How To Protect Hard and Symbolic Links in CentOS/RHEL 7

In Linux, hard and soft (symbolic) links are references to files. If they are not protected well, weaknesses in how programs handle them can be exploited by malicious system users or attackers.

A common vulnerability is the symlink race. It is a security vulnerability in software that arises when a program creates files insecurely (especially temporary files), allowing a malicious system user to create a symbolic (soft) link in place of such a file.


In practice it happens like this: a program checks whether a temp file exists and, if it doesn't, creates the file. But in the short period of time between checking for the file and creating it, an attacker can create a symbolic link with that name pointing to a file that he or she is not permitted to access.

So when the program, running with valid privileges, creates the file with the same name as the link created by the attacker, it actually creates the target (linked-to) file the attacker was intending to access. This could give the attacker a pathway to steal sensitive information from the root account or execute a malicious program on the system.

Therefore, in this article, we will show you how to secure hard and symbolic links from malicious users or hackers in CentOS/RHEL 7 distributions.

CentOS/RHEL 7 has a vital security feature that permits links to be created or followed by programs only if certain conditions are satisfied, as described below.

For Hard Links

For a system user to create a hard link, one of the following conditions has to be fulfilled.

  • The user can only link to files that he or she owns.
  • The user must first have read and write access to the file that he or she wants to link to.

For Symbolic Links

Processes are only allowed to follow symbolic links that are outside of world-writable directories (directories that other users are allowed to write to) that have the sticky bit set; otherwise, one of the following has to be true.

  • The process following the symbolic link is the owner of the symbolic link.
  • The owner of the directory is also the owner of the symbolic link.

Enable or Disable Protection on Hard and Symbolic Links

By default, this feature is enabled through the kernel parameters set in the file /usr/lib/sysctl.d/50-default.conf (a value of 1 means enabled).

fs.protected_hardlinks = 1
fs.protected_symlinks = 1

However, if for one reason or another you want to disable this security feature, create a file called /etc/sysctl.d/51-no-protect-links.conf with the kernel options below (a value of 0 means disabled).

Take note of the 51 in the filename (51-no-protect-links.conf): the file has to be read after the default file in order to override the default settings.

fs.protected_hardlinks = 0
fs.protected_symlinks = 0

Save and close the file. Then use the command below to apply the above changes (this command loads settings from each and every system configuration file).

# sysctl --system
OR
# sysctl -p #on older systems
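
An added example, not part of the original article: a shell sketch that works out which sysctl.d file decides the two link-protection keys, which is how an override such as the 51- file above shows up in an audit. It uses a simplified model of `sysctl --system` (files applied in lexical order of file name, last assignment wins); the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Simplified model: *.conf files apply in lexical order of file name, last
# assignment wins. Not modelled: shadowing, /etc/sysctl.conf, spaces in paths.

effective_sysctl() {    # effective_sysctl KEY DIR...  prints "VALUE FILE"
    key=$1; shift
    files=$(for d in "$@"; do
                for f in "$d"/*.conf; do
                    [ -f "$f" ] && printf '%s %s\n' "${f##*/}" "$f"
                done
            done | LC_ALL=C sort -s -k1,1 | cut -d' ' -f2-)
    [ -n "$files" ] || return 1
    awk -v key="$key" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        { line = $0; sub(/^[ \t]*-?/, "", line)     # leading "-" is allowed
          n = index(line, "="); if (n == 0) next
          k = substr(line, 1, n - 1); v = substr(line, n + 1)
          gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) { val = v; src = FILENAME } }
        END { if (src == "") exit 1; print val, src }' $files
}

audit_link_protection() {    # audit_link_protection DIR...  (0 = both keys are 1)
    rc=0
    for k in fs.protected_hardlinks fs.protected_symlinks; do
        if res=$(effective_sysctl "$k" "$@"); then
            case $res in
                "1 "*) echo "OK    $k = 1 (${res#* })" ;;
                *)     echo "WEAK  $k = ${res%% *} (set by ${res#* })"; rc=1 ;;
            esac
        else
            echo "UNSET $k (not assigned in the scanned files)"; rc=1
        fi
    done
    return $rc
}

make_demo_tree() {    # constructed sample mirroring the two files in the article
    t=$(mktemp -d) && mkdir -p "$t/usr/lib/sysctl.d" "$t/etc/sysctl.d" || return 1
    printf 'fs.protected_hardlinks = 1\nfs.protected_symlinks = 1\n' \
        > "$t/usr/lib/sysctl.d/50-default.conf"
    printf 'fs.protected_hardlinks = 0\nfs.protected_symlinks = 0\n' \
        > "$t/etc/sysctl.d/51-no-protect-links.conf"
    echo "$t"
}

demo=$(make_demo_tree)
audit_link_protection "$demo/usr/lib/sysctl.d" "$demo/etc/sysctl.d" || echo "link protection is not fully enabled"
rm -rf "$demo"
```

On a real host, pass /usr/lib/sysctl.d and /etc/sysctl.d as the directories and compare the result with the running values from `sysctl fs.protected_hardlinks fs.protected_symlinks`.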



How to check and stop if DDoS attack is going on.

Distributed denial-of-service attacks
In a distributed attack, the attacking computers are often personal computers
with broadband connections to the Internet that have been compromised by viruses
or Trojan horse programs. These allow the perpetrator to remotely control machines
to direct the attack, and such an array of computers is called a botnet. With
enough such slave or zombie hosts, the services of even the largest and most well-connected
websites can be disrupted.


Installing and configuring Linux CDP Agents

R1Soft CDP is an easy to install and use continuous data protection system, primarily targeted at the hosting market. It backs up multiple servers to a central backup server; multiple backup windows can be performed per day, and files or even the whole disk can be restored from the image. This tutorial will show you how to install the Linux Agent on a server which you want to be backed up, and how to configure it.

cPanel Name Server Setup

It seems that no matter which flavor of Linux/Unix you are running and which control panel software you use, setting up custom name servers is always a problem. This how-to covers installing name servers on a Linux cPanel server. Custom name servers are great because you can provide your web hosting customers with ns1.yourcompany.com instead of your server/uplink provider's name servers. You will also learn how to install custom name servers for your reseller accounts.

APF firewall. Daily automated email showing firewall status

Charles Sweeney writes: This is how to get your server to send you a daily email showing the status of your APF firewall. In other words, letting you know if it’s running or not!

Sysctl.conf Hardening

The purpose of sysctl hardening is to help prevent spoofing and DoS attacks. This short guide will show what I have found to be a good configuration for the sysctl.conf configuration file. The most important of the variables listed below is the enabling of SYN cookie protection. Only place the bottom two if you do not want your server to respond to ICMP echo, commonly referred to as ICMP ping or just ping requests.

Security Guide for cPanel servers

You must keep your box secure at all times; getting compromised could lead to data loss, which means you lose clients, which isn't a very good way to run your business. You don't have to be an expert; there are just simple instructions you have to follow: check your box daily for any unknown processes, and check on your clients regularly to make sure they are not up to no good. The easiest of steps can make you that one bit more secure, which helps.