[kwlug-disc] Apache 403 & access.log questions

Steve Izma sizma at golden.net
Mon Apr 8 17:04:40 EDT 2019


On Sat, Apr 06, 2019 at 11:05:35AM -0400, Cedric Puddy wrote:
> Subject: Re: [kwlug-disc] Apache 403 & access.log questions
> 
> As an aside/PSA, allowing webservers to follow symlinks is dangerous, and
> if you must do it, read up on it first.
> 
> The basic attack is that if someone manages to create a symlink, they can
> potentially point it anywhere on your server, and read anything the
> webserver can read (other users files, your
> CMS config file that has your database uid/pw in it, your
> system passwd file, etc, etc). For a remote attacker to create a symlink in
> the first place is not *necessarily* trivial, depending on various factors
> (For example, do you follow a dev/stage/production workflow where all
> changes are made by git and your webroots are 100% readonly, and writes
> *only* happen in a separate vhost/webroot that is dedicated only to files
> that might potentially have been written by attackers?) and so forth.  And
> sure, it's less dangerous if your vhost is chrooted in the webroot (but
> that thing about them symlinking to your CMS config file would still be a
> thing).

Thanks, Cedric, for the info. However, in trying to read up on it
I'm finding not-unexpected inconsistencies. The Drupal folks seem
to have had long conversations about this (which I didn't follow
in great detail, not having enough time) and appear to recommend
SymLinksIfOwnerMatch, which at least one other commentator claims
doesn't help.

I will try to find time to test this out in order to get a better
grasp of it, but my main concern is MediaWiki, where I need to
set up multiple instances on a host. As far as I can tell, this
has always been done with large quantities of symlinks and I
don't see any discussion among MediaWiki implementors as to this
causing a security problem.

Any ideas about this?

	-- Steve

-- 
Steve Izma
-
Home: 35 Locust St., Kitchener, Ontario, Canada  N2H 1W6
E-mail: sizma at golden.net  phone: 519-745-1313  cell: 519-998-2684

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
<http://en.wikipedia.org/wiki/Posting_style>
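The symlink-escape risk Cedric describes can be audited before you turn on FollowSymLinks. The following script is an added example written for this thread, not code from either poster or from the Apache or MediaWiki projects: it walks a webroot, resolves every symlink, and flags any link whose target lands outside the webroot (the case where Apache would happily serve a CMS config or /etc/passwd). The directory names in demo_webroot are hypothetical and constructed on the fly under mktemp; the script assumes GNU coreutils (readlink -f).

```shell
#!/bin/sh
# Added example (not from the thread): find symlinks under a webroot that
# resolve to files outside it.  Assumes GNU readlink -f (Linux coreutils).
set -eu

# audit_symlinks WEBROOT
# Prints one line per symlink under WEBROOT whose resolved target is outside
# WEBROOT:   ESCAPE <link> -> <resolved target>
audit_symlinks() {
    root=$(readlink -f "$1")
    find "$root" -type l | while IFS= read -r link; do
        # readlink -f follows chains of links; a link that cannot be resolved
        # is reported as '(unresolvable)' and therefore flagged as well
        target=$(readlink -f "$link" 2>/dev/null || printf '%s' '(unresolvable)')
        case "$target" in
            "$root"/*) ;;   # stays inside the webroot: acceptable
            *) printf 'ESCAPE %s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# count_escapes WEBROOT
# Number of escaping links, handy as a check in a deploy script or cron job.
count_escapes() {
    audit_symlinks "$1" | wc -l | tr -d ' '
}

# demo_webroot
# Builds a throwaway layout (hypothetical paths, constructed here): one
# MediaWiki-style link to shared code inside the webroot, which is fine, and
# one link to a config file outside it, which should be flagged.  Prints the
# number of escaping links found and removes the temporary tree.
demo_webroot() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/outside" "$tmp/webroot/site1" "$tmp/webroot/shared"
    printf 'db_password=constructed-sample\n' > "$tmp/outside/settings.php"
    printf 'shared code\n' > "$tmp/webroot/shared/include.php"
    ln -s "$tmp/webroot/shared/include.php" "$tmp/webroot/site1/include.php"
    ln -s "$tmp/outside/settings.php" "$tmp/webroot/site1/settings.php"
    n=$(count_escapes "$tmp/webroot")
    rm -rf "$tmp"
    printf '%s\n' "$n"
}

# Usage: ./audit.sh /var/www        (prints ESCAPE lines, if any)
if [ "${1:-}" ]; then
    audit_symlinks "$1"
else
    printf 'demo: %s escaping link(s)\n' "$(demo_webroot)"
fi
```

The shared-code links that a multi-instance MediaWiki setup uses all stay inside the webroot, so a clean run prints nothing; anything it does print is a link you want to know about before Apache does. The check is deliberately stricter than SymLinksIfOwnerMatch, which only compares the owner of the link with the owner of its target and says nothing about where the target lives.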
