diff --git a/scripts/lib/scan-symlinks.php b/scripts/lib/scan-symlinks.php
index e3b98fd..3d36f68 100644
--- a/scripts/lib/scan-symlinks.php
+++ b/scripts/lib/scan-symlinks.php
@@ -45,11 +45,45 @@ if (!is_file($tarPath) || !is_readable($tarPath)) {
 exit(2);
 }
-// Same prefix list as the panel.
+// Threat model: an "ALFA TEaM Shell"-style payload links into a path that,
+// when a recursive walker follows it (or when something writes through it),
+// either ESCAPES the customer's account on the destination server OR
+// CLOBBERS critical system state. The classification needs to be tight
+// enough to catch those — and loose enough to NOT flag the dozens of
+// standard cPanel-internal symlinks every customer tarball contains
+// (access-logs -> /usr/local/apache/domlogs/, var/cpanel/styled/...
+// -> /usr/local/cpanel/base/frontend/..., mailman, etc.).
+//
+// Earlier versions of this file used the panel's broader list (everything
+// under /etc, /usr, /bin, /sbin, /lib, /lib64, /var/lib, /var/log,
+// /var/cache, /var/spool) which made the container REFUSE every cpmove
+// from a real cPanel source server — including clean ones. The panel
+// could afford to be permissive in UNCERTAIN handling because it never
+// actually followed the links (removeDirectory now shell-rm's, not
+// recursive PHP walk). The container is supposed to QUARANTINE the truly
+// destructive ones and let the rest through.
+//
+// Real-world dangerous prefixes (escapes/clobbers):
+// / exact root — ALFA "alfasymlink/root -> /"
+// /etc config tampering, /etc/shadow exfil
+// /root root home dir
+// /boot bootloader / kernel
+// /proc process info / kernel knobs
+// /sys sysfs
+// /dev device nodes
+//
+// Notably NOT in the list (cPanel-legitimate, kept as UNCERTAIN):
+// /usr/local/apache/... access logs
+// /usr/local/cpanel/... UI styling, plugins, mailman
+// /var/log/... per-user mail logs
+// /bin, /sbin customer "fix shell" symlinks (rare but seen)
 $dangerousPrefixes = [
- '/etc', '/usr', '/bin', '/sbin', '/lib', '/lib64',
- '/boot', '/root',
- '/var/lib', '/var/log', '/var/cache', '/var/spool',
+ '/etc',
+ '/root',
+ '/boot',
+ '/proc',
+ '/sys',
+ '/dev',
 ];
 $findings = [];
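Review bot: The comment table headed "Real-world dangerous prefixes" lists `/` (the ALFA `alfasymlink/root -> /` case) as its first entry, but `$dangerousPrefixes` does not contain it, so an exact-root link target is only caught if the comparison code outside this hunk special-cases it. If it does, say so next to the array, e.g. `// '/' (exact match) is handled separately, not as a prefix`; if it does not, the very case the comment calls out is missed. Note that `'/'` cannot simply be appended to the list, because every absolute target starts with it — it needs an equality check rather than a prefix test. If the match is a plain string prefix, the other entries need the same care, since `/dev` would also match a target like `/devel`; the comparison should require the prefix to be followed by `/` or end of string, and relative targets (`../..`) should be normalised before the test. The loop that applies these prefixes is not in this hunk.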