
Symlink race condition vulnerability | Forum

dave Leader
dave Aug 31 '14
I've been meaning to ask the Oxwall devs this for some time. As you know, there is a vulnerability in Apache via FollowSymLinks.

"If you enable both of the configuration settings SymLinksIfOwnerMatch and FollowSymLinks, Apache will be vulnerable to a race condition through symlinks. This symlink vulnerability allows a malicious user to serve files from anywhere on a server that has not been protected by strict OS-level permissions."

So I not only did the suggested fix for this using mod_ruid and jailshell, but I also have both SymLinksIfOwnerMatch and FollowSymLinks disabled.

I notice that you use FollowSymLinks in your "out of the box" htaccess file.

Can you tell me what effect this will have on my sites, since I have both of these disabled server side?


ross Team
ross Sep 1 '14

If your mod_rewrite code works without the Options +FollowSymLinks directive, that means that your server configuration file has enabled them already, and you won't need that directive in your .htaccess files.

dave Leader
dave Sep 1 '14
Thanks for the reply, ross; however, I'm trying to discover something here. From what you said, it sounds as if without FollowSymLinks Oxwall will break.

I would like to know what is going to break, and how deeply the script is vested in that directive. Can we live and function without whatever is broken without the directive?

ross Team
ross Sep 2 '14

If it is disabled, the server will not follow the symbolic links in the catalog of the website; thus, if there's a symbolic link in the catalog of the website, then while inquiring to a certain URL, the accessing of the content, where a symbolic link is referred to, will not be possible.

dave Leader
dave Sep 2 '14

TY sir, I do have an important reason for asking this. I guess I'm not making myself very clear and I do apologize for that. I'm not seeking a definition or a definition applied to a script, as I know what they are. I am seeking, for lack of a better word, an example or possibly several. The reason is that I'm trying to determine at what percentage the script is solely dependent on the SL's.

I guess I could just see what breaks, but that is not really the best way; it's dev by hack job and I don't prefer to do it that way.

Can you provide a core example or is there a function that manages the SL's in the script itself?

The Forum post is edited by dave Sep 2 '14
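
One way to answer the "what would break" question without trial and error, as an added example that is not part of the thread or of Oxwall's code: inventory every symlink under the document root, record whether it leaves the docroot and whether link and target share an owner (the comparison SymLinksIfOwnerMatch makes), and list `.htaccess` lines that set symlink options. The function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Matches an Apache "Options ..." line; only symlink-related ones are reported.
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+)$", re.IGNORECASE)

def audit_docroot(docroot):
    """Walk docroot without following links; return (symlinks, htaccess_hits)."""
    root = os.path.realpath(docroot)
    symlinks, htaccess_hits = [], []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                try:
                    # Link uid vs target uid, as SymLinksIfOwnerMatch compares them.
                    owner_match = os.lstat(path).st_uid == os.stat(path).st_uid
                except OSError:  # dangling link: nothing to serve either way
                    owner_match = None
                symlinks.append({
                    "link": os.path.relpath(path, root),
                    "target": target,
                    "inside_docroot": os.path.commonpath([root, target]) == root,
                    "owner_match": owner_match,
                })
            elif name == ".htaccess" and os.path.isfile(path):
                with open(path, errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        m = OPTIONS_RE.match(line)
                        if m and "symlinks" in m.group(1).lower():
                            htaccess_hits.append(
                                (os.path.relpath(path, root), lineno, line.strip()))
    return symlinks, htaccess_hits

def build_sample_tree(base):
    """Constructed sample: one link inside the docroot, one escaping it."""
    docroot = os.path.join(base, "public_html")
    os.makedirs(os.path.join(docroot, "static"))
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("outside docroot\n")
    with open(os.path.join(docroot, ".htaccess"), "w") as fh:
        fh.write("Options +FollowSymLinks\nRewriteEngine On\n")
    os.symlink(os.path.join(docroot, "static"), os.path.join(docroot, "assets"))
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(docroot, "leak.txt"))
    return docroot

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for entry in sum(audit_docroot(build_sample_tree(tmp)), []):
            print(entry)
```

If the symlink list comes back empty, the remaining dependency is mod_rewrite itself: Apache refuses `RewriteRule` in `.htaccess` context with a 403 when both FollowSymLinks and SymLinksIfOwnerMatch are off for that directory.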