Prevent Symlink Attack


Postby mohs3n » Thu Dec 13, 2012 4:32 pm

Hi,

I have a webserver with Apache, and since Apache doesn't actually handle "Follow Symlink By Owner", I have a lot of symlink attacks on my server, and I cannot disable "Follow Symlink" either because the websites use it for SEO.
So I've heard that I could patch the kernel to prevent this kind of attack, and I found out there is a feature in grsecurity, "Linking restrictions", that would prevent race exploits on /tmp; users would also not be able to hardlink to files they do not own. So I created a test server in VMware and patched a kernel (2.6.32.60) with grsec, but users could still create links to other users' files and read the content.
My question is: is it possible to prevent this kind of attack with the grsec patch, and if yes, how should I do it? (What's the right way to do it?)

Regards...
mohs3n

Re: Prevent Symlink Attack

Postby spender » Fri Dec 14, 2012 8:16 am

The feature you're looking for is:

Code:
+config GRKERNSEC_SYMLINKOWN
+   bool "Kernel-enforced SymlinksIfOwnerMatch"
+   default y if GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER
+   help
+     Apache's SymlinksIfOwnerMatch option has an inherent race condition
+     that prevents it from being used as a security feature.  As Apache
+     verifies the symlink by performing a stat() against the target of
+     the symlink before it is followed, an attacker can setup a symlink
+     to point to a same-owned file, then replace the symlink with one
+     that targets another user's file just after Apache "validates" the
+     symlink -- a classic TOCTOU race.  If you say Y here, a complete,
+     race-free replacement for Apache's "SymlinksIfOwnerMatch" option
+     will be in place for the group you specify. If the sysctl option
+     is enabled, a sysctl option with name "enforce_symlinksifowner" is
+     created.


Configure this option's group to be that of Apache, and you're set. Note that it doesn't prevent the *creation* of the malicious symlinks, as the symlinks could already exist prior to the installation of a grsecurity kernel. It prevents the *following* of the symlinks by Apache, as it should be the only app capable of viewing the other user's web files. That Apache can follow the malicious symlinks is the vulnerability and what the feature prevents.

-Brad
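The TOCTOU race Brad describes above, as an added example that is not part of this thread or of grsecurity's code. Two things are assumptions made so the script runs unprivileged: the validation step is "is the symlink's target inside this user's docroot" rather than "does the target have the same owner", because a process running as one uid cannot create files owned by different users, and the attacker's symlink swap is injected as a callback between the check and the open so the window is hit deterministically instead of by timing. The sandbox files, names and contents are constructed. The `safe_read` function shows the only race-free option user space has on its own, never following a symlink at all (the FollowSymLinks-off behaviour mohs3n says he cannot use), which is why a check that still allows same-owner symlinks has to be done by the kernel at the moment the link is followed.

```python
import os
import tempfile


def make_sandbox():
    """Constructed layout: alice's public_html, a file modelling bob's private
    config outside it, and a symlink in alice's docroot that starts out
    pointing at alice's own file (the "same-owned" target)."""
    base = os.path.realpath(tempfile.mkdtemp())
    docroot = os.path.join(base, "home", "alice", "public_html")
    os.makedirs(docroot)
    own = os.path.join(docroot, "own.txt")
    with open(own, "w") as f:
        f.write("alice's own page\n")
    victim = os.path.join(base, "home", "bob", "config.php")
    os.makedirs(os.path.dirname(victim))
    with open(victim, "w") as f:
        f.write("<?php $db_pass = 'secret';\n")
    link = os.path.join(docroot, "page.txt")
    os.symlink(own, link)
    return docroot, link, victim


def swap_symlink(link, new_target):
    """Attacker step: rename() over the existing link is atomic, so the server
    never observes a missing path, only the old target or the new one."""
    tmp = link + ".new"
    os.symlink(new_target, tmp)
    os.rename(tmp, link)


def vulnerable_read(path, docroot, between_check_and_open=None):
    """Check-then-open, the shape of Apache's SymlinksIfOwnerMatch: resolve
    and validate the symlink target first, then open the path again.
    Nothing ties the open() to the target that was validated."""
    target = os.path.realpath(path)
    if not target.startswith(docroot + os.sep):
        raise PermissionError("symlink target outside docroot")
    if between_check_and_open is not None:
        between_check_and_open()          # the race window
    with open(path) as f:
        return f.read()


def safe_read(docroot, relpath):
    """Race-free from user space only by refusing symlinks entirely: walk the
    path one component at a time with O_NOFOLLOW relative to a dirfd, so a
    swapped link makes open() fail with ELOOP instead of being followed."""
    parts = [p for p in relpath.split("/") if p and p != "."]
    if not parts or ".." in parts:
        raise PermissionError("bad relative path")
    dirfd = os.open(docroot, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            nfd = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dirfd)
            os.close(dirfd)
            dirfd = nfd
        fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dirfd)
    finally:
        os.close(dirfd)
    with os.fdopen(fd) as f:
        return f.read()


def demo():
    docroot, link, victim = make_sandbox()
    honest = vulnerable_read(link, docroot)            # link -> own file: fine
    raced = vulnerable_read(link, docroot,
                            between_check_and_open=lambda: swap_symlink(link, victim))
    # The check alone would now reject the link, but the page was already served.
    try:
        vulnerable_read(link, docroot)
        rejected_afterwards = False
    except PermissionError:
        rejected_afterwards = True
    try:
        safe_read(docroot, "page.txt")                 # a symlink: refused
        safe_refused_symlink = False
    except OSError:
        safe_refused_symlink = True
    safe_own = safe_read(docroot, "own.txt")           # a regular file: served
    return {
        "honest": honest,
        "raced": raced,
        "rejected_afterwards": rejected_afterwards,
        "safe_refused_symlink": safe_refused_symlink,
        "safe_own": safe_own,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

`raced` comes back with bob's file contents even though the validation passed, which is exactly the window Brad points at: the validation and the follow are two separate path lookups. `safe_read` closes the window only by giving up symlinks altogether; GRKERNSEC_SYMLINKOWN keeps same-owner symlinks working because the owner comparison is made inside the kernel during the single lookup that follows the link.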

Re: Prevent Symlink Attack

Postby mohs3n » Fri Dec 14, 2012 12:41 pm

Thanks for the explanation, but there is one thing:

If you say Y here, a complete,
+ race-free replacement for Apache's "SymlinksIfOwnerMatch" option
+ will be in place for the group you specify


In Linux, every time a user is created, a group with that user's name is created too, so each user has its own group name and GID. So how could I specify a GID in this feature to include all users on the server?

Re: Prevent Symlink Attack

Postby spender » Fri Dec 14, 2012 1:17 pm

If your server is configured correctly, users should not normally be able to view other users' public_html files. Only the webserver will have the required DAC permission to view all users' public_html files. You will be specifying the group the webserver runs as. If the DAC permissions aren't set up as I described, then you have much bigger problems that should be resolved first ;)

-Brad

Re: Prevent Symlink Attack

Postby mohs3n » Sat Dec 15, 2012 12:53 am

I managed to keep users in their directories and not let them see others' files through symlinks with some changes in Apache and PHP.
But the question is: what does "GRKERNSEC_SYMLINKOWN" do? I mean, I've already fixed my problem by making changes at the "webserver engine" layer, and I don't really understand what "GRKERNSEC_SYMLINKOWN" does for my server at the kernel level and how I should configure it.
