2012/10/31 Eric Jacobs <ejac...@bluehost.com>:
> On 10/31/2012 06:00 AM, Eric Covener wrote:
>>
>> In general that is the proper form -- but this particular issue is
>> documented as a limitation:
>>
>> "Omitting this option should not be considered a security restriction,
>> since symlink testing is subject to race conditions that make it
>> circumventable."
>
>
> Some users (like Bluehost) require the functionality of symlinks without the
> possibility of server side vulnerabilities. Having the vulnerability
> documented doesn't keep servers safe. The patch I submitted allows httpd to
> use symlinks in a protected fashion that doesn't allow for users to serve
> arbitrary files.
>
> I'll go ahead and submit a more detailed email to the security. More
> feedback from the devs is appreciated.
On some systems, at least on Linux, you can use a grsecurity kernel patch
feature which prevents those races and is cheaper performance-wise:

+config GRKERNSEC_SYMLINKOWN
+	bool "Kernel-enforced SymlinksIfOwnerMatch"
+	default y if GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER
+	help
+	  Apache's SymlinksIfOwnerMatch option has an inherent race condition
+	  that prevents it from being used as a security feature.  As Apache
+	  verifies the symlink by performing a stat() against the target of
+	  the symlink before it is followed, an attacker can setup a symlink
+	  to point to a same-owned file, then replace the symlink with one
+	  that targets another user's file just after Apache "validates" the
+	  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
+	  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
+	  will be in place for the group you specify. If the sysctl option
+	  is enabled, a sysctl option with name "enforce_symlinksifowner" is
+	  created.

There probably is something similar on the *BSDs, or if there isn't, it
won't be hard to make.

Your patch checks for race conditions every time, even if symlinks weren't
allowed. It also references some configuration-dependent directory like
/usr/local/apache/htdocs.

--
Michal Grzedzicki
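Review bot: the help text in this hunk refers to "the group you specify" and to a sysctl named "enforce_symlinksifowner", but the quoted hunk contains only the bool GRKERNSEC_SYMLINKOWN entry; the companion option that holds the group id and the sysctl wiring are not shown, so a reader comparing this with the httpd-side patch cannot tell from the quote which processes the kernel check applies to or how the group is configured. Quoting the group option alongside this one, or stating in the message how the group is selected, would make the comparison with SymlinksIfOwnerMatch concrete.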
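The stat()-then-follow sequence in the Kconfig help text is the general TOCTOU shape: the check runs against a path, and the object behind that path is replaced before the object is used. The usual user-space mitigation is to perform the check on the descriptor you actually obtained, not on the path. The program below is an added example written for this thread; it is not code from httpd, from the Bluehost patch or from grsecurity. The function name open_if_owner_matches is my own. It lstat()s the directory entry for its owner, open()s the path, and then fstat()s the returned descriptor, so the ownership comparison is made against whatever open() really followed; re-pointing the link between the two calls changes what gets compared, not what gets served.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * open_if_owner_matches (hypothetical helper, not an httpd API):
 * open `path` read-only, but only if the object actually opened is owned
 * by the same uid as the directory entry named by `path` (for a symlink,
 * the link itself; for a regular file, the file).
 *
 * The owner of the served object comes from fstat() on the descriptor that
 * open() returned, never from a second path lookup, so swapping the link's
 * target after the check cannot bypass it. What remains is a configuration
 * property: an entry owned by user X in a directory writable by user Y
 * lets Y swap it for a link to another X-owned file, which still passes.
 *
 * Returns an open fd (>= 0) on success. On owner mismatch returns -1 with
 * errno = EACCES; other failures return -1 with errno from the failing call.
 * Only the final path component is covered here; symlinks in intermediate
 * directories need the same treatment component by component via openat().
 */
int open_if_owner_matches(const char *path)
{
    struct stat entry_st, opened_st;

    /* Owner of the entry itself (lstat does not follow a final symlink). */
    if (lstat(path, &entry_st) < 0)
        return -1;

    /* Follow the link (if any), then inspect what was actually opened. */
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;

    if (fstat(fd, &opened_st) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }

    /* Compare the opened object's owner, not a path-based stat() result. */
    if (opened_st.st_uid != entry_st.st_uid) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Stand-alone use: report, for each path on the command line, whether the
 * check would allow it to be served. */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int fd = open_if_owner_matches(argv[i]);
        if (fd < 0) {
            printf("%s: refused (%s)\n", argv[i], strerror(errno));
        } else {
            printf("%s: ok\n", argv[i]);
            close(fd);
        }
    }
    return 0;
}
```

Running it against a symlink you own that points at a file you own prints "ok"; a symlink you own that points at a root-owned file such as / is refused with EACCES unless you are root yourself, since then the link and the target share an owner.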