Symbolic Links with CloudLinux


Last Modified: Jul 4, 2017, 2:23 pm
CloudLinux has some powerful tools to help reduce symlink attacks.
For the most part, we don't really need them, as DA uses the "secure_access_group" method on /home/user folders, and Apache itself is patched with the "harden symlinks" patch (which internally swaps FollowSymLinks into SymLinksIfOwnerMatch).

Sometimes issues can arise from this extra layer of security (see some common errors, below).

If you need to disable the checks (temporarily or permanently):
  1. Edit /etc/sysctl.conf and set:

    fs.enforce_symlinksifowner = 0
    fs.protected_symlinks_create = 0

  2. Then apply them to the running system, without needing a reboot:

    sysctl -p

  3. Confirm they're set:

    sysctl -a | grep -E 'fs.enforce_symlinksifowner|fs.protected_symlinks_create'

Known Errors

  1. Unable to extract the directory 'backup' from the file /home/admin/admin_backups/user.admin.username.tar.gz as user username
    File '/home/admin/admin_backups/user.admin.username.tar.gz' was 1234567 bytes in size, as read by root.

    In this case, it was found that there were symbolic links in the backup which could not be extracted because they were pointing to root-owned files. Note that this error could be caused by other things, like file corruption, but this is one possibility.
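
To confirm whether a failing backup matches this case before turning the checks off, the archive's symlinks can be listed together with the owner of each target. The following is an added example, not DirectAdmin or CloudLinux code; the function names, the extract directory /home/username, the uid 1001 and the sample archive are constructed assumptions.

```python
import io
import os
import posixpath
import tarfile


def lstat_uid(path):
    """Owner uid of path on the live filesystem, or None if it does not exist."""
    try:
        return os.lstat(path).st_uid
    except OSError:
        return None


def foreign_symlinks(tar, dest_dir, user_uid, owner_of=lstat_uid):
    """List (member, target, owner uid) for symlinks whose existing target
    is not owned by user_uid. dest_dir is where the archive would be extracted."""
    hits = []
    for m in tar.getmembers():
        if not m.issym():
            continue
        # Relative targets resolve against the directory that holds the link.
        # normpath is lexical only: it does not follow symlinks along the way.
        base = posixpath.join(dest_dir, posixpath.dirname(m.name))
        target = posixpath.normpath(posixpath.join(base, m.linkname))
        uid = owner_of(target)
        if uid is not None and uid != user_uid:
            hits.append((m.name, target, uid))
    return hits


def build_sample_backup():
    """Constructed archive: one link inside the home, two pointing at system files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, link in [("backup/site/current", "releases/1"),
                           ("backup/conf/passwd", "/etc/passwd"),
                           ("backup/conf/hosts", "../../../../etc/hosts")]:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = link
            tar.addfile(info)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r:gz")


if __name__ == "__main__":
    # Constructed values: extract dir /home/username, user uid 1001.
    for name, target, uid in foreign_symlinks(build_sample_backup(), "/home/username", 1001):
        print(f"{name} -> {target} (owner uid {uid})")
```

For a real backup, open it with `tarfile.open(path)` and pass the user's home directory and numeric uid.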

© 2018 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST