#15249 FollowSymLinks

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Friday, 01 March 2013 12:22 CST

akeebafan

Hi, it would be great if your htaccess maker could also support SymLinksIfOwnerMatch.

Background:

The ability to FollowSymlinks is considered very unsafe in shared hosting and usually disabled (although some hosts patch Apache to "map" FollowSymlinks to SymLinksIfOwnerMatch internally).

But not a very high priority :-)

nicholas
Akeeba Staff
Manager
I might add it in a future release. Is there a particular use case? Symlinks on a web server seem like an awful idea anyway, even with owner matching. I can think of a scenario where an attacker can access privately stored off-site files with symlinks. Besides, this option doesn't change PHP's ability to access symlinked files (open_basedir in php.ini does).

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

akeebafan

I agree Symlinks is not a good idea, but since the htaccess maker offers that option it would make sense to also offer the "safer" option (which doesn't have any security issues, and is usually enabled on hosts).

Regarding PHP. PHP is typically run as "the user", which doesn't have any "global" permissions. However, the Apache user needs to access static files such as images, but since it is typically not run as "the user", Apache needs to be added to "the user" group in order to access files in the user's home folder (and then "follow symlinks if user doesn't match" is really fun).

Again, not a big deal, since nobody has mentioned it yet.

nicholas
Akeeba Staff
Manager

That's what I'm saying. Images and other static files / folders with static files should not be symlinked. It's a security hole. Imagine this:

/home/username/private
/home/username/public_html

What happens if an attacker symlinks /home/username/public_html/private to /home/username/private? Disaster.

With PHP I can at least do open_basedir=/home/username/public_html (mind no trailing slash) and I'm set.

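An added example, not part of the ticket or of Admin Tools: a Python audit that lists every symlink under a web root, flags those that resolve outside it, and records whether link and target share an owner, which is the comparison SymLinksIfOwnerMatch makes. The temporary directory layout and the function names are constructed for illustration.

```python
import os
import tempfile

def audit_symlinks(docroot):
    """Return (link, resolved_target, escapes_docroot, owner_matches) per symlink.

    owner_matches mirrors the SymLinksIfOwnerMatch comparison: the owner of
    the link itself against the owner of whatever it points to.
    """
    root = os.path.realpath(docroot)
    findings = []
    # followlinks=False: symlinked directories are listed but never descended.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            escapes = os.path.commonpath([root, target]) != root
            try:
                owner_matches = os.lstat(link).st_uid == os.stat(link).st_uid
            except OSError:  # dangling link: there is no target to compare
                owner_matches = False
            findings.append((link, target, escapes, owner_matches))
    return findings

def demo():
    """Build the layout from the post in a temp dir (constructed sample)."""
    home = tempfile.mkdtemp()
    private = os.path.join(home, "private")
    docroot = os.path.join(home, "public_html")
    os.makedirs(private)
    os.makedirs(os.path.join(docroot, "images"))
    with open(os.path.join(private, "secret.txt"), "w") as fh:
        fh.write("constructed sample data\n")
    os.symlink(private, os.path.join(docroot, "private"))  # leaves the docroot
    os.symlink(os.path.join(docroot, "images"),
               os.path.join(docroot, "img"))               # stays inside it
    return docroot, audit_symlinks(docroot)

if __name__ == "__main__":
    for link, target, escapes, same_owner in demo()[1]:
        print(f"{link} -> {target} escapes={escapes} owner_match={same_owner}")
```

For the layout from the post, the `private` link is reported as escaping the web root while its owner check passes, because the same account owns both the link and its target.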

akeebafan

Yes, exactly. And FollowSymLinks is usually on hosting (but SymLinksIfOwnerMatch not), and I was thinking whether it would make sense to offer that option as well? Not a high priority, of course.

nicholas
Akeeba Staff
Manager

I would rather not.

