Symptoms
On CloudLinux installations, shared hosting user can create hard links to any file on a node. Some automatic provisioning activities performed by Odin Automation Premium involve permission and ownership adjustments on a filesystem of a shared hosting node. By making hard link to a critical system file owned by root, malicious shared hosting user could simulate a situation when Odin Automation will transfer file's ownership to the user and effectively gain root access to node by modifying that file.
Resolution
Linux kernel starting from version 3.6 introduced fs.protected_hardlinks and fs.protected_symlinks kernel options, which were designed to prevent users from creating sym- and hardlinks to files they do not own. These changes have been backported to:
- CentOS 7.
- CloudLinux 6 starting from kernel
2.6.32-604.16.2.lve1.3.45
Since this feature was not backported to CloudLinux 5 kernels, these distributions will remain vulnerable. We strongly recommend our partners migrate shared hosting services based on CloudLinux 5 to CloudLinux 6.
To secure hosting nodes from attacks of this kind, the following actions are required on all CloudLinux 6 hosts:
Upgrade kernel to latest version available in Cloud Linux repository via
yumutility:# yum update kernelAdd the following lines to /etc/sysctl.conf file:
fs.protected_symlinks_create = 1 fs.protected_hardlinks_create = 1Apply settings executing:
# sysctl -p
For the cases where it is still needed for users to be able to create symlinks and hardlinks to files not owned by them, then:
- Create group
linksafeon each Cloud Linux host. - Apply ownership of this group to files, symlinks of which should be allowed.
Instead of modification described on step 2, add to /etc/sysctl.conf the following lines:
fs.protected_symlinks_allow_gid = $GID fs.protected_hardlinks_allow_gid = $GID
Where $GID is group id of linksafe group.
External reference: CageFS and Link Traversal Protection