FollowSymLinks is a server security setting: the “FollowSymLinks” option tells your server whether or not it should follow symbolic links. In the above example, if “FollowSymLinks” was disabled, a 403 (Forbidden) or a 404 (Not Found) error would be returned.
In Apache there are two places where you can find this directive: the “httpd.conf” file and the “.htaccess” file. “httpd.conf” holds the default value; a directive defined in “httpd.conf” is loaded when the Apache server starts. Following is an example:
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Satisfy all
</Directory>
The “.htaccess” file is used to override the default server settings in particular folders. For example, the following line overrides the FollowSymLinks setting in the folder that contains the “.htaccess” file:
Options +FollowSymLinks
Security:
However, there are security issues with “FollowSymLinks”. Suppose the web server has more than one user and per-user home directories are enabled. Say “user1” has a “public_html” directory under “/home/user1”. Imagine the webmaster has a CGI script called “play” located in /var/www/cgi-bin and owned by “www-data”. The webmaster has restricted the read and execute permissions on “/var/www/cgi-bin/play” to its owner and no one else. Web clients can access the file because the server runs as “www-data”, but “user1” cannot read the script. However, “user1” can make a symbolic link to “play” from his own webspace, then log on to the Web and access “play” through his own webspace. That is where “SymLinksIfOwnerMatch” comes in.
“SymLinksIfOwnerMatch” means the server will only follow symbolic links for which the target file or directory is owned by the same user id as the link.
You can set:
<Directory />
    Options SymLinksIfOwnerMatch
</Directory>
or
Options SymLinksIfOwnerMatch
in your “.htaccess” file so that the server checks whether the target file or directory is owned by the same user id as the link.
Note that with “SymLinksIfOwnerMatch” Apache has to issue extra system calls to check up on symlinks: one extra call per filename component. For example, if you request the URI /index.html, Apache will perform lstat(2) on /www, /www/htdocs, and /www/htdocs/index.html. The results of these lstats are never cached, so they occur on every single request.
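To make the ownership rule and the per-component cost concrete, here is an added example (not code from the original post, and not Apache's own implementation) that models the three policies discussed above. It walks a request path one component at a time, calling lstat(2) on each component exactly as the text describes, records whether that component is a symlink and who owns the link versus its target, and then applies a policy to decide between 200 and 403. The policy names, the `inspect_path`/`decide` functions, the temporary document root and the sample uids in the comments are all assumptions made for this illustration; the walker only examines components below the document root, whereas Apache also checks the components leading up to it.

```python
import os
import stat
import tempfile
from typing import List, Optional, Tuple

# Hypothetical policy names that mirror the Apache Options values in the post.
NONE = "none"                        # neither option set: never follow symlinks
FOLLOW = "FollowSymLinks"            # follow any symlink, regardless of owner
OWNER_MATCH = "SymLinksIfOwnerMatch"  # follow only if link owner == target owner

# One record per path component: (is_symlink, link_owner_uid, target_owner_uid).
# target_owner_uid is None when the link is dangling.
Component = Tuple[bool, int, Optional[int]]


def inspect_path(docroot: str, uri: str) -> Tuple[List[Component], int]:
    """Walk docroot + uri one component at a time, issuing one lstat() per
    component (the cost the post describes). Returns the per-component records
    and the number of lstat() calls made, so the per-request cost is visible."""
    records: List[Component] = []
    lstat_calls = 0
    current = docroot
    for part in [p for p in uri.split("/") if p]:
        current = os.path.join(current, part)
        st = os.lstat(current)  # inspects the component itself, not its target
        lstat_calls += 1
        is_link = stat.S_ISLNK(st.st_mode)
        target_uid: Optional[int] = st.st_uid
        if is_link:
            try:
                target_uid = os.stat(current).st_uid  # follows the link
            except OSError:
                target_uid = None  # dangling symlink
        records.append((is_link, st.st_uid, target_uid))
    return records, lstat_calls


def decide(records: List[Component], policy: str) -> int:
    """Return 200 if every symlink in the path is acceptable under the policy,
    403 otherwise. With SymLinksIfOwnerMatch a link is only followed when the
    user id owning the link matches the user id owning the target."""
    for is_link, link_uid, target_uid in records:
        if not is_link:
            continue
        if policy == FOLLOW:
            continue
        if policy == OWNER_MATCH and target_uid is not None and link_uid == target_uid:
            continue
        return 403
    return 200


def demo() -> dict:
    """Build a constructed document root with a symlinked directory and evaluate
    the request /link/index.html under each policy. Both the link and its target
    are created by the current user, so the owner-match case is allowed here."""
    with tempfile.TemporaryDirectory() as docroot:
        os.makedirs(os.path.join(docroot, "real"))
        with open(os.path.join(docroot, "real", "index.html"), "w") as fh:
            fh.write("<h1>constructed sample page</h1>\n")
        os.symlink("real", os.path.join(docroot, "link"))  # link -> real
        records, calls = inspect_path(docroot, "/link/index.html")
        return {
            "lstat_calls": calls,  # 2: one for "link", one for "index.html"
            NONE: decide(records, NONE),
            FOLLOW: decide(records, FOLLOW),
            OWNER_MATCH: decide(records, OWNER_MATCH),
        }


if __name__ == "__main__":
    print(demo())
    # The post's scenario: user1 (uid 1001, assumed) links to a file owned by
    # www-data (uid 33, assumed). Under SymLinksIfOwnerMatch the owners differ,
    # so the request is refused.
    print(decide([(True, 1001, 33)], OWNER_MATCH))
```

The `decide` function is kept separate from the filesystem walk so the mismatched-owner case from the post can be exercised with constructed records, since creating files owned by two different users requires root.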