Introduction
Symlink protections prevent unauthorized access, through symbolic links, to files outside of a user's standard directories. CloudLinux servers have many options to address this concern. However, the most common and fully supported cPanel option is "SecureLinks," which is enabled by default.
Procedure
- Ensure the following kernel settings are enabled:
fs.enforce_symlinksifowner = 1
fs.process_symlinks_by_task = 1
fs.symlinkown_gid = 99
- This can be confirmed with "sysctl" commands, for example:
sysctl fs.enforce_symlinksifowner
sysctl fs.process_symlinks_by_task
sysctl fs.symlinkown_gid
- All three can be checked at once with:
sysctl -a | grep -E 'enforce_symlinksifowner|process_symlinks_by_task|symlinkown_gid'
- Look for the following output:
fs.enforce_symlinksifowner = 1
fs.process_symlinks_by_task = 1
fs.symlinkown_gid = 99
If these options are not set to these values, you can set them with the following steps:
- Edit the file /etc/sysctl.d/90-cloudlinux.conf with a text editor like vi, vim, or nano
- Add the symlink protection options if they did not appear in the output illustrated above. If they are already defined, change them to the values below instead.
fs.enforce_symlinksifowner = 1
fs.process_symlinks_by_task = 1
fs.symlinkown_gid = 99
- Reload sysctl:
sysctl --system
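The check from the steps above as a reusable shell function, added here as an example (it is not cPanel or CloudLinux code). It reads "key = value" lines from sysctl output or from a sysctl.d file and reports any of the three settings that is missing or has a different value; the function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the three symlink-protection sysctls from this article.
# Reads "key = value" lines on stdin (sysctl output or a sysctl.d file),
# prints one line per problem, returns 0 only if all three values match.
check_symlink_sysctls() {
    awk '
        BEGIN {
            want["fs.enforce_symlinksifowner"] = "1"
            want["fs.process_symlinks_by_task"] = "1"
            want["fs.symlinkown_gid"] = "99"
            n = split("fs.enforce_symlinksifowner fs.process_symlinks_by_task fs.symlinkown_gid", order, " ")
        }
        /^[ \t]*[#;]/ { next }                 # comment lines in config files
        {
            eq = index($0, "=")
            if (eq == 0) next                  # not an assignment
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)   # accept "k = v" and "k=v"
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key in want) seen[key] = val   # a later assignment overrides an earlier one
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in seen)) {
                    printf "MISSING %s (expected %s)\n", k, want[k]; bad = 1
                } else if (seen[k] != want[k]) {
                    printf "MISMATCH %s = %s (expected %s)\n", k, seen[k], want[k]; bad = 1
                }
            }
            exit bad
        }
    '
}

# Constructed sample (not from a real server): one value overridden, one key absent.
SAMPLE_DRIFTED='# constructed example input
fs.enforce_symlinksifowner = 1
fs.enforce_symlinksifowner=0
fs.symlinkown_gid = 99'

printf '%s\n' "$SAMPLE_DRIFTED" | check_symlink_sysctls || echo "symlink protection settings need attention"
```

On a server, pipe the output of "sysctl -a" or the contents of /etc/sysctl.d/90-cloudlinux.conf into the function; a non-zero exit status means at least one setting needs the fix described above.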
Note: CloudLinux defines the protections by default. If they are already set, you don't need to take any additional action. You can find additional details on the CloudLinux documentation page below.