Symlink protection with EA4
Is there an equivalent of the bluehost patch, or another cross-account symlink protection, in EA4 for non-cloudlinux servers?
(Edit)
So this is interesting, if I try to symlink cross-account, it won't serve unless I chown the target file to the same owner as the link. It returns a 403 otherwise. However, I'm not seeing WHY it denies it, even with loglevel debug or trace6. It seems almost as if there's protection built in but I cannot figure out how or where. Any insight would be appreciated.
-
So I was working with quizknows on this in person, and found that the behavior noted in his edit is due to "SymLinkIfOwnerMatch" being set in the httpd.conf. If I comment out that option, SymLinks are followed without issue. 0 -
So I was working with quizknows on this in person, and found that the behavior noted in his edit is due to "SymLinkIfOwnerMatch" being set in the httpd.conf. If I comment out that option, SymLinks are followed without issue.
Hello :) Thank you for updating this thread with the outcome. Could you verify if this addresses the question? Thank you.0 -
Michael, No, it doesn't address the question. We are simply confirming that it is currently possible to exploit cross-account symlinks in EA4 and are unaware of a solution outside of cloudlinux/cagefs (such as the bluehost patch currently in EA). 0 -
There's no update to report on these options in EasyApache 4 at this time. The "SymLinkIfOwnerMatch" option is enabled by default in: "WHM Home " Service Configuration " Apache Configuration " Global Configuration" Thank you. 0 -
An update to this question is found on the following thread: EasyApache4 symlink race protection Thank you. 0
Please sign in to leave a comment.
Comments
5 comments