On CloudLinux installations, a shared hosting user can create hard links to any file on a node. Some automatic provisioning activities performed by Odin Automation Premium involve permission and ownership adjustments on the filesystem of a shared hosting node. By making a hard link to a critical system file owned by root, a malicious shared hosting user could engineer a situation in which Odin Automation transfers the file's ownership to the user, who can then effectively gain root access to the node by modifying that file.
Linux kernels starting from version 3.6 introduced the fs.protected_symlinks kernel options, which were designed to prevent users from creating symlinks and hardlinks to files they do not own. These changes have been backported to:
- CentOS 7.
- CloudLinux 6 starting from kernel
Since this feature was not backported to CloudLinux 5 kernels, that distribution remains vulnerable. We strongly recommend that our partners migrate shared hosting services based on CloudLinux 5 to CloudLinux 6.
To secure hosting nodes from attacks of this kind, the following actions are required on all CloudLinux 6 hosts:
1. Upgrade the kernel to the latest version available in the CloudLinux repository:
# yum update kernel
2. Add the following lines to the /etc/sysctl.conf file:
fs.protected_symlinks_create = 1
fs.protected_hardlinks_create = 1
3. Apply the settings by executing:
# sysctl -p
If users still need to be able to create symlinks and hardlinks to files not owned by them:
- Create the group linksafe on each CloudLinux host.
- Give that group ownership of the files to which symlinks and hardlinks should be allowed.
- Instead of the modification described in step 2, add the following lines to /etc/sysctl.conf:
fs.protected_symlinks_allow_gid = $GID
fs.protected_hardlinks_allow_gid = $GID
where $GID is the group id of
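As an added example (not part of this advisory or of the Odin Automation product), a small audit script that reads a sysctl.conf-style file and reports which of the two configurations above is in effect: link creation blocked outright, or restricted to one group. The file path and the example GID values in the comments are assumptions.

```shell
#!/bin/sh
# Audit helper (added example): decide whether the CloudLinux link-traversal
# protection from the advisory is configured in a sysctl.conf-style file.
# Works on /etc/sysctl.conf as well as on a saved `sysctl -a` dump, since
# both use "key = value" lines.

# sysctl_value FILE KEY
# Prints the effective value of KEY in FILE: comments (# or ;) and blank
# lines are ignored and the last assignment wins; prints nothing if unset.
sysctl_value() {
    sed -e 's/[#;].*//' "$1" |
        awk -v key="$2" -F= '
            {
                k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
                if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v) }
            }
            END { print v }'
}

# link_protection_status FILE
# Prints "blocked" when both *_create settings are 1 (step 2 of the advisory),
# "group-restricted" when both *_allow_gid settings name the same numeric
# group (the linksafe variant), otherwise "unprotected". Exit status is 0 for
# the first two outcomes and 1 for "unprotected".
link_protection_status() {
    sc=$(sysctl_value "$1" fs.protected_symlinks_create)
    hc=$(sysctl_value "$1" fs.protected_hardlinks_create)
    sg=$(sysctl_value "$1" fs.protected_symlinks_allow_gid)
    hg=$(sysctl_value "$1" fs.protected_hardlinks_allow_gid)
    if [ "$sc" = 1 ] && [ "$hc" = 1 ]; then
        echo blocked; return 0
    fi
    # The allow_gid variant only counts if it is a numeric gid (e.g. 1004 for
    # an assumed linksafe group) and symlinks and hardlinks agree on it.
    case "$sg" in
        ''|*[!0-9]*) echo unprotected; return 1 ;;
    esac
    if [ "$sg" = "$hg" ]; then
        echo group-restricted; return 0
    fi
    echo unprotected; return 1
}

# Usage: sh check_links.sh /etc/sysctl.conf
if [ "$#" -gt 0 ]; then
    link_protection_status "$1"
fi
```

To audit the running kernel rather than the config file, save `sysctl -a` to a file and pass that path instead.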
External reference: CageFS and Link Traversal Protection