
How important is symlink protection?

Comments

6 comments

  • cPanelMichael
    Hello, I recommend enabling some level of symlink race condition protection. We document the available options for symlink protection at the following URL: Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation. Could you verify if any of these options are available on your system? Thank you.
    0
  • enginestar
    Thanks for the reply. I spoke with tech support again; the guy I spoke to had another look and said he managed to turn it on, so all is good. I looked at the link you gave. It's still not clear to me the exact dangers of NOT having it turned on. Please do explain, happy to get educated.
    0
  • cPanelMichael
    "It's still not clear to me the exact dangers of NOT having it turned on. Please do explain, happy to get educated."

    Hi @enginestar, Here's a quote from the grsecurity forums that provides some background information about the attack mechanism: + Apache's SymlinksIfOwnerMatch option has an inherent race condition + that prevents it from being used as a security feature. As Apache + verifies the symlink by performing a stat() against the target of + the symlink before it is followed, an attacker can setup a symlink + to point to a same-owned file, then replace the symlink with one + that targets another user's file just after Apache "validates" the + symlink -- a classic TOCTOU race.
    Thanks.
    0
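The race in the quoted grsecurity text, as an added example that is not part of the thread or of Apache's code: `racy_open` checks the path and then opens it, while `checked_open` opens once and checks the descriptor with `fstat()`. The function names, the `swap` hook and the temp files are constructed for illustration, and both sample files belong to the current user, so the run shows only that the racy variant validates one file and opens another.

```python
import os, stat, tempfile

def racy_open(path, swap=None):
    """Check-then-use: stat() the path, then open() it (two path lookups)."""
    checked = os.stat(path)                       # lookup 1 follows the symlink
    if checked.st_uid != os.lstat(path).st_uid:   # owner-match test on the path
        raise PermissionError(path)
    if swap:
        swap()                                    # the race window, forced open here
    return os.open(path, os.O_RDONLY), checked    # lookup 2 may reach a new target

def checked_open(path, owner_uid):
    """Open once, then test the opened object with fstat(); no second lookup."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)   # O_NONBLOCK: never hang on a FIFO
    checked = os.fstat(fd)
    if not stat.S_ISREG(checked.st_mode) or checked.st_uid != owner_uid:
        os.close(fd)
        raise PermissionError(path)
    return fd, checked

def demo():
    d = tempfile.mkdtemp()                        # constructed sandbox directory
    own, other, link = (os.path.join(d, n) for n in ("own.txt", "other.conf", "link"))
    for p, text in ((own, "mine"), (other, "secret")):
        with open(p, "w") as f:
            f.write(text)
    os.symlink(own, link)

    def swap():                                   # repoint the link after the check
        os.symlink(other, link + ".new")
        os.replace(link + ".new", link)           # rename() acts on the link itself

    fd, checked = racy_open(link, swap)
    result = {"racy_same_file": os.path.samestat(checked, os.fstat(fd)),
              "racy_read": os.read(fd, 16)}
    os.close(fd)
    fd, checked = checked_open(link, os.geteuid())
    result["checked_same_file"] = os.path.samestat(checked, os.fstat(fd))
    os.close(fd)
    try:
        checked_open(link, os.geteuid() + 1)      # hypothetical non-matching owner
        result["mismatch_rejected"] = False
    except PermissionError:
        result["mismatch_rejected"] = True
    return result

if __name__ == "__main__":
    print(demo())
```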
  • quizknows
    Basically if you don't have symlink protection, in most cases, one hacked site will result in every other CMS on the server being hacked since Apache can read the config files. It is literally critical if you host more than a couple of sites.
    0
  • sparek-3
    Unless each account applies proper permissions and doesn't leave script config files with world readable permissions. World readable permissions on PHP files are really not necessary any longer, unless you are running PHP as DSO.
    0
  • quizknows
    "Unless each account applies proper permissions and doesn't leave script config files with world readable permissions. World readable permissions on PHP files are really not necessary any longer, unless you are running PHP as DSO."

    You are right, but trusting users to use secure file permissions is the last thing I'll rely on :'D
    0
