Symptoms
On CloudLinux installations, a shared hosting user can create hard links to any file on the node. Some automatic provisioning tasks performed by Odin Automation Premium adjust permissions and ownership of files on the filesystem of a shared hosting node. By creating a hard link to a critical root-owned system file, a malicious shared hosting user can arrange for such a task to transfer ownership of that file to the user, then modify the file and effectively gain root access to the node.
Resolution
Linux kernel 3.6 introduced the fs.protected_hardlinks and fs.protected_symlinks options. fs.protected_hardlinks stops a user from hard-linking a file they do not own (unless they already have read and write access to it); the upstream fs.protected_symlinks restricts following symlinks in world-writable sticky directories rather than creating them. CloudLinux kernels ship their own variants, fs.protected_symlinks_create and fs.protected_hardlinks_create, which restrict the creation of links to files the user does not own. These protections are available in:
- CentOS 7 (kernel 3.10, which includes the upstream options).
- CloudLinux 6, starting from kernel 2.6.32-604.16.2.lve1.3.45.
Since this feature was not backported to CloudLinux 5 kernels, hosts running CloudLinux 5 remain vulnerable. We strongly recommend that partners migrate shared hosting services based on CloudLinux 5 to CloudLinux 6.
To secure hosting nodes against attacks of this kind, perform the following actions on all CloudLinux 6 hosts:
1. Upgrade the kernel to the latest version available in the CloudLinux repository using the yum utility, then reboot into the new kernel (the sysctl keys below do not exist until the new kernel is running):
# yum update kernel
2. Add the following lines to the /etc/sysctl.conf file:
fs.protected_symlinks_create = 1
fs.protected_hardlinks_create = 1
3. Apply the settings by executing:
# sysctl -p
If sysctl reports these keys as unknown, the host is still running the old kernel and the protection is not active.
For cases where users still need to be able to create symlinks and hard links to files they do not own:
- Create the group linksafe on each CloudLinux host.
- Make this group the group owner of the files to which such links should remain allowed.
- Keep the two lines from step 2 (the allow_gid keys only define an exception to that protection and enforce nothing on their own) and add the following lines to /etc/sysctl.conf:
fs.protected_symlinks_allow_gid = $GID
fs.protected_hardlinks_allow_gid = $GID
where $GID is the group id of the linksafe group, as shown by getent group linksafe.
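As an added example (not from the original article and not Odin or CloudLinux tooling), the procedure above as an idempotent POSIX shell script: it checks that the running kernel exposes the CloudLinux keys, writes the sysctl.conf lines including the optional linksafe exception, and verifies the effect by letting an unprivileged user try to hard-link a root-owned file. The function names, the SYSCTL_ROOT override and the apply entry point are assumptions of this example; the verification also passes on a mainline kernel with fs.protected_hardlinks = 1, because it tests the effect rather than a specific key.

```sh
#!/bin/sh
# Added example: helper for the Link Traversal Protection steps above.
# Not part of the original article or of Odin/CloudLinux tooling.
# SYSCTL_ROOT is an assumption of this script; it exists only so the
# kernel check can be pointed at a fake tree when testing without root.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# 0 if the running kernel exposes the CloudLinux keys, 1 otherwise
# (CloudLinux 5, or a CloudLinux 6 host not yet rebooted into the new kernel).
kernel_has_link_protection() {
    [ -f "$SYSCTL_ROOT/fs/protected_hardlinks_create" ] &&
    [ -f "$SYSCTL_ROOT/fs/protected_symlinks_create" ]
}

# Print the sysctl.conf fragment. $1 = optional GID of the linksafe group;
# the *_create keys stay at 1 because allow_gid only defines an exception.
render_link_protection_conf() {
    printf 'fs.protected_symlinks_create = 1\n'
    printf 'fs.protected_hardlinks_create = 1\n'
    if [ -n "${1:-}" ]; then
        printf 'fs.protected_symlinks_allow_gid = %s\n' "$1"
        printf 'fs.protected_hardlinks_allow_gid = %s\n' "$1"
    fi
}

# Idempotently write the fragment into $1 (normally /etc/sysctl.conf):
# drop any earlier fs.protected_*links_* lines, keep the rest, append ours.
install_link_protection() {
    conf="$1"
    tmp="$conf.tmp.$$"
    if [ -f "$conf" ]; then
        grep -v -E '^fs\.protected_(sym|hard)links_(create|allow_gid)' "$conf" > "$tmp" || :
    else
        : > "$tmp"
    fi
    render_link_protection_conf "${2:-}" >> "$tmp"
    mv "$tmp" "$conf"
}

# Root-only check of the actual effect: create a root-owned, mode-600 file in a
# world-writable directory and let $1 (an unprivileged user) try to hard-link it.
# Returns 0 = link refused (protected), 1 = link created (still vulnerable), 2 = setup error.
verify_hardlink_blocked() {
    victim="$1"
    dir=$(mktemp -d /tmp/linkcheck.XXXXXX) || return 2
    : > "$dir/root-owned" && chmod 600 "$dir/root-owned" && chmod 1777 "$dir" || { rm -rf "$dir"; return 2; }
    if su -s /bin/sh -c "ln '$dir/root-owned' '$dir/evil'" "$victim" 2>/dev/null; then
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"; return 0
}

# Assumed entry point, run as root:  sh link-protection.sh apply [linksafe]
if [ "${1:-}" = "apply" ]; then
    gid=""
    if [ -n "${2:-}" ]; then
        gid=$(getent group "$2" | cut -d: -f3)
        [ -n "$gid" ] || { echo "group $2 does not exist; create it first" >&2; exit 1; }
    fi
    kernel_has_link_protection || { echo "fs.protected_*_create keys missing: yum update kernel and reboot first" >&2; exit 1; }
    install_link_protection /etc/sysctl.conf "$gid"
    sysctl -p
    if verify_hardlink_blocked nobody; then
        echo "hard links to root-owned files are refused"
    else
        echo "WARNING: an unprivileged user could still hard-link a root-owned file" >&2; exit 1
    fi
fi
```

The verification deliberately uses a user that is not confined by CageFS (nobody): a caged user would not see the host's /tmp and the link would fail for the wrong reason, making a still-vulnerable node look protected.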
External reference: CageFS and Link Traversal Protection