[kwlug-disc] Apache 403 & access.log questions

Cedric Puddy cedric at ccjclearline.com
Sat Apr 6 11:05:35 EDT 2019


As an aside/PSA, allowing webservers to follow symlinks is dangerous, and
if you must do it, read up on it first.

The basic attack is that if someone manages to create a symlink, they can
potentially point it anywhere on your server, and read anything the
webserver can read (other users' files, your
CMS config file that has your database uid/pw in it, your
system passwd file, etc, etc). For a remote attacker to create a symlink in
the first place is not *necessarily* trivial, depending on various factors
(For example, do you follow a dev/stage/production workflow where all
changes are made by git and your webroots are 100% readonly, and writes
*only* happen in a separate vhost/webroot that is dedicated only to files
that might potentially have been written by attackers?) and so forth.  And
sure, it's less dangerous if your vhost is chrooted in the webroot (but
that thing about them symlinking to your CMS config file would still be a
thing).

For our cPanel servers, we entirely disabled symlinks.  Rewrite rules, hard
links, using php to get your content from its real home.... there are ways
to get things done w/o symlinks.

Anyway, all that to say "News Flash!  Jerks Are Everywhere, Hate it when
People Have Nice Things!"

-Cedric

On Thu, 4 Apr 2019 at 23:21, Steve Izma <sizma at golden.net> wrote:

> On Thu, Apr 04, 2019 at 09:34:53PM -0400, Charles M wrote:
> > Subject: [kwlug-disc] Apache 403 & access.log questions
> >
> > When I surf to sitename/help/ access.log shows a 200 for the
> > index.html in that directory. However the index.html is just a
> > redirect to a subfolder below help called me/. That redirected folder
> > seems to be generating a 403 error. me/ has the same user and group
> > permission as well as the same access permissions - so I'm thinking
> > this has something to do with my main site apache configuration file?
>
> I'm not sure what you mean by a redirect -- do you mean that
> sitename/help/index.html contains either an HTML <meta
> content=...> tag (or some sort of javascript) or do you mean that
> index.html is a symbolic link to something in the subdirectory?
> If it's a link, then the apache config or .htaccess needs
> "FollowSymLinks" as an option. I would think a symlink is more
> straightforward than an extra file with code in it.
>
>         -- Steve
>
> --
> Steve Izma
> -
> Home: 35 Locust St., Kitchener, Ontario, Canada  N2H 1W6
> E-mail: sizma at golden.net  phone: 519-745-1313  cell: 519-998-2684
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?
> <http://en.wikipedia.org/wiki/Posting_style>
>
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>


-- 
| CCj/ClearLine - Hosting and TCP/IP Network Services since 1997
| 118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-489-0478x102
\________________________________________________________
  Cedric Puddy, IS Director cedric at ccj.host
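As an added illustration of the two checks Cedric's warning implies (it is not code from the post or the list), the script below does what a hosting admin would do before leaving symlink following on: it parses an Apache `Options` line to see whether unconditional `FollowSymLinks` is in effect, and it walks a document root looking for symlinks whose real target lies outside that root. The demo webroot, the `help/me/` layout and the outside `config.php` it links to are constructed in a temp directory purely for the example; `SymLinksIfOwnerMatch` is Apache's own safer alternative (the link is only followed when link and target have the same owner), and treating it as "not unconditional following" is this script's assumption.

```python
"""Audit helpers for the 'webserver follows symlinks' risk (added example)."""
import os
import tempfile
from pathlib import Path


def options_follow_symlinks(options_line):
    """Return True when an Apache `Options` directive line leaves unconditional
    FollowSymLinks enabled.

    Handles the absolute form (`Options Indexes FollowSymLinks`), the relative
    +/- form (`Options -FollowSymLinks +SymLinksIfOwnerMatch`), and the
    `All` / `None` keywords. SymLinksIfOwnerMatch is treated as the safe choice.
    """
    tokens = options_line.split()
    if not tokens or tokens[0].lower() != "options":
        raise ValueError("not an Options directive: %r" % options_line)
    enabled = False
    for tok in tokens[1:]:
        name = tok.lstrip("+-").lower()
        if name == "followsymlinks":
            enabled = not tok.startswith("-")
        elif name == "all" and not tok.startswith("-"):
            enabled = True  # Apache: All = every option except MultiViews
        elif name == "none":
            enabled = False
    return enabled


def find_escaping_symlinks(webroot):
    """Walk `webroot` without following links and return a list of
    (link_path, resolved_target) for every symlink whose final target is
    outside the (resolved) webroot. Links that stay inside are ignored."""
    root = Path(webroot).resolve()
    escaping = []
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()  # follows the whole chain; dangling links still resolve
            try:
                target.relative_to(root)
            except ValueError:
                escaping.append((link, target))
    return escaping


def build_demo_webroot():
    """Constructed sample tree: a legitimate in-root link (help/index.html ->
    help/me/index.html) and one link that escapes to a fake CMS config file
    kept outside the webroot. Returns the webroot path."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "help" / "me").mkdir(parents=True)
    (root / "help" / "me" / "index.html").write_text("<p>help me</p>\n")
    os.symlink(root / "help" / "me" / "index.html", root / "help" / "index.html")

    outside = Path(tempfile.mkdtemp(prefix="outside-"))
    secret = outside / "config.php"  # constructed placeholder, not a real config
    secret.write_text("<?php $db_pass = 'constructed-placeholder'; ?>\n")
    os.symlink(secret, root / "help" / "config.php")
    return root


if __name__ == "__main__":
    for line in ("Options Indexes FollowSymLinks",
                 "Options -FollowSymLinks +SymLinksIfOwnerMatch",
                 "Options None"):
        print("%-48s follows symlinks: %s" % (line, options_follow_symlinks(line)))
    demo = build_demo_webroot()
    for link, target in find_escaping_symlinks(demo):
        print("ESCAPES WEBROOT: %s -> %s" % (link, target))
```

Running it on a real docroot is just `find_escaping_symlinks("/var/www/example")`; anything it reports is exactly the kind of link the post describes, so it is a useful cron or pre-deploy check even on hosts where `FollowSymLinks` has already been turned off.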