Symlink Race Condition Protection
Last modified: August 28, 2019
This document explains how to implement symlink race condition protection on systems that run EasyApache 4.
The symlink race condition vulnerability
The Global Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration >> Global Configuration) allows you to configure various Apache options that reside in the root (
The FollowSymlinks option exposes Apache to a symlink security vulnerability. This symlink vulnerability allows a malicious user to serve files from anywhere on a server that strict operating system-level permissions do not protect.
The SymLinksIfOwnerMatch option exposes Apache to a race condition through symlinks. This vulnerability allows a malicious user to change a symlink multiple times during the interval between when Apache checks for a file’s presence and creates the file. This action allows the malicious user to inject malicious content that links to a user-owned file.
For more information about symlink races, read Wikipedia’s Symlink race article.
Ways to address the vulnerability
KernelCare patch sets
- We only offer these options for systems that run on standard CentOS 6 and CentOS 7 kernels.
- For more information about KernelCare and its symlink protection options, read the KernelCare documentation.
KernelCare provides two patches that offer symlink protection for systems that run CentOS 6 and CentOS 7:
- Extra — If you purchase and install KernelCare, you can also install the KernelCare “Extra” Patchset, which includes KernelCare Symlink Protection.
- Free — If you do not install KernelCare, you can install KernelCare’s Free Patch Set, which includes KernelCare Free Symlink Protection. If you install the Free Patch Set and then later purchase and install KernelCare, the “Extra” Patchset will replace the Free Patch Set.
If you install either option, disable the Symlink Protection option in the Global Configuration section of WHM’s Apache Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration).
- We offer both of these options via WHM’s Security Advisor interface (WHM >> Home >> Security Center >> Security Advisor).
- Both of these options install the KernelCare Client, which automatically manages KernelCare software updates.
We strongly recommend that you use CloudLinux’s CageFS to address the race condition vulnerability. We support this option on all cPanel & WHM platforms that run on CloudLinux™. If you change your cagefs configuration settings, you must run the cagefsctl --update command to implement these changes on your system.
For more information, read the CloudLinux documentation.
cPanel & WHM provides a hardened kernel update as a safe option to address the race condition vulnerability. We only support this option on CentOS 6 64-bit systems. You cannot use this option with container-based systems.
For more information, read the How to Harden Your cPanel System’s Kernel documentation.
We deprecated the cPanel-provided hardened-kernel update in cPanel & WHM version 68, and we no longer offer it in cPanel & WHM version 70 and later. We strongly recommend that you manually remove the hardened kernel and consider KernelCare’s symlink protection options. For more information about KernelCare, read the KernelCare documentation.
GRSec kernel patch
The GRSec kernel patch provides a safe option to address the race condition vulnerability. This patch provides kernel-level protection against race conditions. However, to use it, you must use a custom kernel, which requires additional installation and maintenance.
CloudLinux SecureLinks provides a safe option to address the race condition vulnerability. This option prevents symlink attacks at the kernel level. CloudLinux installs this option by default, but it does not affect virtual hosts that do not specify a user ID.
For more information, read the CloudLinux documentation.
The Bluehost patch with cPanel modifications
We recommend that you only use this patch if you cannot implement any of the other options. Malicious users could circumvent this patch.
cPanel & WHM provides only the Bluehost.com patch, with some modifications. We provide this patch with EasyApache 4, but it does not protect as reliably as kernel-level or file-system-level solutions. This patch can slow the performance of high-traffic servers and is not compatible with Mailman or CGI Center applications.
About the Bluehost patch
The Bluehost patch improves Apache’s ability to detect a race condition. The Bluehost patch modifies Apache and the Apache Portable Runtime (APR) library so that Apache cannot access certain files. The patch helps to ensure that the system can only access files that the domain’s owner owns. However, the Bluehost patch only affects requests for static files, such as .html and image files. The Bluehost patch does not affect requests that the system processes with application content handlers, such as the mod_suphp Apache module.
If your system does not handle requests on a per-user basis, then the system serves requests as the nobody user. When an application creates files that the nobody user owns, the file’s owner does not match the domain’s owner. Because the patch prevents access to static content that does not match the owner, the user cannot view these files.
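The race described above, and the owner-match rule the Bluehost patch enforces, both come down to one point: an ownership check on a path name says nothing about the file a later open resolves to, because the link can be rewritten in between. The Python below is an added illustration, not code from cPanel, KernelCare or the Bluehost patch. It contrasts the racy check-then-open pattern with the form that verifies ownership on the descriptor that was actually opened, which closes the window regardless of how the link is changed. The function names (racy_serve, serve_if_owner_matches, demo) are hypothetical, the sample files are constructed, and the domain owner is simulated with the current user’s uid.

```python
import os
import stat
import tempfile


def racy_serve(path, expected_uid):
    """Check-then-use: the pattern a symlink race defeats.

    The owner check inspects whatever `path` resolves to *now*; the open a
    moment later resolves whatever `path` points to *then*. If the link is
    rewritten in between, the check says nothing about the file served.
    Shown for contrast only.
    """
    if os.stat(path).st_uid != expected_uid:   # check on the path name...
        raise PermissionError("owner mismatch")
    with open(path, "rb") as fh:               # ...separate, later use of it
        return fh.read()


def serve_if_owner_matches(path, expected_uid):
    """Race-free variant: open first, then verify the object actually opened.

    fstat() describes the file behind the descriptor, so a link swapped after
    open() cannot change what is checked, and a link that already pointed at
    a foreign-owned file is refused because that file's uid is what we see.
    """
    fd = os.open(path, os.O_RDONLY | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):      # refuse directories, FIFOs, devices
            raise PermissionError("not a regular file")
        if st.st_uid != expected_uid:         # owner of the opened file, not the name
            raise PermissionError("owner mismatch")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as fh:           # fdopen takes ownership of fd
        return fh.read()


def demo():
    """Constructed sample tree (not from the page): a static file owned by the
    current user, a symlink to it, and the directory itself. The domain owner
    is simulated with the current uid; a uid that cannot match stands in for a
    link whose target belongs to another account."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as docroot:
        page = os.path.join(docroot, "index.html")
        with open(page, "w") as fh:
            fh.write("<h1>hello</h1>")
        link = os.path.join(docroot, "link.html")
        os.symlink(page, link)

        results["racy_own_file"] = racy_serve(page, me) == b"<h1>hello</h1>"
        results["own_file"] = serve_if_owner_matches(page, me) == b"<h1>hello</h1>"
        results["link_same_owner"] = serve_if_owner_matches(link, me) == b"<h1>hello</h1>"
        try:
            serve_if_owner_matches(link, me + 1)   # target owned by someone else
            results["link_other_owner"] = "served"
        except PermissionError:
            results["link_other_owner"] = "denied"
        try:
            serve_if_owner_matches(docroot, me)    # not a regular file
            results["directory"] = "served"
        except PermissionError:
            results["directory"] = "denied"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is where the check sits: serve_if_owner_matches never trusts the path after open(), so the only thing an attacker can influence is which file gets opened, and that file is then judged on its own ownership. This is the same property the kernel-level options above provide for every process on the box, rather than for one code path.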
Enable the symlink race condition patch with EasyApache 4
To use the symlink protection patch, select On for the Symlink Protection option in the Global Configuration section of WHM’s Apache Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration >> Global Configuration).
This option only appears in the user interface on systems that run cPanel & WHM version 62 or higher. If you use a different version of cPanel & WHM, you must enable the patch manually.
To enable the patch manually, set the following directives:
- EasyApache 4 does not apply this patch by default.
- This patch may slow the performance of high-traffic servers.
- If you already use a custom patch for the race condition (such as the FollowSymLinks_to_OwnerMatch.patch), you must either remove your custom patch or not enable the Symlink Protection option.