A symlink, also known as a soft link or symbolic link, is a file that points to another file or directory. It holds a text string that the operating system interprets as a path and follows automatically; the file or directory that path names is known as the 'target'. The symlink has its own inode, separate from the target's inode, so the two exist independently: deleting the symlink does not affect the target, and updating or removing the target does not update or delete the symlink. A symbolic link whose target no longer exists or has been moved is known as broken, orphaned, dead, or dangling. In this knowledgebase article, you learn what a symlink is, how symlink attacks work on shared hosting servers, and how to install the free symlink protection patchset on your CentOS server.
Create a Symlink in CentOS.
The symlink can be created for a file or directory in Community Enterprise Operating System (CentOS) using the below command:
$ ln -s [/path/to/file] [/path/to/symlink]
For example:
$ ln -s /user/abc/Downloads/xyz.pdf /user/abc/Documents
In the above example, a symlink named xyz.pdf is created inside the Documents folder, pointing to /user/abc/Downloads/xyz.pdf. Because the second argument is an existing directory, ln places the link inside it under the target's own file name. When the target is given as a relative path, it is resolved relative to the directory that contains the link, not the directory you ran ln from.
Symlink Attack:
The symlink attack is one of the most common methods of exploitation on shared hosting servers. In this attack, an attacker who already controls one account (for example, through a compromised website or a stolen user password) uses it to read files that belong to other accounts on the same server. The attacker creates a 'shortcut' (a symlink) inside their own web directory that points at another customer's files or at the web server's document root; because the web server runs under a single user for all accounts, it follows the link and serves the content. A common variant creates the link from a PHP script using PHP's symlink() function, so disabling that function (for example, through disable_functions in php.ini) and preventing customers from overriding the PHP configuration removes one route to the attack. These attacks are commonly seen against shared hosting accounts because all accounts share the same disk and the same web server process. By this process, the attackers often gain access to configuration files such as 'config.php' that belong to others, which typically contain database credentials.
Customers of a shared server get limited FTP access so that each end user can only see the contents of their own home directory. But an attacker can create a soft link from a sub-directory within their domain to the root (/) directory. The web server then follows it, and by browsing the link or running a short PHP script the attacker can read any file on the server that the web server user is permitted to read, including other customers' files. So it is essential to protect your server against symlink attacks.
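The following audit script is an added example, not part of the original article or of KernelCare. It walks the symlinks under each account's web root and flags the conditions a symlink attack relies on: a link whose target resolves outside the link owner's home directory, a link whose owner differs from the target's owner (the condition the kernel patchset described later enforces), and a dangling link. The directory layout ROOT/<user>/public_html, the user names alice and bob, and the sample files are all constructed for the demo; GNU coreutils (readlink -f, stat -c) are assumed.

```shell
#!/bin/sh
# Added example: audit symlinks under a shared-hosting tree for the patterns
# used in symlink attacks. Layout ROOT/<user>/public_html is an assumption.
# Requires GNU coreutils (readlink -f, stat -c). Not from the original article.

# audit_symlinks ROOT: print one line per suspicious link, in the form
#   ESCAPE   <link> -> <target>   target lies outside the owner's home
#   OWNER    <link> -> <target>   link owner uid != target owner uid
#   DANGLING <link> -> <raw>      target does not exist
audit_symlinks() {
    root=$(readlink -f "$1") || return 2
    for home in "$root"/*; do
        webroot="$home/public_html"
        [ -d "$webroot" ] || continue
        find "$webroot" -type l -print | while IFS= read -r link; do
            if [ ! -e "$link" ]; then
                # -e follows the link, so a dangling link tests false
                printf 'DANGLING %s -> %s\n' "$link" "$(readlink "$link")"
                continue
            fi
            target=$(readlink -f "$link")
            case "$target" in
                "$home"/*) ;;   # stays inside the owner's home: legitimate
                *) printf 'ESCAPE %s -> %s\n' "$link" "$target" ;;
            esac
            # stat without -L reports the link itself; with -L, the target.
            link_uid=$(stat -c %u "$link")
            target_uid=$(stat -L -c %u "$link")
            [ "$link_uid" = "$target_uid" ] || printf 'OWNER %s -> %s\n' "$link" "$target"
        done
    done
    return 0
}

# audit_count ROOT: number of findings (useful as a monitoring metric).
audit_count() { audit_symlinks "$1" | wc -l | tr -d ' '; }

# demo_tree: build a constructed sample tree in a temp dir and print its path.
# alice is the attacker, bob the victim; all files are owned by the caller,
# so only the ESCAPE and DANGLING checks can fire in this demo.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/public_html" "$d/bob/public_html"
    echo "<?php \$db_pass = 'secret';" > "$d/bob/public_html/config.php"
    echo "hello" > "$d/alice/public_html/index.html"
    ln -s index.html "$d/alice/public_html/home.html"                     # legitimate
    ln -s ../../bob/public_html/config.php "$d/alice/public_html/x.txt"   # attack link
    ln -s missing.html "$d/alice/public_html/gone.html"                   # dangling
    printf '%s\n' "$d"
}

# Usage: run the audit against the constructed tree (replace with /home on a real server).
DEMO=$(demo_tree)
audit_symlinks "$DEMO"
```

On a real server run `audit_symlinks /home` from cron; the OWNER check is the one that matters most there, since a customer cannot create a link owned by someone else, and the ESCAPE check additionally catches links into shared system paths such as /etc.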
Symlink Protection Patchset
The symlink protection patchset is free of cost for CentOS 6 and 7, even if you don't have a KernelCare license. It mainly protects shared hosting servers, including cPanel servers, against symlink attacks.
The symlink protection patchset provides only symlink protection and no other security fixes, so you still need to update to and reboot into each new CentOS kernel as it is released to keep the kernel secure. We suggest installing this patchset on CentOS 6 and CentOS 7 servers. It is also suggested to install 'Imunify360' on CentOS 6. CloudLinux OS ships with this protection compiled into its kernel.
Install the Free Symlink Protection Patchset
1) First, install the 'KernelCare client'. This does not mean that you need to purchase a license or even register for the KernelCare free trial. As with any remote install script, download and review it before piping it to bash:
$ curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash
2) Enable the free patch type. The 'free' patch type takes effect on the next update, which the --update flag triggers immediately:
$ kcarectl --set-patch-type free --update
3) Confirm that the patch is applied by running 'kcarectl --patch-info' in the terminal; you should see output similar to the one shown below:
$ kcarectl --patch-info
Result:
4) Edit the '/etc/sysconfig/kcare/sysctl.conf' file (create it if it does not exist) and add the lines below. The two fs.* keys exist only while the patch is loaded, so they belong in this KernelCare-specific file rather than in the regular /etc/sysctl.conf:
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48
5) Then execute the following two commands to apply the settings to the running kernel immediately:
$ sysctl -w fs.enforce_symlinksifowner=1
$ sysctl -w fs.symlinkown_gid=48
Note: Apache usually runs under GID 48 (group 'apache') on a standard RPM Apache installation, whereas on cPanel servers Apache runs as user 'nobody', GID 99. Set fs.symlinkown_gid to the GID your web server actually runs under; check with 'ps -o gid= -C httpd' or 'getent group apache' rather than assuming.
The attacker's goal is to trick the Apache web server into reading another user's PHP configuration or other sensitive files. With 'fs.enforce_symlinksifowner=1' enabled, any process running under the GID given in fs.symlinkown_gid is denied from following a symlink if the owner of the link does not match the owner of the target file. Because a customer cannot create a link owned by another account, links into other customers' files stop working for the web server, while each customer's links to their own files continue to work.
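The script below is an added example, not from the original article or from KernelCare, covering steps 4 and 5 above. Instead of hard-coding 48 or 99 it looks the GID up in the group database for the group name you pass in ('apache' on RPM installs, 'nobody' on cPanel), renders the two lines for /etc/sysconfig/kcare/sysctl.conf, and offers an apply-and-verify function that fails if the kernel does not expose the keys (patch not loaded) or the values did not take. The function names and the optional group-file argument are this example's own; sysctl(8) from procps is assumed.

```shell
#!/bin/sh
# Added example: derive the web server GID, render the KernelCare sysctl
# lines, and verify they took effect. Not from the original article.

# web_gid GROUPNAME [GROUPFILE]: print the numeric gid for GROUPNAME.
# GROUPFILE defaults to /etc/group; the argument exists so the lookup can be
# tested against a constructed file. Returns 1 if the group is absent.
web_gid() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "${2:-/etc/group}")
    [ -n "$gid" ] && printf '%s\n' "$gid"
}

# render_sysctl GID: the two lines to put in /etc/sysconfig/kcare/sysctl.conf.
render_sysctl() {
    printf 'fs.enforce_symlinksifowner = 1\nfs.symlinkown_gid = %s\n' "$1"
}

# apply_and_verify GID: set both keys in the running kernel and read them back.
# Needs root. Fails if the keys are missing (free patch not loaded yet) or if
# the values read back differ from what was written.
apply_and_verify() {
    sysctl -w fs.enforce_symlinksifowner=1 "fs.symlinkown_gid=$1" >/dev/null || return 1
    [ "$(sysctl -n fs.enforce_symlinksifowner)" = 1 ] || return 1
    [ "$(sysctl -n fs.symlinkown_gid)" = "$1" ] || return 1
}

# Usage: sh symlink-sysctl.sh apache      (or: nobody on a cPanel server)
# Prints the config lines; run apply_and_verify "$WEBGID" as root to enable live.
WEBGROUP=${1:-apache}
if WEBGID=$(web_gid "$WEBGROUP"); then
    render_sysctl "$WEBGID"
else
    echo "group '$WEBGROUP' not found; check which group your web server runs as" >&2
fi
```

If apply_and_verify fails with "No such file or directory" from sysctl, the free patch has not been loaded yet; re-run 'kcarectl --set-patch-type free --update' and check 'kcarectl --patch-info' before trying again.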