The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

[IMPLEMENTED] Case 63676: Provide optional symlink protection patch

Discussion in 'Security' started by JeffP., Mar 6, 2013.

  1. JeffP.

    JeffP. Well-Known Member

    Joined:
    Sep 28, 2010
    Messages:
    164
    Likes Received:
    10
    Trophy Points:
    18
  2. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Yay! Thanks guys
     
  3. AlexisMeroni

    AlexisMeroni Active Member

    Joined:
    Feb 9, 2013
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    How i install the patch ? :s
     
  4. PenguinInternet

    PenguinInternet Well-Known Member
    PartnerNOC

    Joined:
    Jun 20, 2007
    Messages:
    149
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Cardiff, UK
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    EasyApache, Exhaustive Options, Symlink Race Condition Protection
     
  5. nospa

    nospa Well-Known Member

    Joined:
    Apr 23, 2012
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Reseller Owner
    Please explain how is it working? What is the difference between this patch and patch provided by Rack911?
     
  6. AlexisMeroni

    AlexisMeroni Active Member

    Joined:
    Feb 9, 2013
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    The patch don't work :mad: :'( I return to my old safe_mode security --'
     
  7. nospa

    nospa Well-Known Member

    Joined:
    Apr 23, 2012
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Reseller Owner
    Still waiting for explanation why this patch is better - for example - than removing FollowSymLinks option from core.c in Apache?
     
  8. chrismfz

    chrismfz Well-Known Member

    Joined:
    Jul 4, 2007
    Messages:
    109
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Greece
    cPanel Access Level:
    DataCenter Provider
    Having CL with cagefs and securelinks on this still needed ?
     
  9. LDHosting

    LDHosting Well-Known Member

    Joined:
    Jan 19, 2008
    Messages:
    93
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Yes. Despite the wording, this patch does nothing to prevent Apache following symlinks when the target is owned by another user. This patch only closes a race condition. You will still need to use 3rd party patches / software or totally disable FollowSymLinks and remove it from AllowOverride in order to protect your servers.
     
  10. PeteN

    PeteN Registered

    Joined:
    Apr 12, 2010
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    We attempted to add this patch via EasyApache and compile failed with mod_sec errors.

    "Syntax error on line 306 of /usr/local/apache/conf/modsec/10_asl_rules.conf:
    SecRule takes two or three arguments, rule target, operator and optional action list"

    The rules were adjusted and the patch then applied sucessfuly.

    Unfortunately my server Shared SSL certificate then stopped working (.css and .js files giving 404 errors when using shared ssl links like https://sslcertsite.com/~accountname/index.php). Which caused havok with my webstore customers till discovered and rectified.

    Patch was then removed, except we had even more problems with mod_sec. So removed mod_sec profile completely and were then able to uninstall the patch.

    A disaster of a weekend.

    Can somebody confirm this Symlink patch does/does not stop Shared SSL certificates from working?

    And it would be very much appreciated if somebody would bullet point list all the necessary actions to perform on a CentOS cPanel server running suPHP to stop the symlink exploit as best as possible at the moment? We have already done the "config files to chmod 600 (and 400 sometimes)" and I am running cxswatch to help protect the server.

    Cheers,
    Pete
     
    #10 PeteN, Mar 11, 2013
    Last edited: Mar 11, 2013
  11. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Pete,

    Your modsec compile errors are unrelated to the symlink patch. Guessing by your file names for your modsec rules, you need the newer copy of the ASL modsec rules.

    With the shared SSL issue, I speculate that this patch makes it so served files have to be owned by the vhost owner, so there is a decent chance it will break things for you in that situation.
     
