cPKernel Symlink Protection
We have installed the latest kernel provided by cPanel on our development server, but as far as I can see, the simulated symlink through .htaccess still works just fine. :-(
OK, I haven't set anything in sysctl. Which values should be set there? Could you please share, for the benefit of others? :)
Hello, could you also let us know the specific steps you are taking to reproduce the issue? Thanks.
Sure. Our test server runs CentOS 6, WHM EDGE version (development license), EasyApache 4 (mod_itk, mod_fcgi). I added the cPanel kernel repository, installed the kernel from there and rebooted. Then I created a folder inside a test account and put a small .htaccess file in there:

    Options all
    DirectoryIndex Sux.html
    AddType text/plain .php
    AddType text/plain .conf
    AddType text/plain .sql
    AddType text/plain .log
    AddHandler server-parsed .php
    AddHandler txt .html

and created a symlink to the root catalog:

    ln -s / root

When browsing our test-domain/subfolder/root/ I get a listing of the folders from our root and can browse other subfolders and view files. Even if I disable "Options Indexes" in the Apache configuration, this still works and it is possible to browse quite a lot of folders. The only workaround we have found so far that actually works is to add the following rules to the global pre-virtual-host include file:

    Options ExecCGI IncludesNOEXEC SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Limit Indexes
This gives a "500 Internal Server Error" status, but not because of security or the patch: this override does not allow overriding Options through .htaccess files. Basically this gives customers a little headache, since they can't have "Options ..." in any of their .htaccess files and we have to override various stuff manually through custom includes. But we consider this better than letting hackers browse through our files and folders. I was just hoping that the kernel patch would detect and fix it somehow... :) P.S. There's a new kernel for CentOS, and yum will pick up the kernel from CentOS rather than from the cPanel repo. P.P.S. I wonder if some extra configuration is needed for the cPanel kernel to do the job? And I wonder what exactly it will do... :)
Hello, thank you for taking the time to provide us with the additional information. Could you also post the output of some additional commands?

    uname -r
    sysctl -a | grep symlink
    id nobody
    /usr/local/cpanel/bin/rebuild_phpconf --current
    sysctl -p

The "fs.symlinkown_gid" value should match the GID associated with the nobody user on the system (99 by default on cPanel servers). With "fs.enforce_symlinksifowner" set to 1 and "fs.symlinkown_gid" set to 99, attempts by cPanel users to follow symbolic links should fail if the links are owned by that cPanel user but point to a file owned by another cPanel user. Thank you.
    [root@dev ~]# uname -r
    2.6.32-642.6.199.cpanel6.x86_64
    [root@dev ~]# sysctl -a | grep symlink
    fs.enforce_symlinksifowner = 1
    fs.symlinkown_gid = 99
    [root@dev ~]# id nobody
    uid=99(nobody) gid=99(nobody) groups=99(nobody)
    [root@dev ~]# /usr/local/cpanel/bin/rebuild_phpconf --current
    DEFAULT PHP: ea-php56
    ea-php54 SAPI: cgi
    ea-php55 SAPI: cgi
    ea-php56 SAPI: cgi
    ea-php70 SAPI: cgi
    [root@dev ~]# sysctl -p
    net.ipv4.ip_forward = 0
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.default.accept_source_route = 0
    kernel.sysrq = 0
    kernel.core_uses_pid = 1
    net.ipv4.tcp_syncookies = 1
    kernel.msgmnb = 65536
    kernel.msgmax = 65536
    kernel.shmmax = 68719476736
    kernel.shmall = 4294967296
    fs.symlinkown_gid = 99
Hello, I've not been able to reproduce this behavior when creating this symbolic link while logged in as the account username. Are you creating this symbolic link via SSH as the individual account username or as the "root" user? Thank you.
Yes, I created the symlink as "root". I guess that explains it?
Yes. For instance, if fs.enforce_symlinksifowner is set to 1 and fs.symlinkown_gid is set to 99, then processes with GID 99 (Apache) will not be able to follow symlinks if they are owned by user1 but point to a file owned by user2. Thank you.
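The two support replies above describe the rule in words: when the calling process is in the fs.symlinkown_gid group and fs.enforce_symlinksifowner is 1, a symlink may only be followed if the link and the object it points to have the same owner. The following is an added example, not code from this thread or from cPanel's kernel: a small userspace model of that rule, written so you can predict what the patched kernel should do for a given link before trusting a test page, plus a check of the two sysctl values the support reply asks for. The model is an assumption about the kernel's behaviour (the thread does not show the kernel code); it also assumes GNU `stat` and `sysctl -n`, and that the check compares the link's owner with the owner of the object the link itself resolves to. It explains the finding at the end of the thread: a root-created `ln -s / root` has link owner 0 and target owner 0, so the owners match and nothing is blocked.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): userspace model of the
# enforce_symlinksifowner / symlinkown_gid rule as described in the replies.
# Assumption: deny only when (a) enforcement is on, (b) the process is in
# the symlinkown_gid group, and (c) link owner != owner of the link target.

# symlink_policy ENFORCE SYMLINKOWN_GID PROC_GIDS LINK_UID TARGET_UID
#   PROC_GIDS is a space-separated list as printed by `id -G`.
#   Prints "allow" or "deny".
symlink_policy() {
    enforce=$1; own_gid=$2; proc_gids=$3; link_uid=$4; target_uid=$5
    [ "$enforce" = 1 ] || { echo allow; return; }
    in_group=0
    for g in $proc_gids; do
        [ "$g" = "$own_gid" ] && in_group=1
    done
    if [ "$in_group" = 1 ] && [ "$link_uid" != "$target_uid" ]; then
        echo deny
    else
        echo allow
    fi
}

# predict_link PATH: apply the model to a real symlink using the live sysctl
# values, the caller's groups and the ownership of the link and its target.
# Run it as the user whose access you care about (e.g. the Apache user).
predict_link() {
    link=$1
    [ -L "$link" ] || { echo "not a symlink: $link" >&2; return 2; }
    enforce=$(sysctl -n fs.enforce_symlinksifowner 2>/dev/null || echo 0)
    own_gid=$(sysctl -n fs.symlinkown_gid 2>/dev/null || echo 99)
    link_uid=$(stat -c %u "$link")        # owner of the link itself
    target_uid=$(stat -L -c %u "$link")   # owner of what it resolves to
    symlink_policy "$enforce" "$own_gid" "$(id -G)" "$link_uid" "$target_uid"
}

# check_sysctl SYSCTL_TEXT NOBODY_GID: SYSCTL_TEXT is the output of
# `sysctl -a | grep symlink`; NOBODY_GID comes from `id -g nobody`.
# Prints "ok" when enforcement is on and the GID matches nobody's GID.
check_sysctl() {
    text=$1; nobody_gid=$2
    enforce=$(printf '%s\n' "$text" | sed -n 's/^fs\.enforce_symlinksifowner *= *//p')
    own_gid=$(printf '%s\n' "$text" | sed -n 's/^fs\.symlinkown_gid *= *//p')
    if [ "$enforce" = 1 ] && [ "$own_gid" = "$nobody_gid" ]; then
        echo ok
    else
        echo "misconfigured: enforce=${enforce:-unset} symlinkown_gid=${own_gid:-unset} nobody=$nobody_gid"
    fi
}

# Usage on a server (constructed scenarios from the thread):
#   check_sysctl "$(sysctl -a | grep symlink)" "$(id -g nobody)"
#   symlink_policy 1 99 "99" 0 0          # root link to /: owners match
#   symlink_policy 1 99 "99" 1001 1002    # user1 link to user2 file
#   su -s /bin/sh nobody -c '. ./model.sh; predict_link /home/user1/public_html/root'
```

The model deliberately takes the owner of the link target, not of a file deeper in the path, because that is the comparison the replies describe. To reproduce the protection, the symlink has to be created as the account user (as the support reply points out), so that the link owner differs from the owner of whatever it points at.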