Introduction
Symlink protections prevent unauthorized access, by way of symbolic links, to files outside of a user's standard directories. CloudLinux servers have many options to address a concern of this nature. However, the most common and fully supported cPanel option is "SecureLinks," which is enabled by default.
Procedure
- Ensure the following kernel settings are enabled:
fs.enforce_symlinksifowner = 1
fs.process_symlinks_by_task = 1
fs.symlinkown_gid = 99
- This can be confirmed with "sysctl" commands, for example:
sysctl fs.enforce_symlinksifowner
sysctl fs.process_symlinks_by_task
sysctl fs.symlinkown_gid
- All three can be checked with a single command:
sysctl -a | grep -E 'enforce_symlinksifowner|process_symlinks_by_task|symlinkown_gid'
- Look for the following output:
fs.enforce_symlinksifowner = 1
fs.process_symlinks_by_task = 1
fs.symlinkown_gid = 99
If these options are not set to these values, you can set them with the following steps:
- Edit the file /etc/sysctl.d/90-cloudlinux.conf with a text editor like vi, vim, or nano.
- Add the symlink protection options if they do not already appear as illustrated in the output above. If they are already defined, change them to the values below instead.
fs.enforce_symlinksifowner = 1
fs.process_symlinks_by_task = 1
fs.symlinkown_gid = 99
- Reload sysctl:
sysctl --system
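The check above can be scripted so that a missing or overridden key is reported rather than spotted by eye. This is an added example, not code from cPanel or CloudLinux; the function name check_symlink_sysctls is hypothetical and the sample input is constructed.

```shell
#!/usr/bin/env bash
# check_symlink_sysctls: read "key = value" lines on stdin (the format of
# `sysctl -a` output and of /etc/sysctl.d/90-cloudlinux.conf) and compare the
# three symlink-protection keys with the values this article expects.
# Prints one line per problem; returns 0 if all match, 1 otherwise.
check_symlink_sysctls() {
    awk -F'=' '
        BEGIN {
            n = split("fs.enforce_symlinksifowner fs.process_symlinks_by_task fs.symlinkown_gid", keys, " ")
            want[keys[1]] = "1"; want[keys[2]] = "1"; want[keys[3]] = "99"
        }
        /^[ \t]*[#;]/ { next }                 # ignore commented-out settings
        NF >= 2 {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key)   # trim whitespace around key
            gsub(/^[ \t]+|[ \t]+$/, "", val)   # trim whitespace around value
            if (key in want) seen[key] = val   # a later line replaces an earlier one
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = keys[i]
                if (!(k in seen)) {
                    printf "MISSING %s (expected %s)\n", k, want[k]; bad = 1
                } else if (seen[k] != want[k]) {
                    printf "MISMATCH %s = %s (expected %s)\n", k, seen[k], want[k]; bad = 1
                }
            }
            exit bad
        }
    '
}

# Constructed sample: one key commented out, one redefined with another value.
sample='fs.enforce_symlinksifowner = 1
# fs.process_symlinks_by_task = 1
fs.symlinkown_gid = 99
fs.symlinkown_gid=48'
printf '%s\n' "$sample" | check_symlink_sysctls || echo "symlink protection needs attention"

# On a real server (not run here):
#   sysctl -a 2>/dev/null | check_symlink_sysctls            # running kernel values
#   check_symlink_sysctls < /etc/sysctl.d/90-cloudlinux.conf  # persisted values
```

Running it against both the live values and the configuration file catches the case where the kernel is currently protected but the setting would not survive a reboot, or the reverse.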
Note: CloudLinux defines the protections by default. If they are already set, you don't need to take any additional action. You can find additional details in the CloudLinux documentation page below.