The Community Forums


Symlink protection with EA4

Discussion in 'EasyApache' started by quizknows, Oct 20, 2015.

  1. quizknows

    quizknows Well-Known Member

    Is there an equivalent of the Bluehost patch, or another cross-account symlink protection, in EA4 for non-CloudLinux servers?

    (Edit)

    So this is interesting, if I try to symlink cross-account, it won't serve unless I chown the target file to the same owner as the link. It returns a 403 otherwise. However, I'm not seeing WHY it denies it, even with loglevel debug or trace6. It seems almost as if there's protection built in but I cannot figure out how or where. Any insight would be appreciated.
     
    #1 quizknows, Oct 20, 2015
    Last edited: Oct 20, 2015
  2. tfmm

    tfmm Registered

    So I was working with quizknows on this in person, and found that the behavior noted in his edit is due to "SymLinkIfOwnerMatch" being set in the httpd.conf. If I comment out that option, SymLinks are followed without issue.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Thank you for updating this thread with the outcome. Could you verify if this addresses the question?

    Thank you.
     
  4. quizknows

    quizknows Well-Known Member

    Michael,

    No, it doesn't address the question. We are simply confirming that it is currently possible to exploit cross-account symlinks in EA4 and are unaware of a solution outside of CloudLinux/CageFS (such as the Bluehost patch currently in EA).
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    There's no update to report on these options in EasyApache 4 at this time. The "SymLinkIfOwnerMatch" option is enabled by default in:

    "WHM Home » Service Configuration » Apache Configuration » Global Configuration"

    Thank you.
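
The owner comparison described in this thread (link owner versus target owner, 403 on mismatch) can also be run as an offline audit of account docroots. The script below is an added example, not part of the original thread or of cPanel's code; Apache spells the option `SymLinksIfOwnerMatch`, and the function name `audit_symlinks`, the `Finding` tuple and the demo tree are assumptions made for illustration.

```python
import os
import sys
import tempfile
from collections import namedtuple

# Hypothetical record type for this example.
Finding = namedtuple("Finding", "link target link_uid target_uid")

def audit_symlinks(root, lstat=os.lstat, stat=os.stat):
    """Walk root without following links and report every symlink whose
    owner differs from the owner of what it resolves to, or whose target
    is missing. lstat/stat are injectable so the check can be tested
    without root privileges."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinks to directories show up in dirnames, to files in filenames.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            link_uid = lstat(path).st_uid        # owner of the link itself
            target = os.path.realpath(path)      # where the link ends up
            try:
                target_uid = stat(path).st_uid   # owner of the resolved target
            except OSError:
                target_uid = None                # dangling or unreadable target
            if target_uid != link_uid:
                findings.append(Finding(path, target, link_uid, target_uid))
    return findings

if __name__ == "__main__":
    roots = sys.argv[1:]
    if not roots:
        # Constructed demo tree: one dangling link, so the run prints a finding.
        demo = tempfile.mkdtemp()
        os.symlink(os.path.join(demo, "missing.php"), os.path.join(demo, "link.txt"))
        roots = [demo]
    for root in roots:
        for f in audit_symlinks(root):
            print(f"{f.link} (uid {f.link_uid}) -> {f.target} (uid {f.target_uid})")
```

Run it as root against each account's docroot so every target can be stat'ed. Apache's documentation states that `SymLinksIfOwnerMatch` is subject to race conditions and should not be considered a security restriction, so a periodic audit like this complements the option rather than replacing stronger isolation.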
     