Symlink Race Condition Protection


Last modified: May 2, 2023

Overview

This document explains how to implement symlink race condition protection on systems that run EasyApache 4.

WHM’s Global Configuration interface (WHM » Home » Service Configuration » Apache Configuration » Global Configuration) allows you to configure various Apache options that reside in the root (/) directory.

The FollowSymlinks option exposes Apache to a symlink security vulnerability. This symlink vulnerability allows a malicious user to serve files from anywhere on a server that strict operating system-level permissions do not protect.

The SymLinksIfOwnerMatch option exposes Apache to a race condition through symlinks. This vulnerability allows a malicious user to change a symlink multiple times during the interval between when Apache checks for a file’s presence and creates the file. This action allows the malicious user to inject malicious content that links to a user-owned file.

For more information about symlink races, read Wikipedia’s Symlink race article.

Ways to address the vulnerability

KernelCare patch sets

Note:

KernelCare provides two patches that offer symlink protection for systems that run CentOS 7, Rocky Linux, or AlmaLinux kernels:

  • Extra — If you purchase and install KernelCare, you can also install the KernelCare “Extra” Patchset, which includes KernelCare Symlink Protection.

  • Free — If you do not install KernelCare, you can install KernelCare’s Free Patch Set, which includes KernelCare Free Symlink Protection. If you install the Free Patch Set and then later purchase and install KernelCare, the “Extra” Patchset will replace the Free Patch Set.

If you install either option, disable the Symlink Protection option in the Global Configuration section of WHM’s Apache Configuration interface (WHM » Home » Service Configuration » Apache Configuration).

  • We offer both of these options via WHM’s Security Advisor interface (WHM » Home » Security Center » Security Advisor).

  • Both of these options install the KernelCare Client, which automatically manages KernelCare software updates.

cagefs

We strongly recommend that you use this option to address the race condition vulnerability. We support this option on all cPanel & WHM platforms that run on CloudLinux™. If you change your cagefs configuration settings, you must run the cagefsctl --update command to implement these changes on your system.

For more information, read the CloudLinux documentation.

Warning:
If you enable cagefs on a server that runs CloudLinux, you may cause a security vulnerability with symlinks to files outside of the caged directory. To solve this issue, you must enable link traversal protection. For more information, read CloudLinux’s Link traversal protection documentation.

GRSec kernel patch

The GRSec kernel patch provides a safe option to address the race condition vulnerability. This patch provides kernel-level protection against race conditions. However, to use it, you must use a custom kernel, which requires additional installation and maintenance.

For more information, read the Prevent Symlink Attack information on the grsecurity forums.

Warning:

We deprecated and removed detection for the GRSec kernel patch in cPanel & WHM version 70 and later. We strongly recommend that you use the KernelCare “Extra” Patchset from CloudLinux™. For more information, read the KernelCare documentation.

CloudLinux SecureLinks

CloudLinux SecureLinks provides a safe option to address the race condition vulnerability. This option prevents symlink attacks at the kernel level. CloudLinux installs this option by default, but it does not affect virtual hosts that do not specify a user ID.

For more information, read the CloudLinux documentation.

The Bluehost patch with cPanel modifications

Important:

We recommend that you only use this patch if you cannot implement any of the other options. Malicious users could circumvent this patch.

cPanel & WHM provides only the Bluehost.com patch, with some modifications. We provide this patch with EasyApache 4, but it does not provide protection as reliable as kernel-level or file-system-level solutions. This patch can slow the performance of high-traffic servers and is not compatible with Mailman or CGI Center applications.

About the Bluehost patch

The Bluehost patch improves Apache’s ability to detect a race condition. The Bluehost patch modifies Apache and the Apache Portable Runtime (APR) library so that Apache cannot access certain files. The patch helps to ensure that the system can only access files that the domain’s owner owns. However, the Bluehost patch only affects requests for static files such as .html and image files. The Bluehost patch does not affect requests that the system processes with application content handlers such as the mod_php, mod_ruid2, mod_cgi, and mod_suphp Apache modules.

If your system does not handle requests on a per-user basis, then the system serves requests as the nobody user. When an application creates files that the nobody user owns, the file’s owner does not match the domain’s owner. Because the patch prevents access to static content that does not match the owner, the user cannot view these files.
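The race described above exists because a path-based ownership check and the subsequent open of that same path can be answered by two different files. The following is an added illustration of the defensive pattern behind owner-matching protection (it is not code from cPanel, the Bluehost patch, or Apache): each component below the document root is opened relative to the previous directory descriptor with O_NOFOLLOW, and the owner is read with fstat() from the open descriptor, so the check and the read refer to the same inode. The function names, the uid comparison and the sample directory layout in the comments are assumptions for this example.

```python
import errno
import os
import stat


def open_owned_file(docroot: str, rel_path: str, expected_uid: int) -> int:
    """Open docroot/rel_path and return a descriptor only if the file that was
    actually opened is a regular file owned by expected_uid (hypothetical API).

    Every component is opened relative to the previous directory descriptor
    with O_NOFOLLOW, so a symlink anywhere below the docroot is refused, and
    the owner is read with fstat() from the open descriptor: the check and the
    later read describe the same inode, which closes the window that a
    stat()-then-open() sequence on a path leaves for a racing symlink swap.
    """
    if rel_path.startswith("/") or ".." in rel_path.split("/"):
        raise PermissionError(f"refusing path outside docroot: {rel_path!r}")
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
    # The docroot itself is administrator-configured, so it may be a symlink.
    fd = os.open(docroot, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    try:
        for part in filter(None, rel_path.split("/")):
            try:
                nxt = os.open(part, flags, dir_fd=fd)
            except OSError as exc:
                if exc.errno == errno.ELOOP:  # O_NOFOLLOW hit a symlink
                    raise PermissionError(
                        f"symlink refused at {part!r} in {rel_path!r}") from None
                raise
            os.close(fd)
            fd = nxt
        st = os.fstat(fd)  # describes the descriptor, not a path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"not a regular file: {rel_path!r}")
        if st.st_uid != expected_uid:
            raise PermissionError(
                f"{rel_path!r} owned by uid {st.st_uid}, expected {expected_uid}")
    except BaseException:
        os.close(fd)
        raise
    return fd


def read_owned_file(docroot: str, rel_path: str, expected_uid: int) -> bytes:
    """Return the file's bytes, or raise PermissionError when the owner check
    fails, a symlink is encountered, or the path escapes the docroot."""
    with os.fdopen(open_owned_file(docroot, rel_path, expected_uid), "rb") as fh:
        return fh.read()
```

A file created by the nobody user under a docroot owned by another account fails the uid comparison in the same way the text describes for the patch, which is why such content must be audited before owner-matching is enabled.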

To use the symlink protection patch, select On for the Symlink Protection option in the Global Configuration section of WHM’s Apache Configuration interface (WHM » Home » Service Configuration » Apache Configuration » Global Configuration).

Note:

This option only appears in the user interface on systems that run cPanel & WHM version 62 or higher. If you use a different version of cPanel & WHM, you must enable the patch manually.

To enable the patch manually, set the following directives:

  SymlinkProtect On|Off
  SymlinkProtectRoot /var/www/html

Warning:
  • EasyApache 4 does not apply this patch by default.
  • This patch may slow the performance of high-traffic servers.
  • If you already use a custom patch for the race condition (such as the FollowSymLinks_to_OwnerMatch.patch), you must either remove your custom patch or not enable the Symlink Protection option.

Additional Documentation