Harden CloudLinux – Symlink protection

CloudLinux has some handy settings to protect against symlink race conditions. Run the following commands to insert the necessary protections in /etc/sysctl.conf:

sed -zi '/fs\.enforce_symlinksifowner/!s/$/\nfs\.enforce_symlinksifowner=1/' /etc/sysctl.conf

sed -zi '/fs\.protected_symlinks_create/!s/$/\nfs\.protected_symlinks_create=1/' /etc/sysctl.conf

sed -zi '/fs\.protected_hardlinks_create/!s/$/\nfs\.protected_hardlinks_create=1/' /etc/sysctl.conf

sed -zi '/fs\.process_symlinks_by_task/!s/$/\nfs\.process_symlinks_by_task=1/' /etc/sysctl.conf

If you're running cPanel, you can also run the following additional command, which ensures that Apache refuses to follow symlinks pointing at files belonging to a user other than the one who owns the link. This prevents user1 from creating a symlink to user2's files:

sed -zi '/fs\.symlinkown_gid/!s/$/\nfs\.symlinkown_gid=99/' /etc/sysctl.conf
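The same procedure as a small idempotent script, added here as an example and not part of the original post. It takes the config file path as a parameter so it can be tried on a scratch copy before touching /etc/sysctl.conf; the include_cpanel flag and the check_running helper are my own additions, and it assumes GNU sed (for -i) and that sysctl is on PATH for the live check.

```shell
#!/bin/sh
# Added example, not from the original post: apply the CloudLinux
# symlink-protection sysctls idempotently, then compare with the live kernel.

# Print the key=value pairs the post recommends; the cPanel-only key is
# included when $1 is 1 (99 is the GID of "nobody", which Apache runs as
# on cPanel).
symlink_settings() {
    printf '%s\n' fs.enforce_symlinksifowner=1 fs.protected_symlinks_create=1 \
        fs.protected_hardlinks_create=1 fs.process_symlinks_by_task=1
    if [ "${1:-0}" = 1 ]; then printf '%s\n' fs.symlinkown_gid=99; fi
}

# ensure_setting FILE KEY=VALUE: rewrite an existing uncommented "key = x"
# line or append one. Unlike "sed -z 's/$/\nkey=1/'", this keeps the file's
# trailing newline and corrects a wrong value instead of leaving a duplicate.
ensure_setting() {
    local file=$1 key=${2%%=*} value=${2#*=} re
    re=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots literal in the regex
    if grep -Eq "^[[:space:]]*${re}[[:space:]]*=" "$file"; then
        sed -i -E "s/^[[:space:]]*${re}[[:space:]]*=.*/${key} = ${value}/" "$file"
    else
        # add the newline the last line may be missing before appending
        if [ -s "$file" ] && [ -n "$(tail -c1 "$file")" ]; then echo >> "$file"; fi
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_symlinks FILE [include_cpanel]
harden_symlinks() {
    for kv in $(symlink_settings "${2:-0}"); do ensure_setting "$1" "$kv"; done
}

# check_running [include_cpanel]: list keys whose live value differs from the
# desired one; returns 0 when all match. Run "sysctl -p" after editing the
# file so the kernel picks up the new values (this function only reads).
check_running() {
    local kv key want have rc=0
    for kv in $(symlink_settings "${1:-0}"); do
        key=${kv%%=*}; want=${kv#*=}
        have=$(sysctl -n "$key" 2>/dev/null) || have="(not exposed by this kernel)"
        if [ "$have" != "$want" ]; then echo "$key: have $have, want $want"; rc=1; fi
    done
    return $rc
}

# Usage (as root): harden_symlinks /etc/sysctl.conf 1 && sysctl -p && check_running 1
```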