How to Prevent Creating Symbolic Links for non root users


Taken from WHT post:

I hate cPanel's stance on this, so we have created a patch and have been using it for some time. It turns FollowSymLinks into SymLinksIfOwnerMatch at the Apache source code level.

We currently are working on rewriting the patch, and part of apache to take care of some possible race conditions. But given the rare race condition possibility, this is by far a better option than causing everyone to have to reconfigure their .htaccess files or allowing your server to be wide open to attack.

How to install our patch (Apache 2.2 only):

wget -O /scripts/before_apache_make 
chmod 700 /scripts/before_apache_make
#Rebuild apache after. 

If you have any issues, let us know, we would be interested in hearing it.
If you want to thank us, you're free to do that as well.

When trying to access a file located in another account via a symlink, you will see this in the error log:

[Sun Nov 06 05:06:23 2011] [error] [client xxxxxx] Symbolic link not allowed or link target not accessible: /home/xxxxx/public_html/1/confirm.txt

Also, find out if you're already a victim:

find /home*/*/public_html -type l
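The find above lists every symlink under the account web roots, but it does not tell you which of them SymLinksIfOwnerMatch would actually refuse. The script below is an added example, not part of the WHT post or of the patch it describes: it applies the same ownership test the directive uses (link owner must equal target owner) and also reports links whose target does not resolve, which is the other case behind the "link target not accessible" error. It assumes GNU coreutils (stat -c, readlink -f) and the /home/<user>/public_html layout from the post; the fixture directory and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the WHT post): audit a web root the way
# SymLinksIfOwnerMatch would judge it. A link is reported when the owner of
# the link and the owner of the resolved target differ, or when the target
# does not resolve. Assumes GNU coreutils (stat -c, readlink -f).

# Print one line per suspicious link under the given root:
#   DANGLING <link>
#   OWNER_MISMATCH <link> <link_uid> <target_uid>
audit_symlinks() {
    find "$1" -type l -print | while IFS= read -r link; do
        link_uid=$(stat -c %u -- "$link")              # owner of the link inode itself
        target=$(readlink -f -- "$link" 2>/dev/null || true)
        if [ -z "$target" ] || [ ! -e "$target" ]; then
            printf 'DANGLING %s\n' "$link"
            continue
        fi
        target_uid=$(stat -c %u -- "$target")          # owner of what the link points at
        if [ "$link_uid" != "$target_uid" ]; then
            printf 'OWNER_MISMATCH %s %s %s\n' "$link" "$link_uid" "$target_uid"
        fi
    done
}

# Number of suspicious links under the root (usable from a cron check).
count_suspicious() {
    audit_symlinks "$1" | wc -l | tr -d ' '
}

# Constructed fixture standing in for /home/*/public_html. An unprivileged
# shell cannot create files under a second uid, so the fixture exercises the
# allowed case (same owner) and the dangling case; on a real host a link
# from one account into another shows up as OWNER_MISMATCH.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/public_html" "$d/bob/public_html"
    printf 'hello\n' > "$d/alice/public_html/index.html"
    # same owner as its target: SymLinksIfOwnerMatch allows this one
    ln -s "$d/alice/public_html/index.html" "$d/alice/public_html/ok.lnk"
    # points at a file that does not exist: reported as DANGLING
    ln -s "$d/bob/public_html/confirm.txt" "$d/alice/public_html/stolen.lnk"
    printf '%s\n' "$d"
}

# Stand-alone run: build the fixture, audit it, clean up.
demo_root=$(make_fixture)
audit_symlinks "$demo_root"
rm -rf "$demo_root"
```

On a production host run `audit_symlinks /home` (or the narrower `/home*/*/public_html` path from the post) as root so that every account's files are readable; a non-empty OWNER_MISMATCH list is exactly the set of links the patched Apache will refuse to follow.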

How to remove:

rm -f /scripts/before_apache_make
#Rebuild apache after. 
Posted on: 05/03/2013