Joomla 3.0 htaccess: Options +FollowSymLinks


Beat

Feb 11, 2013, 3:26:19 PM
to Joomla! CMS Development
Hi,

I'm opening a discussion here after a very quick Google search on that
subject without hits, to get your impressions before opening a tracker
artifact and issuing a pull request:

Regarding the htaccess.txt of Joomla 3.0:
https://github.com/joomla/joomla-cms/blob/master/htaccess.txt#L19

Line:

Options +FollowSymLinks

Is not commented.

1) To my knowledge, Joomla does not use Symlinks, so it's not needed.

2) FollowSymLinks is a vulnerability by itself on shared hosting, as
it does NOT check for owners and thus allows customers to access any
part of the system, including other accounts on the same server. It
thus is / should be disabled by now on most hosting panels. The new
Apache2 directive to use is:

Options +SymLinksIfOwnerMatch

http://httpd.apache.org/docs/2.2/mod/core.html#options

So unless Joomla 3.0 is now using Symlinks (???), I recommend
changing the line:

Options +FollowSymLinks

to:

# Options +SymLinksIfOwnerMatch


Any thoughts ?

Best Regards,
Beat
http://www.joomlapolis.com/

Andreas Tasch

Feb 11, 2013, 5:12:33 PM
to joomla-...@googlegroups.com
Hi Beat,

Interesting topic. You made me curious and I did some research.

Afaik, the +FollowSymLinks option is only there for mod_rewrite to work:

But you are right, it seems that +SymLinksIfOwnerMatch is sufficient. Tested it with

Options -FollowSymLinks +SymLinksIfOwnerMatch

Imo, disabling -FollowSymLinks before enabling +SymLinksIfOwnerMatch makes sense if the global scope has enabled it by "accident"

So commenting the line out by default maybe does not get the desired effect if Apache global FollowSymLinks is enabled.

Also interesting:

However, even with FollowSymLinks enabled I was not able to create a symlink to another account on my server.
Assuming /www/customers/ as root for all users, /www/customers/myhome is my user's folder. Even with a payload and trying to symlink to another customer's resource, it does not work, e.g.
<?php
// Try to create a symlink from this account's web root to another
// customer's file, to see whether the OS lets the web user do it at all.
$target = '../otheruser/configuration.php';
$link = 'sy-link-test.txt';
if (symlink($target, $link)) {
    echo "success";
} else {
    echo "error";
}
?>
Because of different user permissions on the Linux file system this does not work. My user is not allowed to link to a resource outside his home directory, no matter how the Apache setting looks.
The only way I can imagine this would work is if you run PHP as a module or if you have chmod 777 your customers' home folders. But IF you have either PHP compiled as a module or your folders are world read-writable, you seriously have a LOT more problems than only the FollowSymLinks option, because you can just access any other file with ../otheruser/configuration.php. No shared hosting should ever run with PHP as a module, but I'm sure there are still some out there.
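The point made above about the global scope is worth seeing mechanically: Apache merges relative options (+Foo / -Foo) into whatever the enclosing scope already enabled, while an absolute list (Options Foo Bar) replaces it, so a commented-out line changes nothing if the server-wide config turned FollowSymLinks on. The following is an added example (not code from the thread or from the Joomla project) that computes the resulting Options set for an .htaccess fragment and rewrites the Joomla line into the form tested above. The sample htaccess text and the assumed server-wide setting are constructed for the demo.

```python
"""Added example (not from the thread or the Joomla project): compute the
Options set Apache ends up with after an .htaccess, so the difference
between commenting the Joomla line out and turning FollowSymLinks off
explicitly is visible.
"""
import re

# Option names are compared case-insensitively, as Apache does.
OPTIONS_DIRECTIVE = re.compile(r"^\s*Options\b(.*)$", re.IGNORECASE)

# "All" means every option except MultiViews (httpd 2.2 core docs).
ALL_OPTIONS = frozenset({
    "execcgi", "followsymlinks", "includes", "includesnoexec",
    "indexes", "symlinksifownermatch",
})


def _expand(name):
    """Expand the special names All/None; other names map to themselves."""
    name = name.lower()
    if name == "all":
        return set(ALL_OPTIONS)
    if name == "none":
        return set()
    return {name}


def effective_options(htaccess_text, inherited=frozenset()):
    """Return the (lowercased) options in force after applying every
    Options directive in htaccess_text on top of `inherited`, the set the
    server or virtual-host scope already enabled."""
    current = {o.lower() for o in inherited}
    for line in htaccess_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                       # comments do nothing, as in Apache
        m = OPTIONS_DIRECTIVE.match(stripped)
        if not m:
            continue
        tokens = m.group(1).split()
        if not tokens:
            continue
        relative = [t[0] in "+-" and len(t) > 1 for t in tokens]
        if all(relative):
            # Relative form: merge into what was inherited.
            for t in tokens:
                names = _expand(t[1:])
                if t[0] == "+":
                    current |= names
                else:
                    current -= names
        elif any(relative):
            raise ValueError("Apache rejects mixing +/- and absolute options: " + stripped)
        else:
            # Absolute form: replaces the inherited set entirely.
            current = set()
            for t in tokens:
                current |= _expand(t)
    return current


def follow_symlinks_enabled(htaccess_text, inherited=frozenset()):
    """True if Apache would follow any symlink in this directory."""
    return "followsymlinks" in effective_options(htaccess_text, inherited)


def harden_options_line(htaccess_text):
    """Rewrite the Joomla 3.0 line 'Options +FollowSymLinks' into the form
    tested in the thread; every other line is left untouched."""
    out = []
    for line in htaccess_text.splitlines():
        if re.match(r"^\s*Options\s+\+FollowSymLinks\s*$", line, re.IGNORECASE):
            out.append("Options -FollowSymLinks +SymLinksIfOwnerMatch")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample in the shape of the Joomla htaccess (not the real file).
JOOMLA_STYLE = """\
# Joomla-style line under discussion
Options +FollowSymLinks

RewriteEngine On
"""

COMMENTED_OUT = JOOMLA_STYLE.replace("Options +FollowSymLinks",
                                     "# Options +FollowSymLinks")

if __name__ == "__main__":
    server_wide = {"FollowSymLinks"}       # assumption: the global config enabled it
    print("commented out, global on:", follow_symlinks_enabled(COMMENTED_OUT, server_wide))
    hardened = harden_options_line(JOOMLA_STYLE)
    print("hardened, global on     :", follow_symlinks_enabled(hardened, server_wide))
```

Run it as a script to see the two cases side by side; `effective_options` returns lowercased names, so compare against `"followsymlinks"` and `"symlinksifownermatch"` rather than the mixed-case spellings.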

Beat

Feb 11, 2013, 5:38:52 PM
to Joomla! CMS Development
Hi Andreas,

- 777 is not needed, 644 is enough to read the other user's file...
And 644 files are much more common on files inside a 750 folder...

- Imho, no need to run mod_php, it's also possible with fcgi.

Anyway, the problem is not whether it's possible or not; the problem is that
panels are starting to enforce that additional security measure:

Now popular hosting panels like cPanel and Virtualmin (GPL and PRO):

https://forums.cpanel.net/f185/fix-access-other-users-files-apache-followsymlinks-vs-symlinksifownermatch-147985.html

http://www.virtualmin.com/node/24574

are enforcing the symlinking.

And thus Joomla 3.0 htaccess.txt installs fail from start. But I can
understand that some older installs will allow the older option only.

Finally, most hosts which load mod_rewrite probably also allow symlinks
in the way they enforce it outside the htaccess file.

So in addition of the line change (maybe commented by default as which
to use might be a guess ?), an updated comment above should probably
be made in all cases ?

Best Regards,
Beat

Andreas Tasch

Feb 11, 2013, 7:41:56 PM
to joomla-...@googlegroups.com
Hi Beat,

I see the issue, the files are readable and this is sufficient under some circumstances. On my servers it does not work because I have only "virtual" users for apache vhosts (stored in mysql, libnss, suexec, fcgi) + open_basedir and disable_functions such as exec, shell_exec etc.

BUT this symlink vulnerability is really BIG. Reading through some cPanel discussions [1], the truth is you can't fix this at .htaccess level. Even with the Apache global config you can't kill it entirely. PHP security options are also meaningless (e.g. the user can execute CGI scripts, Perl etc.). It turns out to be unfixable at a higher level but has to be addressed at kernel level (if you use cPanel or other installations based on normal Linux user accounts, which most systems are).

Seems that SymLinksIfOwnerMatch has race conditions and performance issues, but it seems that it is not _the_ solution anyway.

According to the discussion [1] the only way to prevent this completely is to patch it at kernel level[2] or patch apache[3].

cPanel itself [4] comes to the conclusion that only a fix at kernel level makes sense. Maybe Apache could fix this too, but you can't really fix it inside a vhost, imho.


Wow, this is really scary, but honestly imo the source of the problem could not be fixed within Joomla!'s .htaccess. But you are right, maybe putting the less harmful option in is a barrier worth putting in.
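The owner check that SymLinksIfOwnerMatch performs (a link is only followed when link and target belong to the same user) is also something a host can audit on disk, independent of what any .htaccess says. The following is an added example (not code from the thread, cPanel or Joomla) that walks a document root, lists every symlink, and flags the ones a hardened server would refuse: dangling links, links whose target resolves outside the account's own tree (the ../otheruser/configuration.php pattern from the thread), and links whose target has a different owner. The temporary directory layout it builds is constructed for the demo, and because everything in it is created by one user, the owner lookup is injectable (`fake_owner`) so the mismatch case can be shown without two real accounts.

```python
"""Added example (not from the thread): audit the symlinks under a
document root the way Apache's SymLinksIfOwnerMatch judges them and flag
links pointing outside the account's own tree.  Layout is constructed.
"""
import os
import tempfile
from pathlib import Path


def real_owner(path):
    """uid of the path itself; lstat so a link's own owner is reported."""
    return os.lstat(path).st_uid


def audit_symlinks(docroot, owner_of=real_owner):
    """Return one dict per symlink below docroot.  `owner_of` is injectable
    so an owner mismatch can be reproduced without two real accounts."""
    docroot = Path(docroot).resolve()
    findings = []
    # followlinks=False (the default): symlinked directories are listed but not entered.
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            finding = {"link": str(link), "link_name": name, "target": None,
                       "dangling": False, "outside_docroot": False,
                       "owner_mismatch": False}
            try:
                target = link.resolve(strict=True)
            except (OSError, RuntimeError):        # missing target or a link loop
                finding["dangling"] = True
                findings.append(finding)
                continue
            finding["target"] = str(target)
            finding["outside_docroot"] = target != docroot and docroot not in target.parents
            # This is the SymLinksIfOwnerMatch test: link owner must equal target owner.
            finding["owner_mismatch"] = owner_of(str(link)) != owner_of(str(target))
            findings.append(finding)
    return findings


def violations(findings):
    """Only the links a hardened server would refuse or an admin should look at."""
    return [f for f in findings
            if f["dangling"] or f["outside_docroot"] or f["owner_mismatch"]]


def build_demo_docroot():
    """Constructed layout mirroring the thread's example paths:
        <tmp>/www/customers/myhome                        this account's web root
        <tmp>/www/customers/otheruser/configuration.php   another account's file
    Everything is created by the current user, so the real owner check
    cannot fire here; fake_owner() stands in for two accounts."""
    base = Path(tempfile.mkdtemp())
    myhome = base / "www" / "customers" / "myhome"
    other = base / "www" / "customers" / "otheruser"
    myhome.mkdir(parents=True)
    other.mkdir(parents=True)
    (myhome / "index.php").write_text("<?php echo 'mine';\n")
    (other / "configuration.php").write_text("<?php // placeholder, not real secrets\n")
    os.symlink("index.php", myhome / "ok-link.php")                            # inside, same owner
    os.symlink("../otheruser/configuration.php", myhome / "sy-link-test.txt")  # the thread's test link
    os.symlink("does-not-exist", myhome / "dangling")
    return myhome


def fake_owner(path):
    """Assumed owner lookup for the demo: 'otheruser' files belong to uid 1001."""
    return 1001 if "otheruser" in str(path) else 1000


if __name__ == "__main__":
    root = build_demo_docroot()
    for v in violations(audit_symlinks(root, owner_of=fake_owner)):
        print(v["link_name"], {k: v[k] for k in ("dangling", "outside_docroot", "owner_mismatch")})
```

On a real server you would call `audit_symlinks("/www/customers/myhome")` with the default owner lookup; the injected lookup exists only so the demo can show what an owner mismatch looks like when every file is owned by the same test user.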

piotr_cz

Feb 12, 2013, 4:14:36 AM
to Joomla! CMS Development
The host I use for most projects forbids using Options +FollowSymLinks for
security reasons and returns code 500.

I always hated that I have to comment this line out in .htaccess for every
Joomla installation.
Let's comment that out permanently; this may be a show-stopper for
beginners wanting to try out Joomla.


On Feb 11, 11:38 pm, Beat <beat...@gmail.com> wrote:
> Hi Andreas,
>
> - 777 is not needed, 644 is enough to read the other user's file...
> And 644 files are much more common on files inside a 750 folder...
>
> - Imho, no need to run mod_php, it's also possible with fcgi.
>
> Anyway, the problem is not whether it's possible or not; the problem is that
> panels are starting to enforce that additional security measure:
>
> Now popular hosting panels like Cpanel and Virtualmin (GPL and PRO):
>
> https://forums.cpanel.net/f185/fix-access-other-users-files-apache-fo...