Unique LiteSpeed Features Fight Symbolic Link Hacking
LSWS boasts two unique features that block symlink hacks: a Follow Symbolic Link setting that cannot be overridden in .htaccess files and strict ownership checking.
The Dangers of Symlink Hacking
The ways that a hacker can gain unwarranted access to a server through symbolic links have been thoroughly covered in articles and forum threads on many other sites. Privilege escalation through symlinks is a basic and widespread security issue.
.htaccess Immune Ownership Checking
This is an old trick for Apache users. Setting our Follow Symbolic Link setting to “If Owner Match” causes the server to only follow symlinks if the owner of the link and the target are the same. This is essentially the same as Apache’s SymLinksIfOwnerMatch option, but with one big difference: LSWS’s Follow Symbolic Link setting cannot be overridden in an .htaccess file. This means that, unlike with Apache, you can allow .htaccess overrides without worrying that users will bypass this basic symlink ownership checking.
LiteSpeed recommends that all shared hosting providers set Follow Symbolic Link (WebAdmin console > Server > Security > Follow Symbolic Link) to “If Owner Match.”
Force Strict Ownership Checking
As noted in Apache’s documentation, symlink testing is subject to race conditions that make it circumventable. Specifically, this testing is vulnerable to time-of-check-to-time-of-use (TOCTTOU) attacks. A TOCTTOU attack involves changing the target location after it has been checked (by changing a symlink after the ownership check) but before a file has been opened. In order to prevent this kind of exploit, LiteSpeed has the Force Strict Ownership Checking setting. Force Strict Ownership Checking prevents TOCTTOU attacks by checking the owner of the file as the file is opened (when there is no chance for substitution). This feature is similar to CloudLinux’s SecureLinks functionality.
LiteSpeed also recommends that all shared hosting providers turn on Force Strict Ownership Checking (WebAdmin console > Server > Security > Force Strict Ownership Checking) unless you are using CloudLinux SecureLinks.
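To make the TOCTTOU point concrete, here is an added example (not LiteSpeed's code) contrasting a check-then-open that leaves a race window with an open-then-fstat pattern, which is what checking the owner as the file is opened amounts to. The helper builds its own temporary file and symlink, so it runs offline; the function names and the `/tmp` paths are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: inspect the path, then open it. If the symlink is
   retargeted between the two calls, the new target is opened unchecked. */
int open_if_owner_match_racy(const char *path, uid_t expected) {
    struct stat st;
    if (stat(path, &st) != 0 || st.st_uid != expected) return -1;
    return open(path, O_RDONLY);            /* race window sits here */
}

/* Strict pattern: open first, then fstat() the descriptor. The owner
   examined belongs to the inode actually opened, so retargeting the
   link after the check gains nothing. Returns an fd or -1. */
int open_if_owner_match_strict(const char *path, uid_t expected) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || st.st_uid != expected) { close(fd); return -1; }
    return fd;
}

/* Self-contained demo (constructed input): a file we own, reached through a
   symlink. Returns 1 when the strict open accepts our own uid and rejects a
   different uid, 0 otherwise. */
int demo_strict_check(void) {
    char dir[] = "/tmp/symlinkdemoXXXXXX";    /* assumed writable location */
    if (mkdtemp(dir) == NULL) return 0;
    char target[256], link[256];
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    FILE *f = fopen(target, "w");
    if (!f) return 0;
    fputs("hello\n", f);
    fclose(f);
    if (symlink(target, link) != 0) return 0;
    int ok_fd = open_if_owner_match_strict(link, getuid());
    int bad_fd = open_if_owner_match_strict(link, getuid() + 1);
    int result = (ok_fd >= 0) && (bad_fd < 0);
    if (ok_fd >= 0) close(ok_fd);
    unlink(link); unlink(target); rmdir(dir);
    return result;
}
```

The strict variant is the same shape a server uses when it verifies ownership on the descriptor it has already opened rather than on the path it was asked for.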
These settings are just one facet of LiteSpeed Web Server’s top-of-the-line security features. If you wish to learn more about security with LSWS, see the security features section of our site.