Thursday, October 30, 2014

Apache - FollowSymLinks vs SymLinksIfOwnerMatch

“FollowSymLinks” is a directive in the Apache web server configuration that tells the server to follow symbolic links. Websites are often set up so that pictures, documents or other content appear to be physically located somewhere other than where they really are. For example, you may think that “<IMG SRC="/system/files/images/image1.jpg">” means image1.jpg is located in “/system/files/images/”, but on the server it is not necessarily there; it could be in “/var/www/files/images”. In this case, a symbolic link is created to tell the server: “If a request asks for /system/files/images/image1.jpg, get it from /var/www/files/images/image1.jpg”.

FollowSymLinks relates to server security: the setting tells your server whether or not it should follow symlinks. In the above example, if “FollowSymLinks” were disabled, a 403 (Forbidden) or a 404 (Not Found) error would be returned.

In Apache there are two places where you can find this directive: the “httpd.conf” file and a “.htaccess” file. The “httpd.conf” file holds the default value; a directive defined in “httpd.conf” is loaded when the Apache server starts. The following is an example:

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Satisfy all
</Directory>

The “.htaccess” file is used to override the default server settings in a particular folder. For example, the following line overrides the FollowSymLinks setting in the folder that contains the “.htaccess” file.

Options +FollowSymLinks

Security:

However, there are security issues with “FollowSymLinks”. Consider a web server with more than one user, where per-user home directories are enabled. Say “user1” has a “public_html” directory under “/home/user1”. Imagine the webmaster has a CGI script called “play” located in /var/www/cgi-bin and owned by “www-data”. The webmaster has restricted the read and execute permissions on “/var/www/cgi-bin/play” to its owner and no one else. Web clients can access the file because they run as “www-data”, but “user1” cannot read the script directly. However, “user1” can create a symbolic link to “play” from his own webspace, and then access “play” through the web from his own webspace. That is where “SymLinksIfOwnerMatch” comes in.

“SymLinksIfOwnerMatch” means the server will only follow symbolic links for which the target file or directory is owned by the same user id as the link.

You can set:
<Directory />
    Options SymLinksIfOwnerMatch
</Directory>

or

Options SymLinksIfOwnerMatch

in your “.htaccess” file to check if the target file or directory is owned by the same user id.

Note that with “SymLinksIfOwnerMatch” Apache has to issue extra system calls to check on symlinks: one extra call per filename component. For example, if you make a request for the URI /index.html, Apache will perform lstat(2) on /www, /www/htdocs, and /www/htdocs/index.html. The results of these lstat calls are never cached, so they occur on every single request.
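As an added example (not from this post or from the Apache project) covering both the cross-owner scenario in the Security section and the per-component lstat cost just described, here is a small Python simulation of the SymLinksIfOwnerMatch decision. The temporary docroot it builds, the file names and the use of /etc/passwd as a root-owned target are constructed assumptions for the demo, not anything on the page.

```python
import os
import stat
import tempfile
# Added example, not from the post or the Apache project: walks a path one
# component at a time with lstat(2), as the post says Apache does under
# SymLinksIfOwnerMatch, and reports what the server would do with each link.

def decide(docroot, uri):
    """Return {"status": 200|403|404, "reason": ..., "lstat_calls": [...]}.

    Each component of docroot+uri gets one os.lstat(); a symlink component is
    followed with os.stat() and the target's owner compared with the link's
    owner. A mismatch is the 403 case. URI assumed already normalised (no "..").
    """
    full = os.path.abspath(os.path.join(docroot, uri.lstrip("/")))
    calls, cur = [], os.sep
    for part in [p for p in full.split(os.sep) if p]:
        cur = os.path.join(cur, part)
        try:
            link = os.lstat(cur)  # one lstat per path component, never cached
        except FileNotFoundError:
            return {"status": 404, "reason": f"{cur} missing", "lstat_calls": calls}
        calls.append(cur)
        if stat.S_ISLNK(link.st_mode):
            try:
                target = os.stat(cur)  # resolves the link to its target
            except FileNotFoundError:
                return {"status": 404, "reason": f"{cur} dangling", "lstat_calls": calls}
            if link.st_uid != target.st_uid:  # the owner-match rule
                return {"status": 403, "reason": f"{cur}: link uid {link.st_uid} "
                        f"!= target uid {target.st_uid}", "lstat_calls": calls}
    return {"status": 200, "reason": "served", "lstat_calls": calls}

def build_demo_tree():
    """Constructed fixture: a temp docroot holding a same-owner symlink, a
    dangling symlink and, when not running as root, a link to root-owned
    /etc/passwd (the cross-owner case the post warns about)."""
    root = tempfile.mkdtemp()
    docroot = os.path.join(root, "htdocs")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "w") as fh:
        fh.write("<h1>demo</h1>")
    os.symlink(os.path.join(docroot, "index.html"), os.path.join(docroot, "alias.html"))
    os.symlink(os.path.join(root, "nope"), os.path.join(docroot, "dangling.html"))
    foreign = "/etc/passwd"
    has_foreign = os.path.exists(foreign) and os.stat(foreign).st_uid != os.geteuid()
    if has_foreign:
        os.symlink(foreign, os.path.join(docroot, "foreign.txt"))
    return docroot, has_foreign
```

Run `decide(docroot, "/foreign.txt")` after `build_demo_tree()` as a non-root user to see the 403 that the owner check produces, and compare the length of `lstat_calls` with the number of path components to see the per-request cost.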
