Hi Beat,
interesting topic. You made me curious and I did some research.
Afaik, the +FollowSymLinks option is only there for mod_rewrite to work:
But you are right, it seems that +SymLinksIfOwnerMatch is sufficient. Tested it with
Options -FollowSymLinks +SymLinksIfOwnerMatch
Imo, disabling -FollowSymLinks before enabling +SymLinksIfOwnerMatch makes sense if the global scope has enabled it by "accident".
So commenting the line out by default may not have the desired effect if the global Apache FollowSymLinks is enabled.
Also interesting:
However, even with FollowSymLinks enabled, I was not able to create a symlink to another account on my server.
Assuming /www/customers/ as the root for all users, /www/customers/myhome is my user's folder. Even with a payload, trying to symlink to another customer's resource does not work, e.g.
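<?php
// Try to link to a file in another customer's home directory
$target = '../otheruser/configuration.php';
$link = 'sy-link-test.txt';
// symlink() returns true on success, false on failure
if (symlink($target, $link)) {
    echo "success";
} else {
    echo "error";
}
?>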
Because of different user permissions on the Linux file system, this does not work. My user is not allowed to link to a resource outside his home directory, no matter how the Apache setting looks.
The only way I can imagine this would work is if you run PHP as a module or if you have chmod 777 on your customers' home folders. But IF you have either PHP compiled as a module or your folders are world read-writable, you seriously have a LOT more problems than only the FollowSymLinks option, because you can just access any other file with ../otheruser/configuration.php. No shared hosting should ever run with PHP as a module, but I'm sure there are still some out there.
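For admins who want to check existing accounts, here is an added example (not part of the original post) that audits a customer directory for symlinks that resolve outside it or whose owner differs from the owner of the target, which is the comparison SymLinksIfOwnerMatch makes. The function name and reason labels are assumptions, the default path is the one used in the post, and the owner check is an approximation because it compares the link against its fully resolved target only.

```python
import os
import sys


def audit_symlinks(root):
    """Return (link, resolved_target, reasons) for every symlink under root
    that resolves outside root or is owned by a different uid than its target."""
    root_real = os.path.realpath(root)
    findings = []
    # followlinks=False: symlinked directories are listed but never descended into
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            reasons = []
            # The link leaves the customer's own tree (e.g. ../otheruser/...)
            if os.path.commonpath([root_real, target]) != root_real:
                reasons.append("escapes-root")
            try:
                # lstat() describes the link itself, stat() the resolved target
                if os.lstat(link).st_uid != os.stat(target).st_uid:
                    reasons.append("owner-mismatch")
            except OSError:
                # Dangling link, or the target cannot be reached by this user
                reasons.append("target-inaccessible")
            if reasons:
                findings.append((link, target, reasons))
    return findings


if __name__ == "__main__":
    # Default path is the example layout from the post
    root = sys.argv[1] if len(sys.argv) > 1 else "/www/customers/myhome"
    for link, target, reasons in audit_symlinks(root):
        print(f"{link} -> {target}: {', '.join(reasons)}")
```

Run it as a user that can stat every customer's files, otherwise cross-account targets show up as target-inaccessible instead of owner-mismatch.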