Disable Symlink per account, it's possible?

[ITGabs]

Hi,

I have one server compiled with apache 2.2 php 5.4 and mod_fcgid, no mod_ruid2 or ITK only the checkbox about protect from symlink race.

I was using the default Cpanel error pages so right now I am full with error like

Caught race condition abuser. attacker: 962, victim: 0 open file owner: 0, open file: /usr/local/cpanel/htdocs/404.shtml

Now I disabled the CSF module that block symlink race

But What should be the best to do?

Can I add some configuration in /usr/local/cpanel/htdocs/ (like chmod own) that make it possible to read from wherever account?

Can I disable the symlink verification for some accounts than need to read other users data?

 

[cPanelMichael]

Hello

Per our documentation:

If you enable both of the SymLinksIfOwnerMatch and FollowSymLinks configuration settings, Apache becomes vulnerable to a race condition through symlinks. This symlink vulnerability allows a malicious user to serve files from anywhere on a server that strict OS-level permissions do not protect.

Thus, it's not really advised to allow it on any account. The following document should be helpful:

Symlink Race Condition Protection

I suggest using one of the patches labeled "RECOMMENDED" and then checking to see if the issue persists.

Thank you.

 

[ITGabs]

The "RECOMMENDED" options are just two

mod_ruid + jailshell -> not compatible with mod_fcgid
cagefs -> not possible in centos

I understand how symlink race condition works and I know how to test if a server is vulnerable,

What I don't know is what these options do to the configuration of Easy Apache

In the "Exhaustive Options List"
Under "first-section Apache Built-in Modules"

[ ] Fileprotect
Prevent Users from reading other webroots 

[ ] Symlink Race Condition Protection

And under
PHP 5.5.17 (Be sure to "harden" your PHP since PHP has many security issues)

[ ] Safe PHP CGI
prevents users from overriding system php.ini

In the last build I just checked the "Symlink Race Condition Protection" and I have no idea what patch was used the same with the other options that are quite important to add more security.

What I am doing to add security are a set of permissions (that probably only will work with php running with mod_fcgid), php.ini per user with disable functions and basedir restrictions and some other restrictions in the vhost configuration of apache. and no ssh of course

Maybe if you can answer about that three options I can find the way to disable or enable that patches by account.

Thanks!

 

[ITGabs]

I found the info in the same page

"Symlink Race Condition Protection" = Bluehost.com-provided patch