The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Disable Symlink per account, it's possible?

Discussion in 'Security' started by ITGabs, Sep 24, 2014.

  1. ITGabs

    ITGabs Well-Known Member

    Joined:
    Jul 30, 2013
    Messages:
    81
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Hi,

    I have one server compiled with apache 2.2 php 5.4 and mod_fcgid, no mod_ruid2 or ITK only the checkbox about protect from symlink race.

    I was using the default Cpanel error pages so right now I am full with error like

    Code:
    Caught race condition abuser. attacker: 962, victim: 0 open file owner: 0, open file: /usr/local/cpanel/htdocs/404.shtml
    
    Now I disabled the CSF module that block symlink race

    But What should be the best to do?

    Can I add some configuration in /usr/local/cpanel/htdocs/ (like chmod own) that make it possible to read from wherever account?

    Can I disable the symlink verification for some accounts than need to read other users data?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Per our documentation:

    If you enable both of the SymLinksIfOwnerMatch and FollowSymLinks configuration settings, Apache becomes vulnerable to a race condition through symlinks. This symlink vulnerability allows a malicious user to serve files from anywhere on a server that strict OS-level permissions do not protect.

    Thus, it's not really advised to allow it on any account. The following document should be helpful:

    Symlink Race Condition Protection

    I suggest using one of the patches labeled "RECOMMENDED" and then checking to see if the issue persists.

    Thank you.
     
  3. ITGabs

    ITGabs Well-Known Member

    Joined:
    Jul 30, 2013
    Messages:
    81
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    The "RECOMMENDED" options are just two

    mod_ruid + jailshell -> not compatible with mod_fcgid
    cagefs -> not possible in centos

    I understand how symlink race condition works and I know how to test if a server is vulnerable,

    What I don't know is what these options do to the configuration of Easy Apache

    In the "Exhaustive Options List"
    Under "first-section Apache Built-in Modules"

    Code:
    [ ] Fileprotect
    Prevent Users from reading other webroots 
    
    [ ] Symlink Race Condition Protection 
    And under
    PHP 5.5.17 (Be sure to "harden" your PHP since PHP has many security issues)

    Code:
    [ ] Safe PHP CGI
    prevents users from overriding system php.ini
    In the last build I just checked the "Symlink Race Condition Protection" and I have no idea what patch was used the same with the other options that are quite important to add more security.

    What I am doing to add security are a set of permissions (that probably only will work with php running with mod_fcgid), php.ini per user with disable functions and basedir restrictions and some other restrictions in the vhost configuration of apache. and no ssh of course

    Maybe if you can answer about that three options I can find the way to disable or enable that patches by account.

    Thanks!
     
    #3 ITGabs, Sep 26, 2014
    Last edited: Sep 26, 2014
  4. ITGabs

    ITGabs Well-Known Member

    Joined:
    Jul 30, 2013
    Messages:
    81
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    I found the info in the same page

    "Symlink Race Condition Protection" = Bluehost.com-provided patch
     
Loading...

Share This Page