LF_SYMLINK false positives

[rickphp]

Hi,

I've recently enabled LF_SYMLINK and have found its been blocking genuine traffic.

I use suPHP so of coarse all users should own their own files, but some users have files owned by nobody for whatever reason, these users are triggering the LF_SYMLINK because their userid is accessing the 'nobody' userid.

Could you add an option so that such triggers can be ignored?

I guess it could miss out a symlink attack against a users file which could be owned by 'nobody', but at the same time it could block a lot of genuine traffic. We have patched against the attack, so we'd have rather have slight risk rather than blocking lots of genuine traffic.

Yes I can reset the file ownership for affected accounts, but there will always be

Thanks

[domainworld]

Likewise, particularly mailman lists:

Time: Sun Mar 24 20:52:35 2013 -0500
IP: 111.111.111.111 (US/United States/ip9111-111-111-111.ok.ok.cox. net)
Failures: 1 (symlink)
Interval: 3600 seconds
Blocked: Yes

Log entries:

[Sun Mar 24 20:52:29 2013] [error] [client ***.***.***.***] Caught race condition abuser. attacker: 32088, victim: 0 open file owner: 0, open file: /usr/local/cpanel/img-sys/mailman.jpg, referer: SOMEHOSTNAME .com/mailman/admin/LIST_NAME .com

[rickphp]

Reading up on how the sym patch works, it will cause problems like these as it simply blocks the request if the ownerships don't match.

The better patch is the one from Rack911, which forces symlinks follow with the if owner match flag.

Maybe csf could offer another LFD option for rack911s patch?

I have no idea why cpanel didn't just get permission to use rack911s patch...