Disable Symlink per account, it's possible?

Comments

  • cPanelMichael
    Hello :) Per our documentation: "If you enable both of the SymLinksIfOwnerMatch and FollowSymLinks configuration settings, Apache becomes vulnerable to a race condition through symlinks. This symlink vulnerability allows a malicious user to serve files from anywhere on a server that strict OS-level permissions do not protect." Thus, it's not really advised to allow it on any account. The following document should be helpful: Symlink Race Condition Protection. I suggest using one of the patches labeled "RECOMMENDED" and then checking to see if the issue persists. Thank you.
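As an added example (not from cPanel's documentation or from anyone in this thread), here is a small Python audit that walks an Apache configuration and reports every container whose effective Options still include FollowSymLinks, on its own or together with SymLinksIfOwnerMatch, which is the combination the documentation quoted above calls vulnerable. The configuration text below is constructed for the demo; the parser is deliberately simple and ignores Include directives and .htaccess overrides.

```python
import re

# Constructed sample of Apache configuration text (not a real server's config).
SAMPLE_CONF = """
<VirtualHost *:80>
    DocumentRoot /home/alice/public_html
    <Directory /home/alice/public_html>
        Options -Indexes +FollowSymLinks +SymLinksIfOwnerMatch
    </Directory>
</VirtualHost>
<Directory /home/bob/public_html>
    Options SymLinksIfOwnerMatch
</Directory>
<Directory /home/carol/public_html>
    Options +FollowSymLinks
    Options -FollowSymLinks +SymLinksIfOwnerMatch
</Directory>
"""

OPEN_RE = re.compile(r"^\s*<(Directory|VirtualHost|Location)\b([^>]*)>", re.I)
CLOSE_RE = re.compile(r"^\s*</(Directory|VirtualHost|Location)>", re.I)
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.I)

def effective_options(conf):
    """Return {context: set(options)} after applying Options lines in order.
    Relative (+/-) forms modify the running set; an absolute list replaces it,
    mirroring how Apache merges repeated Options inside one container."""
    contexts, stack = {}, []
    for line in conf.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = OPEN_RE.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2).strip()}".strip())
            continue
        if CLOSE_RE.match(line):
            stack.pop()
            continue
        m = OPTIONS_RE.match(line)
        if not m:
            continue
        ctx = " > ".join(stack) or "<server>"
        current = contexts.setdefault(ctx, set())
        tokens = m.group(1).split()
        if all(t[0] in "+-" for t in tokens):      # relative form
            for t in tokens:
                (current.add if t[0] == "+" else current.discard)(t[1:].lower())
        else:                                      # absolute form replaces the set
            current.clear()
            current.update(t.lstrip("+").lower() for t in tokens)
    return contexts

def symlink_findings(conf):
    """List (context, reason) for every container with FollowSymLinks active."""
    out = []
    for ctx, opts in effective_options(conf).items():
        if "followsymlinks" in opts:
            both = "symlinksifownermatch" in opts
            out.append((ctx, "both FollowSymLinks and SymLinksIfOwnerMatch" if both else "FollowSymLinks"))
    return out
```

Run it against the real httpd.conf and each vhost include to see which accounts would still serve through FollowSymLinks regardless of the patch chosen.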
  • ITGabs
    The "RECOMMENDED" options are just two:
    mod_ruid + jailshell -> not compatible with mod_fcgid
    cagefs -> not possible in CentOS
    I understand how the symlink race condition works, and I know how to test if a server is vulnerable. What I don't know is what these options do to the configuration of EasyApache. In the "Exhaustive Options List", under the first section "Apache Built-in Modules":
    [ ] Fileprotect: Prevent users from reading other webroots
    [ ] Symlink Race Condition Protection
    And under PHP 5.5.17 (be sure to "harden" your PHP, since PHP has many security issues):
    [ ] Safe PHP CGI: prevents users from overriding the system php.ini
    In the last build I just checked "Symlink Race Condition Protection", and I have no idea what patch was used; the same goes for the other options, which are quite important for adding more security. What I am doing to add security is a set of permissions (that probably will only work with PHP running under mod_fcgid), a php.ini per user with disable_functions and basedir restrictions, and some other restrictions in the Apache vhost configuration. And no SSH, of course. Maybe if you can answer about those three options I can find a way to disable or enable those patches per account. Thanks!
  • ITGabs
    I found the info on the same page: "Symlink Race Condition Protection" = Bluehost.com-provided patch.