We build. You grow.

Get best community software here

Start a social network, a fan-site, an education project with oxwall - free opensource community software

Get started
Google+

Symlink race condition vulerability | Forum

Topic location: Forum home » Support » Installation Troubleshooter and Server setup
dave Leader
dave Aug 31 '14
I been meaning to ask this for some time from the oxwall devs.    As you know there is a vulnerability in Apache via FollowSymLinks.


"If you enable both of the configuration settings SymLinksIfOwnerMatch 

and FollowSymLinks, Apache will be vulnerable to a race condition through symlinks. This symlink vulnerability allows a malicious user to serve files from anywhere on a server that has not been protected by strict OS-level permissions."


So i not only did the suggested fix for this using mod_ruid and jailshell but i also have both SymLinkIfOwnerMatch and FollowSymLinks disabled.


I notice that you use FollowSymLinks in your "out of the box" htaccess file.


 Can you tell me what affect this will have on my sites since i have these both disabled server side?


Thanks

#1
ross Team
ross Sep 1 '14

If your mod_rewrite code works without the Options +FollowSymLinks directive, that means that your server configuration file has enabled them already, and you won't need that directive in your .htaccess files.


https://www.google.com/?gws_rd=ssl#q=followsymlinks%20htaccess
#2
dave Leader
dave Sep 1 '14
Thanks for the reply ross, however im trying to discover something here.  From what you said it sounds as if without the followsymlinks oxwall will break.  


I would like to know what is going to break, and how deeply is the script vested in that directive.  Can we live and function without whatever is broken without the directive. 

#3
ross Team
ross Sep 2 '14

if it is disabled, the server will not follow the symbolic links in the catalog of the website, thus, if there's a symbolic link in the catalog of the website, then while inquiring to a certain URL, the accessing of the content, where a symbolic link is referred to, will not be possible. 

#4
dave Leader
dave Sep 2 '14

TY sir,  i do have an important reason for asking this.  I guess im not making myself very clear and i do apologize for that.   Im not seeking a definition or a definition applied to a script, as i know what the are.  I am seeking for lack of a better word an example or possibly several. The reason is that im trying to determine at what percentage is the script soley dependent on the SL's


I guess i could just see what breaks but that is not really the best way and its dev by hack job and dont prefer to do it that way.


Can you provide a core example or is there a function that manages the SL's in the script itself?

The Forum post is edited by dave Sep 2 '14
#5
Abu Road Escort
Abu Road Escort Jul 20 '22
Agra Escorts | < | > | Allahabad Escorts | < | > | Lucknow Escorts | < | > | Ghaziabad Escorts | < | > | Aligarh Escorts | < | > | Ambedkar Nagar Escorts | < | > | Auraiya Escorts | < | > | Azamgarh Escorts | < | > | Baghpat Escorts | < | > | Bahraich Escorts | < | > | Ballia Escorts | < | > | Balrampur Escorts | < | > | Banda Escorts | < | > | Barabanki Escorts | < | > | Bareilly Escorts | < | > | Basti Escorts | < | > | Bijnor Escorts | < | > | Budaun Escorts | < | > | Bulandshahar Escorts | < | > | Chandauli Escorts | < | > | Chitrakoot Escorts | < | > | Deoria Escorts | < | > | Etah Escorts | < | > | Etawah Escorts | < | > | Faizabad Escorts | < | > | Farrukhabad Escorts | < | > | Fatehpur Escorts | < | > | Firozabad Escorts | < | > | Gautam Buddha Nagar Escorts | < | > | Ghazipur Escorts | < | > | Gonda Escorts | < | > | Gorakhpur Escorts | < | > | Hamirpur Escorts | < | > | Hardoi Escorts | < | > | Jalaun Escorts | < | > | Jaunpur Escorts | < | > | Jhansi Escorts | < | > | Jyotiba Phule Nagar Escorts | < | > | Kannauj Escorts | < | > | Kanshiram Nagar Escorts | < | > | Kaushambi Escorts | < | > | Kheri Escorts | < | > | Kushinagar Escorts | < | > | Lalitpur Escorts | < | > | Mahamaya Nagar Escorts | < | > | Maharajganj Escorts | < | > | Mahoba Escorts | < | > | Mainpuri Escorts | < | > | Mathura Escorts | < | > | Mau Escorts | < | > | Meerut Escorts | < | > | Mirzapur Escorts | < | > | Moradabad Escorts | < | > | Muzaffarnagar Escorts | < | > | Pilibhit Escorts | < | > | Pratapgarh Escorts | < | > | Rae Bareli Escorts | < | > | Ramabai Nagar Escorts | < | > | Rampur Escorts | < | > | Saharanpur Escorts | < | > | Sant Kabir Nagar Escorts | < | > | Sant Ravidas Nagar Escorts | < | > | Shahjahanpur Escorts | < | > | Shrawasti Escorts | < | > | Siddharth Nagar Escorts | < | > | Sitapur Escorts | < | > | Sonbhadra Escorts | < | > | Sultanpur Escorts | < | > | Unnao Escorts | < | > | Varanasi Escorts | < | > |
#6
Start | Demo | About | Policies & Licenses | Blog | Contact Us | Oxwall Foundation | Roadmap | Developer Central | Oxwall hosting | Contribute | Partners | Donation | Community software | Dating software
© Copyright Oxwall Software
Oxwall Community Software