Dear fellow Apache HTTP Server users,
AFAIK, Apache features two opts that dictate if Apache should follow
symlinks:
- OPT_SYM_LINKS (FollowSymLinks)
- OPT_SYM_OWNER (SymLinksIfOwnerMatch)
(Especially) in shared hosting environments, FollowSymLinks can be
unsafe. However, FollowSymLinks is often set in .htaccess files of
frequently used software. For example, see the default .htaccess that
ships with Joomla CMS:
https://github.com/joomla/joomla-cms/blob/4.0-dev/htaccess.txt#L20
In most cases, FollowSymLinks could be replaced with
SymLinksIfOwnerMatch. In environments where the server administrator
doesn't control the software that's running on it, replacing
OPT_SYM_LINKS by OPT_SYM_OWNER under the hood can be very useful, as
users wouldn't have to edit files they probably don't even know exist
(as is often the case with frequently used CMSes).
I found some patches to replace OPT_SYM_LINKS by OPT_SYM_OWNER under the
hood:
- https://github.com/ByteInternet/apache1.3/blob/master/debian/patches/104_byte_followsymlinks_is_unsafe
- https://files.directadmin.com/services/customapache/harden-symlinks-2.4.patch
I'm fine with building and packaging my own Apache with such a patch,
but I'm wondering why one isn't included in Apache. I acknowledge that
using the safe option (SymLinksIfOwnerMatch) is up to the software, and
not Apache's problem, but I've seen options being included or their
behaviour changed based on decisions made by maintainers of frequently
used software before, even though they weren't necessarily
Apache-related. And seeing quite a lot of people maintaining an Apache
patch to achieve this, it seems appropriate.
I do remember seeing an issue about this on the Apache bug tracker, but
I can't find it anymore.
--
With kind regards,
William Edwards
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
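An added example, not part of the post above and not Apache's own code: it models the decision Apache makes for a request path that crosses a symlink under the three relevant Options settings, and audits a docroot for .htaccess files that turn FollowSymLinks on without SymLinksIfOwnerMatch. The two customer uids, the directory layout and the .htaccess contents are constructed for the demo; the `Options +FollowSymlinks` line is modelled on the Joomla default the post links to. The model follows the check order in core.c's resolve_symlink as I read it (the owner test runs whenever SymLinksIfOwnerMatch is set, even alongside FollowSymLinks); treat that precedence as an assumption and verify it against the httpd version you run.

```python
"""Model of Apache's FollowSymLinks / SymLinksIfOwnerMatch decision plus a
.htaccess audit for shared hosting. Added example; not from the post or httpd."""
import os
import tempfile
from typing import Iterable, List, Set

# Option names are matched case-insensitively, as Apache does
# (Joomla's htaccess.txt spells it "FollowSymlinks").
FOLLOW = "followsymlinks"
OWNER = "symlinksifownermatch"


def parse_options(lines: Iterable[str]) -> Set[str]:
    """Return the symlink-related options a .htaccess enables.

    Handles the absolute form ("Options FollowSymLinks Indexes"), which resets
    the option set, and the relative form ("Options +FollowSymLinks -Indexes").
    "All" implies FollowSymLinks but not SymLinksIfOwnerMatch; "None" clears.
    Only the file's own directives are considered, not what is merged in from
    httpd.conf or parent directories.
    """
    enabled: Set[str] = set()
    for raw in lines:
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#") or parts[0].lower() != "options":
            continue
        tokens = parts[1:]
        if not tokens:
            continue
        if not any(t[0] in "+-" for t in tokens):
            enabled = set()  # absolute form: start from nothing
        for tok in tokens:
            sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            name = name.lower()
            if name == "none":
                enabled = set()
                continue
            targets = {FOLLOW} if name == "all" else {name}
            for t in targets & {FOLLOW, OWNER}:
                enabled.add(t) if sign == "+" else enabled.discard(t)
    return enabled


def symlink_allowed(enabled: Set[str], link_uid: int, target_uid: int) -> bool:
    """Decide whether a path through a symlink is served.

    Neither option -> forbidden; SymLinksIfOwnerMatch -> only if the link and
    its target have the same owner; FollowSymLinks alone -> always.
    Assumption: the owner test wins when both options are set (see lead-in).
    """
    if OWNER in enabled:
        return link_uid == target_uid
    return FOLLOW in enabled


def symlink_allowed_on_disk(enabled: Set[str], path: str) -> bool:
    """Apply symlink_allowed to a real path: lstat() gives the link's owner,
    stat() the target's. A non-symlink is unaffected by either option."""
    if not os.path.islink(path):
        return True
    return symlink_allowed(enabled, os.lstat(path).st_uid, os.stat(path).st_uid)


def audit_docroot(root: str) -> List[str]:
    """List .htaccess files that enable FollowSymLinks without the owner check."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            opts = parse_options(fh)
        if FOLLOW in opts and OWNER not in opts:
            findings.append(path)
    return findings


def demo() -> dict:
    """Run the model over constructed inputs and return the outcomes."""
    alice, bob = 1001, 1002  # constructed uids for two hosting customers
    results = {
        # alice's link -> bob's config file: FollowSymLinks serves it
        "follow_cross_user": symlink_allowed({FOLLOW}, alice, bob),
        # the same link under SymLinksIfOwnerMatch is refused
        "owner_cross_user": symlink_allowed({OWNER}, alice, bob),
        "owner_same_user": symlink_allowed({OWNER}, alice, alice),
        "neither": symlink_allowed(set(), alice, alice),
    }
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "joomla")
        os.makedirs(site)
        with open(os.path.join(site, ".htaccess"), "w") as fh:  # weak setting
            fh.write("## Can be commented out if causes errors\n"
                     "Options +FollowSymlinks\nOptions -Indexes\n")
        hardened = os.path.join(root, "hardened")
        os.makedirs(hardened)
        with open(os.path.join(hardened, ".htaccess"), "w") as fh:  # corrected
            fh.write("Options +SymLinksIfOwnerMatch -Indexes\n")
        results["audit"] = [os.path.relpath(p, root) for p in audit_docroot(root)]
        # on disk, a link we own to a file we own passes the owner test
        target = os.path.join(site, "index.php")
        open(target, "w").close()
        link = os.path.join(site, "link.php")
        os.symlink(target, link)
        results["on_disk_owner_match"] = symlink_allowed_on_disk({OWNER}, link)
        results["on_disk_neither"] = symlink_allowed_on_disk(set(), link)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The on-disk check can only exercise the same-owner case unless it runs as root, which is why the cross-customer case is modelled with constructed uids. Note also that the Apache documentation itself says SymLinksIfOwnerMatch "should not be considered a security restriction", because the symlink test is subject to race conditions; it narrows the problem the post describes rather than closing it.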