In Linux, hard and soft links are referenced to files, which are very important, if not protected very well, any vulnerabilities in them can be exploited by malicious system users or attackers.

A common vulnerability is the symlink race. It is a security vulnerability in software, that comes about when a program insecurely creates files (especially temporary files), and a malicious system user can create a symbolic (soft) link to such a file.

Read Also: How to Create Hard and Symbolic Link in Linux

This is practically happens; a program checks if a temp file exists or not, in case it doesn’t, it creates the file. But in that short period of time between checking the file and creating it, an attacker can possibly create a symbolic link to a file and he or she is not permitted to access.


So when the program runs with valid privileges creates the file with the same name as the one created by the attacker, it literally creates the target (linked-to) file the attacker was intending to access. This, hence, could give the attacker a path way to steal sensitive information from the root account or execute a malicious program on the system.

Therefore, in this article, we will show you how to secure hard and symbolic links from malicious users or hackers in CentOS/RHEL 7 distributions.

On CentOS/RHEL 7 exists a vital security feature which only permits links to be created or followed by programs only if some conditions are satisfied as described below.

For Hard Links

For a system user to create a link, one of the following conditions has to be fulfilled.

  • the user can only link to files that he or she owns.
  • the user must first have read and write access to a file, that he or she wants to link to.

For Symbolic Links

Processes are only allowed to follow links that are outside of world-writable (other users are allowed to write to) directories that have sticky bits, or one of the following has to be true.

  • the process following the symbolic link is the owner of the symbolic link.
  • the owner of the directory is also the owner of the symbolic link.

Enable or Disable Protection on Hard and Symbolic Links

Importantly, by default, this feature is enabled using the kernel parameters in the file /usr/lib/sysctl.d/50-default.conf (value of 1 means enable).

fs.protected_hardlinks = 1
fs.protected_symlinks = 1

However, for one reason or the other, if you want to disable this security feature; create a file called /etc/sysctl.d/51-no-protect-links.conf with these kernel options below (value of 0 means disable).

Take note of that 51 in the filename (51-no-protect-links.conf), it has to be read after the default file to override the default settings.

fs.protected_hardlinks = 0
fs.protected_symlinks = 0

Save and close the file. Then use the the command below to effect the above changes (this command actually loads settings from each and every system configuration file).

# sysctl --system
OR
# sysctl -p #on older systems

You might also like to read these following articles.

  1. How to Password Protect a Vim File in Linux
  2. 5 ‘chattr’ Commands to Make Important Files IMMUTABLE (Unchangeable) in Linux

That’s all! You can post your queries or share any thoughts relating to this topic via the feedback form below.

Facebook Comments

More Stuff

Emblematic Group and Mozilla Team Up to Showcase Next Generation o... Everything you share on the internet is a story. You read blog posts and watch videos that make you feel connected to people across the world. Virtual...
Latest Firefox Release is Faster than Ever With the introduction of the new Firefox Quantum browser in 2017 we changed the look, feel, and performance of our core product. Since then we have la...
Google’s own data proves two-factor is the best defense against mo... Every once in a while someone will ask me what is the best security advice. The long answer is “it depends on your threat model,” which is just a fan...
Competing without a Marketing Budget: When All You Have is a Produ... This is a story about the power of a good landing page, PR efforts, and marketing strategy. The refreshing twist here is that instead of explaining ho...
Spread the love

Posted by News Monkey