https://bz.apache.org/bugzilla/show_bug.cgi?id=69543
Bug ID: 69543
Summary: SymLinksIfOwnerMatch do not work
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: Runtime Config
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
The +SymLinksIfOwnerMatch -FollowSymLinks options were intended to increase
security,
to make sure we follow ONLY symlinks to targets that have the same owner as the
links.
The idea is nice: to have www-data-owned symlinks that point to folders we
make sure are also owned by www-data,
to prevent a case of hacking the site as www-data and creating a symlink to root-
owned folders, for example...
This is not working.
The test is easy: under the root directory of the website, let's say
/var/www/html/my-site, create a symlink owned by www-data that targets a
folder on an external drive, a folder that is owned by root.
Apache is following it with no issues.
This is a potential security bug,
as +SymLinksIfOwnerMatch -FollowSymLinks behaves just like fully enabled
+FollowSymLinks.
(On another note, it would be great to disable symlinks altogether and use Aliases
for a few folders; that could be more secure, BUT then Rewrite rules are not
working... and this is needed for many frameworks.)
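The check the reporter expects from `Options +SymLinksIfOwnerMatch -FollowSymLinks` is simple to state: for every symlink met while walking the requested path, the owner of the link itself (lstat) must equal the owner of what it resolves to (stat), otherwise the request is refused. The following is an added example, not code from the bug report or from httpd, that implements that rule as a reference and reproduces the reporter's scenario offline. The directory names (`my-site`, `ext`, `external`, `plain`) are hypothetical, and the root-owned target on an external drive is simulated by a wrapped `os.stat` that reports a foreign uid, so the example runs without root. Note that httpd's own documentation warns that symlink testing is subject to race conditions, so even a correctly working check is a hardening measure rather than a hard security boundary.

```python
import os
import stat
import tempfile
from types import SimpleNamespace
from typing import Callable, List, Tuple

StatFn = Callable[[str], object]


def symlink_owner_matches(path: str,
                          lstat_fn: StatFn = os.lstat,
                          stat_fn: StatFn = os.stat) -> bool:
    """SymLinksIfOwnerMatch rule: the owner of the link itself (lstat) must
    equal the owner of whatever it resolves to (stat).  lstat_fn/stat_fn are
    injectable so an owner mismatch can be simulated without root."""
    return lstat_fn(path).st_uid == stat_fn(path).st_uid


def check_request_path(docroot: str, rel: str,
                       follow_symlinks: bool = False,
                       symlinks_if_owner_match: bool = True,
                       lstat_fn: StatFn = os.lstat,
                       stat_fn: StatFn = os.stat) -> Tuple[bool, List[str]]:
    """Walk each component of docroot/rel, applying the Options policy at every
    symlink met on the way (a symlinked directory half-way down the path must
    be checked, not only the final file).  Returns (allowed, notes)."""
    notes: List[str] = []
    current = docroot
    for part in rel.strip("/").split("/"):
        if not part:
            continue
        current = os.path.join(current, part)
        st = lstat_fn(current)
        if not stat.S_ISLNK(st.st_mode):
            continue                      # regular file/dir: nothing to decide
        if follow_symlinks:               # Options +FollowSymLinks: no check
            notes.append(f"{current}: followed (FollowSymLinks)")
            continue
        if not symlinks_if_owner_match:   # neither option: symlinks refused
            notes.append(f"{current}: refused (symlinks disabled)")
            return False, notes
        if symlink_owner_matches(current, lstat_fn, stat_fn):
            notes.append(f"{current}: followed (owner matches)")
        else:
            notes.append(f"{current}: refused (link uid {st.st_uid} != "
                         f"target uid {stat_fn(current).st_uid})")
            return False, notes
    return True, notes


# uid standing in for "some other user" (root, unless we already are root)
FOREIGN_UID = 0 if os.geteuid() != 0 else 65534


def foreign_owner_stat(real_stat: StatFn = os.stat) -> StatFn:
    """Wrap os.stat so every *resolved* target reports FOREIGN_UID as owner.
    This simulates the reporter's root-owned folder on an external drive
    without needing root to run the example (constructed, not real ownership)."""
    def fake(path: str):
        st = real_stat(path)
        return SimpleNamespace(st_uid=FOREIGN_UID, st_mode=st.st_mode)
    return fake


def build_fixture() -> Tuple[str, str]:
    """Constructed layout (hypothetical names):
         <tmp>/my-site/ext   -> <tmp>/external   (symlink, same owner as us)
         <tmp>/my-site/plain/index.html          (regular file)
    Returns (docroot, external_dir)."""
    base = tempfile.mkdtemp(prefix="symlink-owner-")
    docroot = os.path.join(base, "my-site")
    external = os.path.join(base, "external")
    os.makedirs(os.path.join(docroot, "plain"))
    os.makedirs(external)
    for d in (os.path.join(docroot, "plain"), external):
        with open(os.path.join(d, "index.html"), "w") as f:
            f.write("<h1>hello</h1>\n")
    os.symlink(external, os.path.join(docroot, "ext"))
    return docroot, external


if __name__ == "__main__":
    docroot, _ = build_fixture()
    for label, kwargs in [
        ("same owner, SymLinksIfOwnerMatch", {}),
        ("foreign-owned target, SymLinksIfOwnerMatch",
         {"stat_fn": foreign_owner_stat()}),
        ("foreign-owned target, FollowSymLinks",
         {"follow_symlinks": True, "stat_fn": foreign_owner_stat()}),
    ]:
        allowed, notes = check_request_path(docroot, "ext/index.html", **kwargs)
        print(f"{label}: allowed={allowed}")
        for n in notes:
            print("   ", n)
```

The second case is the reporter's test: a www-data-owned link under the document root pointing at a root-owned directory. With the owner check applied it is refused; only `follow_symlinks=True` (the `+FollowSymLinks` behaviour the reporter says httpd is actually exhibiting) lets it through.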