Disable Symlink per account, it's possible?

ITGabs

Well-Known Member
Jul 30, 2013
81
0
6
cPanel Access Level
Root Administrator
Hi,

I have one server compiled with apache 2.2 php 5.4 and mod_fcgid, no mod_ruid2 or ITK only the checkbox about protect from symlink race.

I was using the default Cpanel error pages so right now I am full with error like

Code:
Caught race condition abuser. attacker: 962, victim: 0 open file owner: 0, open file: /usr/local/cpanel/htdocs/404.shtml
Now I disabled the CSF module that block symlink race

But What should be the best to do?

Can I add some configuration in /usr/local/cpanel/htdocs/ (like chmod own) that make it possible to read from wherever account?

Can I disable the symlink verification for some accounts than need to read other users data?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
Hello :)

Per our documentation:

If you enable both of the SymLinksIfOwnerMatch and FollowSymLinks configuration settings, Apache becomes vulnerable to a race condition through symlinks. This symlink vulnerability allows a malicious user to serve files from anywhere on a server that strict OS-level permissions do not protect.

Thus, it's not really advised to allow it on any account. The following document should be helpful:

Symlink Race Condition Protection

I suggest using one of the patches labeled "RECOMMENDED" and then checking to see if the issue persists.

Thank you.
 

ITGabs

Well-Known Member
Jul 30, 2013
81
0
6
cPanel Access Level
Root Administrator
The "RECOMMENDED" options are just two

mod_ruid + jailshell -> not compatible with mod_fcgid
cagefs -> not possible in centos

I understand how symlink race condition works and I know how to test if a server is vulnerable,

What I don't know is what these options do to the configuration of Easy Apache

In the "Exhaustive Options List"
Under "first-section Apache Built-in Modules"

Code:
[ ] Fileprotect
Prevent Users from reading other webroots 

[ ] Symlink Race Condition Protection
And under
PHP 5.5.17 (Be sure to "harden" your PHP since PHP has many security issues)

Code:
[ ] Safe PHP CGI
prevents users from overriding system php.ini
In the last build I just checked the "Symlink Race Condition Protection" and I have no idea what patch was used the same with the other options that are quite important to add more security.

What I am doing to add security are a set of permissions (that probably only will work with php running with mod_fcgid), php.ini per user with disable functions and basedir restrictions and some other restrictions in the vhost configuration of apache. and no ssh of course

Maybe if you can answer about that three options I can find the way to disable or enable that patches by account.

Thanks!
 
Last edited:

ITGabs

Well-Known Member
Jul 30, 2013
81
0
6
cPanel Access Level
Root Administrator
I found the info in the same page

"Symlink Race Condition Protection" = Bluehost.com-provided patch