Getting started with CloudLinux OS Shared

Activating SecureLink

SecureLinks is a kernel-level technology that prevents all known symbolic link (symlink) attacks. It enhances the security level of the servers even further and prevents malicious users from creating a symbolic link to files (where an attacker tricks Apache Web server to read some other user’s PHP config files or other sensitive files).

To protect against symlink attacks, change or add fs.enforce_symlinksifowner=1 in /etc/sysctl.conf file then apply changes with:

# sysctl -p

Setting this option will deny any process running under gid fs.symlinkown_gid to follow the symlink if the owner of the link doesn’t match the owner of the target file.

More information on this topic can be found here.

Activate SecureLinks, even if CageFS is running. Here is why:

CageFS is extremely effective at stopping most information disclosure attacks, in which a hacker can get sensitive information from files like /etc/passwd. However, in some cases, CageFS cannot protect against symbolic link attacks. For example, on cPanel servers, it is not enabled in the WebDAV server, cPanel file manager, and webmail, as well as some FTP servers that don’t include proper change rooting. This allows attackers to create symlinks or hardlinks to files like /etc/passwd and then use WebDAV, file manager, or webmail to read the content of those files.

You can prevent such attacks by not allowing users to create symlinks and hardlinks to files that they don’t own:

Add following to /etc/sysctl.conf:

fs.protected_symlinks_create = 1
fs.protected_hardlinks_create = 1

Then apply changes with:

# sysctl -p

With CloudLinux OS Shared SecureLink, you can prevent such attacks by keeping malicious users from creating symlinks and hardlinks to files that they don’t own.

More information on this topic can be found here.