
Warning:

Currently, we no longer develop EasyApache 3 and only release security updates. We have tentatively scheduled EasyApache 3 for deprecation at some point in 2018. You will receive at least three months' notification prior to official deprecation. After that time, EasyApache 3 will no longer receive any updates. For more information, read our cPanel Long-Term Support documentation.

We strongly recommend that you upgrade to EasyApache 4. For more information, read our EasyApache 4 documentation. 

Overview

This document explains several options that you can use to implement symlink race condition protection. 

Symlink race condition vulnerability

If you enable the SymLinksIfOwnerMatch and FollowSymLinks configuration settings, Apache becomes vulnerable to a race condition through symlinks. This symlink vulnerability allows a malicious user to serve files from anywhere on a server that strict OS-level permissions do not protect.
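
A point-in-time audit for the symlink exposure described above, as an added example (not cPanel's or Apache's code): it lists symlinks under a document root whose target is owned by a different user than the link, resolves outside an allowed base directory, or cannot be resolved. The function names and the sample tree are assumptions made for illustration; a scan like this cannot see a link that is swapped in during the race, so it complements the protections listed below rather than replacing them.

```python
import os
import tempfile


def audit_symlinks(docroot, allowed_base=None):
    """Return (link, target, reason) for each suspicious symlink under docroot."""
    base = os.path.realpath(allowed_base or docroot)
    findings = []
    # followlinks=False: report symlinked directories but never descend into them.
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            try:
                link_uid = os.lstat(link).st_uid    # owner of the link itself
                target_uid = os.stat(link).st_uid   # owner of what it resolves to
            except OSError:
                findings.append((link, target, "unresolvable"))  # dangling, loop, EACCES
                continue
            if link_uid != target_uid:
                findings.append((link, target, "owner-mismatch"))
            elif os.path.commonpath([base, target]) != base:
                findings.append((link, target, "outside-base"))
    return findings


def demo():
    """Audit a constructed sample tree (all paths here are made up)."""
    top = tempfile.mkdtemp()
    docroot = os.path.join(top, "alice", "public_html")
    other = os.path.join(top, "bob")
    os.makedirs(docroot)
    os.makedirs(other)
    for path in (os.path.join(docroot, "index.html"), os.path.join(other, "shared.txt")):
        open(path, "w").close()
    os.symlink(os.path.join(docroot, "index.html"), os.path.join(docroot, "home.html"))
    os.symlink(os.path.join(other, "shared.txt"), os.path.join(docroot, "notes.txt"))
    os.symlink(os.path.join(top, "missing"), os.path.join(docroot, "old"))
    return {os.path.basename(link): reason for link, _, reason in audit_symlinks(docroot)}


if __name__ == "__main__":
    print(demo())
```

In the sample tree every file belongs to the user who runs the script, so the cross-directory link is reported as outside-base; on a multi-user server a link into another account's files is reported as owner-mismatch first.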

Summary of current options to address this issue

Filesystem-level solutions (best choices):

mod_ruid + jailshell: RECOMMENDED

Related documentation

Tweak Settings - Security

Advantages

To enable this option, run EasyApache and then enable EXPERIMENTAL: Jailshell Virtual Hosts using mod_ruid2 and cPanel jailshell in WHM's Tweak Settings interface (Home >> Server Configuration >> Tweak Settings).

Important:

This option is not available if you compile Apache with the MPM ITK module. You cannot use jailed shells with Apache's MPM ITK module.

Disadvantages

Does not scale well on CentOS version 5 and Red Hat® Enterprise Linux® version 5 (best with fewer than 256 users).

cagefs: RECOMMENDED

Related documentation

CloudLinux documentation

Advantages

CloudLinux™ and all other cPanel-supported platforms include this option.

Disadvantages
  • Requires CloudLinux
  • Requires that you run the command cagefsctl --update after you make changes.

Kernel + Apache solutions (good choices):

GRSec kernel patch 

Related documentation

grsecurity forums - Prevent Symlink Attack

Advantages

This option provides kernel-level protection.

Disadvantages
  • Requires a custom kernel.
  • Additional installation and maintenance burden.

Related documentation

Advantages

If you currently use CloudLinux, this option is already installed.

Disadvantages
  • The directive will not affect VirtualHosts that do not possess a specified user ID.
  • The directive does not function on an OpenVZ virtual private server (VPS).

Apache-level patches (last resort choices):

Warning:

We do not recommend the following options, because experienced malicious users can circumvent them. Only use one of these options as a last resort if you cannot implement any of the above options.

Bluehost.com-provided patch (available via EasyApache):

Related documentation

Bluehost.com

Advantages

You can install this option via EasyApache.

Disadvantages
  • This patch does not provide the same protection level as a kernel-level or a filesystem-level solution.
  • This patch may slow the performance of high-traffic servers.
  • Incompatible with Mailman.
  • Incompatible with CGI Center apps.

Rack911-provided patch

Related documentation

cPanel Forums Post

Advantages

This option runs more efficiently than the patch that EasyApache provides.

Disadvantages

This patch does not provide the protection level of a kernel-level or filesystem-level solution.

How to apply the symlink race condition patch available via EasyApache

To help solve this issue, cPanel & WHM offers the option to apply a third-party patch (Bluehost.com) to Apache 2.X that will prevent the race condition.

To apply the patch, select Symlink Race Condition Protection from the Exhaustive Options List stage of WHM's EasyApache interface (Home >> Software >> EasyApache (Apache Update)).

Warning:

  • By default, EasyApache does not apply this patch.
  • This patch may slow the performance of high-traffic servers.
  • If you already use a custom patch for the race condition (for example: FollowSymLinks_to_OwnerMatch.patch), you must either remove your custom patch or not enable EasyApache's Symlink Race Condition Protection option.
