Skip to main content

Symlink protection with EA4

Comments

5 comments

  • tfmm
    So I was working with quizknows on this in person, and found that the behavior noted in his edit is due to "SymLinkIfOwnerMatch" being set in the httpd.conf. If I comment out that option, SymLinks are followed without issue.
    0
  • cPanelMichael
    So I was working with quizknows on this in person, and found that the behavior noted in his edit is due to "SymLinkIfOwnerMatch" being set in the httpd.conf. If I comment out that option, SymLinks are followed without issue.

    Hello :) Thank you for updating this thread with the outcome. Could you verify if this addresses the question? Thank you.
    0
  • quizknows
    Michael, No, it doesn't address the question. We are simply confirming that it is currently possible to exploit cross-account symlinks in EA4 and are unaware of a solution outside of cloudlinux/cagefs (such as the bluehost patch currently in EA).
    0
  • cPanelMichael
    There's no update to report on these options in EasyApache 4 at this time. The "SymLinkIfOwnerMatch" option is enabled by default in: "WHM Home " Service Configuration " Apache Configuration " Global Configuration" Thank you.
    0
  • cPanelMichael
    An update to this question is found on the following thread: EasyApache4 symlink race protection Thank you.
    0

Please sign in to leave a comment.