  12. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    You sure about that? I removed the 3rd party patch (Steven's patch) that I was using, and compiled apache 2.2.24 with the new "Symlink Race Condition Protection." Trying to abuse it, I get errors like this:

    [Mon Mar 11 17:13:24 2013] [error] [client $myIP] Caught race condition abuser. attacker: 506, victim: 507 open file owner: 507, open file: /home/HOMEDIR1/public_html/1.txt/home/HOMEDIR2/public_html/index.html

    EDIT: This patch appers to work differently than Steven's (Rack911) patch. This patch checks the files / targets of links being served to make sure they're owned by the vhost owner. With SuPHP this is no problem, however, It looks like this could cause some serious problems for people who use DSO. If I switch from SuPHP to DSO and my webapp uploads a file which is then owned by 'nobody,' this patch stops that file from being served (no symlinks involved with this test):

    [Mon Mar 11 17:48:54 2013] [error] [client $myIP] Caught race condition abuser. attacker: 506, victim: 99 open file owner: 99, open file: /home/HOMEDIR/public_html/blog/apachetest.html

    If you don't use SuPHP, Steven's patch is still probably a better option.
     
    #12 quizknows, Mar 11, 2013
    Last edited: Mar 11, 2013
  13. LDHosting

    LDHosting Well-Known Member

    Joined:
    Jan 19, 2008
    Messages:
    93
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    I checked with cPanel support and they advised that this only closes the race condition.

    "Could you please tell me, does this only close the SymLinksIfOwnerMatch race condition, or does this also force SymLinksIfOwnerMatch or otherwise prevent Apache from following symlinks where the target is owned by another user?"
    Can cPanel please confirm what this patch ACTUALLY does? It seems that the changelog says 1 thing, support says another and someone's experience says yet another.
     
  14. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    LDHosting, if you run an EA with the patch selected, it leaves it behind after the build. You can read it yourself:
    /home/cpeasyapache/src/cppatch/symlink-protection.patch

    It seems they used a page out of this book: Introducing SecureLinks for Apache

    "note that ALL static files have to be owned by user for them to be served. Any files owned by root, or any other user will result in Access Denied when SecureLinks are enabled. " <- is exactly what I exprienced. This is a pretty backwards way to patch this IMO. "it makes sure that the file that will be served by Apache is owned by the same user, as the owner of VirtualHost. We pick up the owner of virtual host from SuexecUserGroup directive." In other words, if you're using DSO, you're going to have a bad time.

    Correct me if I'm wrong, but my brief experience with this patch, and my quick reading of the code in the patch file seems to back the above information. In all technicality it doesn't touch followsymilnks or symlinksifownermatch themselves, but it does stop apache from serving any files (or link target files) that aren't owned by the vhost owner.

    I can't tell you where I work, but we have thousands and thousands of cPanel servers. I've already had 5 servers this week with every single wordpress site defaced via symlink. For the last month we've probably had an average of 3 customers per day who wake up to find every WP/joomla site hacked on their box because of this. I've been installing (and will continue to install) the rack911 patch to prevent this, and it's doing a fine job.
     
    #14 quizknows, Mar 12, 2013
    Last edited: Mar 12, 2013
  15. AlexisMeroni

    AlexisMeroni Active Member

    Joined:
    Feb 9, 2013
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Why you don't use a security with safe_mode or with CLOUDLINUX & CageFS ?
     
  16. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Shared hosting environments we do use Cloudlinux. However, not all dedicated server customers want cloudlinux and most just use centOS with cPanel. For those servers, a patch is needed to prevent mass-defacing of CMS sites if one users CMS gets compromised.
     
  17. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Something tells me this thread is not getting much attention.
     
  18. ikillbill

    ikillbill Well-Known Member

    Joined:
    Feb 18, 2008
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    16
    Hi
    We are also curious about how this works with rack911 's Steven 's patch please?

    maybe this post is on wrong forum? not much involvements~
     
  19. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    It's an either or per cPanel's documentation at Symlink Race Condition Protection

     
  20. cPanelKurtN

    cPanelKurtN Well-Known Member
    Staff Member

    Joined:
    Jan 29, 2013
    Messages:
    95
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    #20 cPanelKurtN, Mar 26, 2013
    Last edited: Mar 26, 2013
Loading...

Share This Page