Replacing OPT_SYM_LINKS by OPT_SYM_OWNER under the hood

Dear fellow Apache HTTP Server users,

AFAIK, Apache features two opts that dictate if Apache should follow symlinks:

- OPT_SYM_LINKS (FollowSymLinks)
- OPT_SYM_OWNER (SymLinksIfOwnerMatch)

(Especially) in shared hosting environments, FollowSymLinks can be unsafe. However, FollowSymLinks is often set in .htaccess files of frequently used software. For example, see the default .htaccess that ships with Joomla CMS:

https://github.com/joomla/joomla-cms/blob/4.0-dev/htaccess.txt#L20

In most cases, FollowSymLinks could be interchanged by SymLinksIfOwnerMatch. In environments where the server administrator doesn't control the software that's running on it, replacing OPT_SYM_LINKS by OPT_SYM_OWNER under the hood can be very useful, as users wouldn't have to edit files they probably don't even know exist (as is often the case with frequently used CMSes).

I found some patches to replace OPT_SYM_LINKS by OPT_SYM_OWNER under the hood:

- https://github.com/ByteInternet/apache1.3/blob/master/debian/patches/104_byte_followsymlinks_is_unsafe
- https://files.directadmin.com/services/customapache/harden-symlinks-2.4.patch

I'm fine with building and packaging my own Apache with such a patch, but I'm wondering why one isn't included in Apache. I acknowledge that using the safe option (SymLinksIfOwnerMatch) is up to the software, and not Apache's problem, but I've seen options being included or their behaviour changed based on decisions made by maintainers of frequently used software before, even though they weren't necessarily Apache-related. And seeing quite a lot of people maintaining an Apache patch to achieve this, it seems appropriate.

I do remember seeing an issue about this on the Apache bug tracker, but I can't find it anymore.

--
With kind regards,

William Edwards
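
Added example, not part of the original message and not taken from either linked patch: a pre-change audit an administrator could run before treating FollowSymLinks as SymLinksIfOwnerMatch. It lists the .htaccess lines that enable FollowSymLinks and the symlinks whose owner differs from the target's owner, which an owner-match check would stop following. The function names, the sample .htaccess text and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Option names are matched case-insensitively, as Apache does.
OPTIONS_RE = re.compile(r"^\s*Options\s+(.*)$", re.IGNORECASE)

# Constructed sample, not taken from any real project.
SAMPLE_HTACCESS = """\
# Options +FollowSymLinks
Options +FollowSymlinks
Options -Indexes
Options -FollowSymLinks +SymLinksIfOwnerMatch
"""

def followsymlinks_lines(text):
    """Return (line_no, line) for Options lines that switch FollowSymLinks on."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = OPTIONS_RE.match(line)  # commented-out lines do not match
        if m and any(o.lstrip("+").lower() == "followsymlinks" for o in m.group(1).split()):
            hits.append((no, line.strip()))
    return hits

def owner_mismatched_links(root):
    """Return symlinks under root whose owner differs from the target's owner."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not descend into links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            # Dangling links are skipped: they are not served under either option.
            if os.path.islink(path) and os.path.exists(path):
                if os.lstat(path).st_uid != os.stat(path).st_uid:
                    bad.append(path)
    return sorted(bad)

def build_sample_tree():
    """Create a constructed docroot with one same-owner symlink; return its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    target = os.path.join(root, "index.html")
    with open(target, "w") as fh:
        fh.write("hello\n")
    os.symlink(target, os.path.join(root, "home.html"))
    return root

if __name__ == "__main__":
    print(followsymlinks_lines(SAMPLE_HTACCESS))
    print(owner_mismatched_links(build_sample_tree()))
```

Apache's documentation notes that the owner check is subject to race conditions, so an empty result describes the tree at scan time only.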

