Article ID: 129565, created on Oct 6, 2016, last review on Oct 13, 2016

Symptoms

On CloudLinux installations, shared hosting user can create hard links to any file on a node. Some automatic provisioning activities performed by Odin Automation Premium involve permission and ownership adjustments on a filesystem of a shared hosting node. By making hard link to a critical system file owned by root, malicious shared hosting user could simulate a situation when Odin Automation will transfer file's ownership to the user and effectively gain root access to node by modifying that file.

Resolution

Linux kernel starting from version 3.6 introduced fs.protected_hardlinks and fs.protected_symlinks kernel options, which were designed to prevent users from creating sym- and hardlinks to files they do not own. These changes have been backported to:

  1. CentOS 7.
  2. CloudLinux 6 starting from kernel 2.6.32-604.16.2.lve1.3.45

Since this feature was not backported to CloudLinux 5 kernels, these distributions will remain vulnerable. We strongly recommend our partners migrate shared hosting services based on CloudLinux 5 to CloudLinux 6.

To secure hosting nodes from attacks of this kind, the following actions are required on all CloudLinux 6 hosts:

  1. Upgrade kernel to latest version available in Cloud Linux repository via yum utility:

    # yum update kernel
    
  2. Add the following lines to /etc/sysctl.conf file:

    fs.protected_symlinks_create = 1
    fs.protected_hardlinks_create = 1
    
  3. Apply settings executing:

    # sysctl -p
    

For the cases where it is still needed for users to be able to create symlinks and hardlinks to files not owned by them, then:

  1. Create group linksafe on each Cloud Linux host.
  2. Apply ownership of this group to files, symlinks of which should be allowed.
  3. Instead of modification described on step 2, add to /etc/sysctl.conf the following lines:

    fs.protected_symlinks_allow_gid = $GID
    fs.protected_hardlinks_allow_gid = $GID
    

Where $GID is group id of linksafe group.

External reference: CageFS and Link Traversal Protection

Email subscription for changes to this article
Save as PDF