fs.process_symlinks_by_task with CL9

Collapse
This topic has been answered.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • fs.process_symlinks_by_task with CL9

    Is fs.process_symlinks_by_task a setting that can be used with CL9?
    https://docs.cloudlinux.com/cloudlin...cpanel-servers states "This option only available on CloudLinux 7 Hybrid or on CloudLinux 8...." I'm wondering if CL9 was not added to the documentation yet, or if CL9 doesn't support this option.

    I have been using
    fs.protected_symlinks_create = 1
    fs.protected_hardlinks_create = 1
    on a cpanel without issue, except I have to set both to 0 before doing an account restore from backup. Incremental backup seems to work fine, but I have to disable those two options before restoring a backup.

    Does fs.process_symlinks_by_task = 1 replace and make fs.protected_symlinks_create and fs.protected_hardlinks_create totally unneeded on a CL9 cpanel server?
    Or do fs.protected_symlinks_create and fs.protected_hardlinks_create still provide some protections that fs.process_symlinks_by_task does not protect against?
  • Answer selected by bogdan.sh at 02-11-2025, 10:40 AM.

    Hello,

    We have clarified this question with developers and can confirm this option is available on CloudLinux 9 OS. Going to update the documentation quite soon.

    Those are two different options, both to be enabled for better security.

    Comment



      • #3
        Thank you! I was also a bit confused by the following statement on the documentation page "We do not recommend to use protected_symlinks option for cPanel users as it might break some of the cPanel functionality. Please read the known issues section before enabling this feature." That made me think fs.process_symlinks_by_task = 1 may be a recommended tool instead of fs.protected_symlinks_create = 1 for cpanel users. Would like to read a bit more on each of these options for a CL9 cpanel server.

        Comment


        • #4
          Usually it breaks backups made by third-party tools that run as the user. They serve different purposes:

          fs.process_symlinks_by_task

          This parameter is specifically designed to protect against symlink vulnerabilities when accessing symlinks through cPanel tools (like File Manager, WebDAV, and Webmail).
          When set to 1, it checks whether the current process UID matches the symlink target UID. This means that a user can only access symlinks that point to files they own, enhancing security within the CageFS environment.

          fs.protected_symlinks_create

          This parameter controls whether users are allowed to create symlinks to files that they do not own.
          When set to 1, it prevents users from creating symlinks (and hard links) to files that are not their own or do not exist. This is a broader protection mechanism that helps prevent symlink attacks in shared hosting environments.

          Comment
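
An audit for the situation discussed in this thread (options switched to 0 for a restore and not switched back), as an added example that is not part of any post and not CloudLinux's own tooling. It compares the runtime value of each of the three sysctls with the persisted one; the function names, the status labels and the default config path /etc/sysctl.conf are assumptions, and both paths are parameters so the check can be dry-run against constructed files.

```shell
#!/bin/sh
# Added example: audit the three sysctls named in this thread.
KEYS="fs.process_symlinks_by_task fs.protected_symlinks_create fs.protected_hardlinks_create"

# Print the last value assigned to key $1 in sysctl.conf-style file $2
# (empty output when the key or the file is absent).
conf_value() {
    [ -r "$2" ] || return 0
    awk -F= -v k="$1" '
        /^[[:space:]]*[#;]/ { next }                 # skip comment lines
        {
            key = $1; val = $2
            gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
            if (key == k) last = val                 # later lines override
        }
        END { print last }' "$2"
}

# Print the runtime value of key $1 under proc root $2
# (fs.name maps to <root>/fs/name); empty when the file does not exist.
live_value() {
    path="$2/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then tr -d '[:space:]' < "$path"; fi
}

# One status line per key. Returns 0 only when every key is 1 at runtime
# and also set to 1 in the config file.
audit_symlink_sysctls() {
    root="${1:-/proc/sys}"; conf="${2:-/etc/sysctl.conf}"; rc=0
    for k in $KEYS; do
        live=$(live_value "$k" "$root")
        saved=$(conf_value "$k" "$conf")
        if [ -z "$live" ]; then
            state="MISSING"          # not exposed by the running kernel
        elif [ "$live" != 1 ]; then
            state="DISABLED"         # e.g. left at 0 after a restore
        elif [ "$saved" != 1 ]; then
            state="NOT_PERSISTED"    # on now, but not set to 1 in $conf
        else
            state="OK"
        fi
        [ "$state" = OK ] || rc=1
        printf '%-34s live=%s conf=%s %s\n' "$k" "${live:--}" "${saved:--}" "$state"
    done
    return $rc
}
```

On a server, source the file and call `audit_symlink_sysctls` with no arguments, for example as the last step of an account restore.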
