Followsymlinks and SymlinksIfOwnerMatch for single user

durangod

• January 04, 2017 09:18

So as i understand this, and i hope i am correct. If i am the only user on the server then regardless of how i have these configured, both on, both off, one on, one off. It really does not matter other than for script execution needs. What i mean is that right now i have them both enabled, i also have mod_ruid2 and jailshell enabled. However i still get the warning from the security advisor that i do not have protection from this exploit. I have updated my kernel and rebooted the server. ---------------------- Kernel does not support the prevention of symlink ownership attacks.You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review the documentation to learn how to apply this protection. ------------------------ However in the documentation it tells me that one option is to use EXPERIMENTAL mod_ruid2 with jailshell. So i really should not be getting that notice at all. However to my original topic here, since i am the only user then it really does not matter, is that correct?

• 

  cPanelMichael

  • January 09, 2017 18:13

  Hello, The updated symlink protection document for EasyApache 4 is available at: Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation Per this document: If you enable both of the SymLinksIfOwnerMatch and FollowSymLinks configuration settings, Apache becomes vulnerable to a race condition through symlinks. This symlink vulnerability allows a malicious user to serve files from anywhere on a server that strict operating system-level permissions do not protect.
  A kernel-level solution, such as the cPanel-hardened kernel, is recommended even if you are the only user on the system. It adds an additional level of protection in the event access to your account is obtained through an exploit in a script that's utilized by your website. Thank you.

  0
• 

  durangod

  • January 15, 2017 06:52

  OK thanks, not sure that i really understand your answer, but thanks for the reply.

  0
• 

  cPanelMichael

  • January 23, 2017 17:06

  Hello, I'm happy to help answer any additional questions you might have. Would you mind providing some additional details or an example of a scenario that concerns you? Thank you.

  0

Please sign in to leave a comment.