to reproduce the issue?

    Thanks.
     
  5. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    Sure.
    Our test server runs CentOS 6, WHM-EDGE version (development license), EasyApache 4 (mod_itk, mod_fcgi).
    I have added the cPanel kernel repository and installed the kernel from there, then rebooted.

    Then I created a folder inside the test account and put a small .htaccess file in there:

    Code:
    Options all
    DirectoryIndex Sux.html
    AddType textplain .php
    AddType textplain .conf
    AddType textplain .sql
    AddType textplain .log
    AddHandler server-parsed .php
    AddHandler txt .html
    and created a symlink to the root catalog:

    Code:
    ln -s / root
    When browsing our test-domain/subfolder/root/, I get a list of folders from our root and can browse other subfolders and view files.

    Even if I disable "Option Indexes" in the Apache configuration, this still works fine and it is possible to browse quite a lot of folders.

    The only workaround we have found so far that actually works is to add the following rules to the global pre-virtual host include file:

    Code:
    <Directory "/">
      Options ExecCGI IncludesNOEXEC SymLinksIfOwnerMatch
      AllowOverride AuthConfig FileInfo Limit Indexes
    </Directory>
    This will give a "500 Internal server error" status, but not due to security or the patch: this override does not allow Option-overriding through .htaccess files. Basically this gives a little headache to customers, since they can't have "Options ....." in any of their .htaccess files and we have to override various stuff manually through custom includes. But we consider this better than letting hackers browse through our files and folders. I was just hoping that the kernel patch would detect and fix it somehow... :)

    P.S. There's a new kernel for CentOS, and yum will pick up the kernel from CentOS rather than from the cPanel repo.

    P.S.: I wonder if some extra configuration is needed for the cPanel kernel to do the job? And I wonder what exactly it will do... :)
     
    #5 anton_latvia, Oct 6, 2016
    Last edited: Oct 6, 2016
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Thank you for taking the time to provide us with the additional information. Could you also post the output from some additional commands?

    Code:
    uname -r
    sysctl -a |grep symlink
    id nobody
    /usr/local/cpanel/bin/rebuild_phpconf --current
    sysctl -p
    The "fs.symlinkown_gid" value should match the GID associated with the nobody user on the system (99 by default on cPanel servers). With "fs.enforce_symlinksifowner" set to 1, and "fs.symlinkown_gid" set to 99, attempts by cPanel users to follow symbolic links should fail if they are owned by that cPanel user, but point to a file owned by another cPanel user.

    Thank you.
     
  7. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    Code:
    
    [root@dev ~]# uname -r
    2.6.32-642.6.199.cpanel6.x86_64
    
    [root@dev ~]# sysctl -a | grep symlink
    fs.enforce_symlinksifowner = 1
    fs.symlinkown_gid = 99
    
    [root@dev ~]# id nobody
    uid=99(nobody) gid=99(nobody) groups=99(nobody)
    
    [root@dev ~]# /usr/local/cpanel/bin/rebuild_phpconf --current
    DEFAULT PHP: ea-php56
    ea-php54 SAPI: cgi
    ea-php55 SAPI: cgi
    ea-php56 SAPI: cgi
    ea-php70 SAPI: cgi
    
    [root@dev ~]# sysctl -p
    net.ipv4.ip_forward = 0
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.default.accept_source_route = 0
    kernel.sysrq = 0
    kernel.core_uses_pid = 1
    net.ipv4.tcp_syncookies = 1
    kernel.msgmnb = 65536
    kernel.msgmax = 65536
    kernel.shmmax = 68719476736
    kernel.shmall = 4294967296
    fs.symlinkown_gid = 99
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I've not been able to reproduce this behavior when creating this symbolic link while logged in as the account username. Are you creating this symbolic link via SSH as the individual account username or as the "root" user?

    Thank you.
     
  9. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    Yes, I created the symlink as "root".. I guess that explains it?
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Yes, for instance, if fs.enforce_symlinksifowner is set to 1, and fs.symlinkown_gid is set to 99, then processes with GID 99 (Apache) will not be able to follow symlinks if they are owned by user1, but point to a file owned by user2.

    Thank you.
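
The ownership rule described in the replies above, written out as an added shell example (not part of the thread and not cPanel's code). It models only what the thread states: with fs.enforce_symlinksifowner = 1, a process whose GID equals fs.symlinkown_gid is refused when the link's owner differs from the target's owner. GNU stat is assumed, and the UIDs 1001 and 1002 are constructed.

```bash
# Added example: models the rule exactly as stated in the thread, nothing more.
# Only fs.enforce_symlinksifowner = 1 is modelled; any other value counts as "off".

# get_setting KEY: reads `sysctl -a` style text on stdin, prints the last value of KEY.
get_setting() {
  awk -F' *= *' -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# decide LINK_UID TARGET_UID PROC_GID ENFORCE SYMLINKOWN_GID -> "deny" or "follow"
decide() {
  if [ "$4" = 1 ] && [ "$3" = "$5" ] && [ "$1" != "$2" ]; then
    echo deny
  else
    echo follow
  fi
}

# audit_links DIR PROC_GID ENFORCE SYMLINKOWN_GID
# One line per symlink under DIR: verdict, link owner, target owner, path.
audit_links() {
  find "$1" -type l | while IFS= read -r link; do
    l_uid=$(stat -c %u "$link")                          # owner of the link itself
    if t_uid=$(stat -L -c %u "$link" 2>/dev/null); then  # owner of what it points to
      verdict=$(decide "$l_uid" "$t_uid" "$2" "$3" "$4")
    else
      t_uid=-; verdict=dangling
    fi
    printf '%s link_uid=%s target_uid=%s %s\n' "$verdict" "$l_uid" "$t_uid" "$link"
  done
}

# Constructed input: the two symlink settings as they appear in the thread's sysctl output.
SAMPLE='fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99'
ENFORCE=$(printf '%s\n' "$SAMPLE" | get_setting fs.enforce_symlinksifowner)
OWN_GID=$(printf '%s\n' "$SAMPLE" | get_setting fs.symlinkown_gid)

decide 0 0 99 "$ENFORCE" "$OWN_GID"        # root-made link to a root-owned path
decide 1001 1002 99 "$ENFORCE" "$OWN_GID"  # user1's link to user2's file
```

On a live server the same audit can be fed real values, for example `audit_links /home 99 "$(sysctl -n fs.enforce_symlinksifowner)" "$(sysctl -n fs.symlinkown_gid)"`; root-owned links pointing at root-owned paths show up as `follow`, which is the case reproduced in this thread.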
     