How To Protect Hard and Symbolic Links in CentOS/RHEL 7

In Linux, hard and soft links are referenced to files, which are very important, if not protected very well, any vulnerabilities in them can be exploited by malicious system users or attackers.

A common vulnerability is the symlink race. It is a security vulnerability in software, that comes about when a program insecurely creates files (especially temporary files), and a malicious system user can create a symbolic (soft) link to such a file.

Read Also: How to Create Hard and Symbolic Link in Linux

This is practically happens; a program checks if a temp file exists or not, in case it doesn’t, it creates the file. But in that short period of time between checking the file and creating it, an attacker can possibly create a symbolic link to a file and he or she is not permitted to access.

So when the program runs with valid privileges creates the file with the same name as the one created by the attacker, it literally creates the target (linked-to) file the attacker was intending to access. This, hence, could give the attacker a path way to steal sensitive information from the root account or execute a malicious program on the system.

Therefore, in this article, we will show you how to secure hard and symbolic links from malicious users or hackers in CentOS/RHEL 7 distributions.

On CentOS/RHEL 7 exists a vital security feature which only permits links to be created or followed by programs only if some conditions are satisfied as described below.

For Hard Links

For a system user to create a link, one of the following conditions has to be fulfilled.

  • the user can only link to files that he or she owns.
  • the user must first have read and write access to a file, that he or she wants to link to.

For Symbolic Links

Processes are only allowed to follow links that are outside of world-writable (other users are allowed to write to) directories that have sticky bits, or one of the following has to be true.

  • the process following the symbolic link is the owner of the symbolic link.
  • the owner of the directory is also the owner of the symbolic link.

Enable or Disable Protection on Hard and Symbolic Links

Importantly, by default, this feature is enabled using the kernel parameters in the file /usr/lib/sysctl.d/50-default.conf (value of 1 means enable).

fs.protected_hardlinks = 1
fs.protected_symlinks = 1

However, for one reason or the other, if you want to disable this security feature; create a file called /etc/sysctl.d/51-no-protect-links.conf with these kernel options below (value of 0 means disable).

Take note of that 51 in the filename (51-no-protect-links.conf), it has to be read after the default file to override the default settings.

fs.protected_hardlinks = 0
fs.protected_symlinks = 0

Save and close the file. Then use the the command below to effect the above changes (this command actually loads settings from each and every system configuration file).

# sysctl --system
OR
# sysctl -p  #on older systems

You might also like to read these following articles.

  1. How to Password Protect a Vim File in Linux
  2. 5 ‘chattr’ Commands to Make Important Files IMMUTABLE (Unchangeable) in Linux

That’s all! You can post your queries or share any thoughts relating to this topic via the feedback form below.

Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

Got something to say? Join the discussion.

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.