Introduction:
Symlink protections play a crucial role in preventing unauthorized access to files outside a user's designated directories. CloudLinux servers offer several options to address this; the most widely supported option for cPanel is "SecureLinks," which comes pre-enabled.
Procedure:
To ensure effective symlink protection, confirm that the following kernel settings are enabled:
- fs.enforce_symlinksifowner = 1
- fs.process_symlinks_by_task = 1
- fs.symlinkown_gid = 99
You can verify these settings using "sysctl" commands:
sysctl fs.enforce_symlinksifowner
sysctl fs.process_symlinks_by_task
sysctl fs.symlinkown_gid
To check all three settings at once, use:
sysctl -a | grep -E 'enforce_symlinksifowner|process_symlinks_by_task|symlinkown_gid'
Ensure the output matches the following:
fs.enforce_symlinksifowner = 1
fs.process_symlinks_by_task = 1
fs.symlinkown_gid = 99
If these values are not set, you can configure them by following these steps:
1. Edit the file /etc/sysctl.d/90-cloudlinux.conf using a text editor such as vi, vim, or nano.
2. If the symlink protection options are not already defined, add the following lines. If they are defined, update them to the specified values:
fs.enforce_symlinksifowner = 1
fs.process_symlinks_by_task = 1
fs.symlinkown_gid = 99
3. Reload sysctl to apply the changes:
sysctl --system
Note: CloudLinux typically defines these protections by default. If the values are already set, no additional action is required.
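The verification steps above can be scripted. The following is an added example, not part of the original article or any CloudLinux tooling; the function name check_symlink_sysctl and the sample input are assumptions made for illustration. It reads sysctl-style "key = value" lines and reports each of the three settings as OK, MISMATCH, or MISSING against the values listed above.

```shell
#!/bin/sh
# Added example (not CloudLinux code): audit the three symlink-protection keys.
# Expected values are the ones listed in this article.
EXPECTED='fs.enforce_symlinksifowner=1
fs.process_symlinks_by_task=1
fs.symlinkown_gid=99'

# Reads "key = value" lines on stdin (sysctl output or a sysctl.d file),
# prints OK / MISMATCH / MISSING per key, returns 0 only if all three match.
check_symlink_sysctl() {
    input=$(cat)
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # Skip comment lines; if a key repeats, the last assignment is used.
        got=$(printf '%s\n' "$input" | awk -F= -v k="$key" '
            /^[[:space:]]*[#;]/ { next }
            { name = $1; gsub(/[[:space:]]/, "", name) }
            name == k { val = $2; gsub(/[[:space:]]/, "", val) }
            END { print val }')
        if [ -z "$got" ]; then
            echo "MISSING  $key (want $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key = $got (want $want)"; rc=1
        else
            echo "OK       $key = $got"
        fi
    done
    return $rc
}

# Constructed sample: a config in which one key drifted and one is absent.
SAMPLE_DRIFTED='# constructed sample, not from a real server
fs.enforce_symlinksifowner = 0
fs.process_symlinks_by_task = 1'

printf '%s\n' "$SAMPLE_DRIFTED" | check_symlink_sysctl \
    || echo "symlink protection is not fully configured"

# On a live server the same function can be fed either source:
#   sysctl -a 2>/dev/null | check_symlink_sysctl
#   check_symlink_sysctl < /etc/sysctl.d/90-cloudlinux.conf
```

Running it against both the live sysctl output and the configuration file shows whether the running values and the persisted values agree.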