.htaccess: Option FollowSymLinks not allowed here

Mon, 12/31/2012 - 13:21
jonloh

I have defined the apache template with the following for the directory specific:

<Directory ${HOME}/public_html>
  Options -Indexes +IncludesNOEXEC +FollowSymLinks
  allow from all
  AllowOverride All
</Directory>

But every time I create a new virtual server, the AllowOverride All line gets appended to, with the following result:

<Directory /home/test/public_html>
  Options -Indexes +IncludesNOEXEC +SymLinksifOwnerMatch +ExecCGI
  allow from all
  AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
  AddHandler fcgid-script .php
  AddHandler fcgid-script .php5
  FCGIWrapper /home/test/fcgi-bin/php5.fcgi .php
  FCGIWrapper /home/test/fcgi-bin/php5.fcgi .php5
</Directory>

How can I prevent Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch from being automatically added? This causes a 500 error with the following message:

.htaccess: Option FollowSymLinks not allowed here

Mon, 12/31/2012 - 13:32
Locutus

Actually you should not prevent those Options from being added, since they are part of a security fix that could cause all your websites to be compromised if one of them gets hacked.

Mon, 12/31/2012 - 21:41
jonloh

Then is there any way to alter the options that are being added? Because it doesn't work well with the Options used in the .htaccess that Drupal needs.

Also, I just realized that the whole directive in the directory is being altered. I'm having trouble finding the file that's causing the alteration :(

Tue, 01/01/2013 - 10:54
jonloh

I've just found out that there are other forum posts similar to this, after I used the correct keyword to search.

I guess this seems to be a huge fix to the security hole for FollowSymlinks. In fact, there is a discussion going on in Drupal to change FollowSymLinks to SymLinksifOwnerMatch: http://drupal.org/node/1269780

For those hosting current clients, you can easily update their .htaccess files to use SymLinksIfOwnerMatch by executing the following bash command:

find /home -name ".htaccess" -type f -exec sed -i 's/FollowSymLinks/SymLinksIfOwnerMatch/g' {} ";"

Do backup your files first before you perform this, just in case something goes wrong :)

Will be updating the post title for better understanding on the issue.
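Before running the one-liner above on a server, a practitioner would want to know which files it will touch and whether anything else in them will still be rejected afterwards. The following script is an added example, not code from the thread or from Virtualmin: it parses the `AllowOverride ... Options=` line Virtualmin generates (quoted from the first post), reports every .htaccess Options token Apache would refuse with "Option X not allowed here", and optionally rewrites the files, keeping a .htaccess.bak copy. It goes beyond the sed command in two ways: FollowSymLinks is matched case-insensitively (Magento writes `+FollowSymlinks`), and `Options All` is treated as implying FollowSymLinks, since Apache defines All as every option except MultiViews, which is why a later post in this thread changes Magento's `Options All -Indexes` to `Options -Indexes`. The directory tree built in demo() is constructed for illustration.

```python
"""Which .htaccess files will 500 under a Virtualmin-style AllowOverride line,
and an optional in-place fix with backups.

Added example, not code from the thread or from Virtualmin. ALLOW_OVERRIDE
is quoted from the first post; the directory tree in demo() is constructed.
"""
import re
import shutil
import tempfile
from pathlib import Path

ALLOW_OVERRIDE = ("AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,"
                  "Indexes,MultiViews,SymLinksIfOwnerMatch")

# 'Options All' means every option except MultiViews (Apache core docs), so it
# implies FollowSymLinks and is rejected by the list above just like +FollowSymLinks.
ALL_OPTIONS = {"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
               "Indexes", "SymLinksIfOwnerMatch"}

# One 'Options ...' directive per line; group 1 is its token list.
OPTIONS_RE = re.compile(r"^[ \t]*Options[ \t]+(.+?)[ \t]*$", re.IGNORECASE | re.MULTILINE)


def allowed_options(allow_override_line):
    """Lower-cased option names the AllowOverride line lets .htaccess set."""
    m = re.search(r"Options=([\w,]+)", allow_override_line, re.IGNORECASE)
    if m:
        return {name.lower() for name in m.group(1).split(",")}
    if re.search(r"\bAll\b", allow_override_line, re.IGNORECASE):
        return {name.lower() for name in ALL_OPTIONS | {"MultiViews"}}
    return set()


def rejected_options(htaccess_text, allowed):
    """Tokens Apache would refuse with 'Option X not allowed here' (500 to the client)."""
    rejected = []
    for m in OPTIONS_RE.finditer(htaccess_text):
        for token in m.group(1).split():
            name = token.lstrip("+-").lower()
            if name == "none":
                continue
            wanted = {o.lower() for o in ALL_OPTIONS} if name == "all" else {name}
            if not wanted <= allowed and token not in rejected:
                rejected.append(token)
    return rejected


def convert(htaccess_text):
    """Rewrite Options lines only: FollowSymLinks (any case) -> SymLinksIfOwnerMatch,
    and drop a bare 'All' ('Options All -Indexes' becomes 'Options -Indexes')."""
    def fix(m):
        tokens = [re.sub("followsymlinks", "SymLinksIfOwnerMatch", t, flags=re.IGNORECASE)
                  for t in m.group(1).split() if t.lstrip("+").lower() != "all"]
        return "Options " + " ".join(tokens) if tokens else "# 'Options All' removed"
    return OPTIONS_RE.sub(fix, htaccess_text)


def fix_tree(root, allow_override=ALLOW_OVERRIDE, write=False):
    """Map each offending .htaccess below root (relative path) to its rejected tokens.
    With write=True, keep a .htaccess.bak copy and rewrite the file in place."""
    allowed = allowed_options(allow_override)
    report = {}
    for path in sorted(Path(root).rglob(".htaccess")):
        text = path.read_text()
        bad = rejected_options(text, allowed)
        if not bad:
            continue
        report[str(path.relative_to(root))] = bad
        if write:
            shutil.copy2(path, path.with_name(".htaccess.bak"))
            path.write_text(convert(text))
    return report


def demo():
    """Constructed /home-like tree modelled on the thread's Drupal and Magento snippets."""
    with tempfile.TemporaryDirectory() as root:
        home = Path(root)
        files = {
            "drupal/public_html/.htaccess": "Options -Indexes\nOptions +FollowSymLinks\nRewriteEngine on\n",
            "magento/public_html/.htaccess": "Options +FollowSymlinks\nRewriteEngine on\n",
            "magento/public_html/media/.htaccess": "Options All -Indexes\n",
            "plain/public_html/.htaccess": "Options -Indexes +SymLinksIfOwnerMatch\n",
        }
        for rel, text in files.items():
            (home / rel).parent.mkdir(parents=True, exist_ok=True)
            (home / rel).write_text(text)
        before = fix_tree(home, write=True)   # report and fix
        after = fix_tree(home)                # nothing left to reject
        converted = {rel: (home / rel).read_text() for rel in files}
        backups = sorted(str(p.relative_to(home)) for p in home.rglob(".htaccess.bak"))
        return before, after, converted, backups
```

Run `fix_tree("/home")` first without `write=True` to get the list of files and tokens that would be changed; `fix_tree("/home", write=True)` then does the rewrite. Passing a different `allow_override` string shows the effect of editing the vhost instead: with `FollowSymLinks` appended to the `Options=` list nothing is rejected, which is exactly the trade-off the rest of this thread argues about.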

Fri, 01/18/2013 - 15:59
Smalls

I too am having this issue, no matter what I put in the apache directives, virtualmin appends the same line as the OP posts.

It will also append this line if a backup is restored... incredibly irritating...

Fri, 01/18/2013 - 16:00
Smalls

oh and by the way, some websites do not work with SymLinksIfOwnerMatch - namely, Magento. It REQUIRES FollowSymLinks to function properly...

this current behaviour is creating a nightmare for me

Fri, 01/18/2013 - 17:03
tpnsolutions

Hi,

As already mentioned, the change was part of a patch release of Virtualmin recently. It is not recommended to use FollowSymLinks. While I understand that some scripts don't work with the recommended, secure method, it may be better to contact the developer of the scripts and ask them to adjust their scripts to help them to enforce better security measures, rather than working on a way to make your system less secure. Though, I do understand that it is a bummer if you are using scripts which don't work quite right with the currently enforced settings.

*** Generally speaking, SymLinksIfOwnerMatch won't be a problem if you have a dedicated copy of a script and related files within the domain's directory and therefore not Symbolically linked. ***

Best Regards,
Peter Knowles | TPN Solutions
Email: pknowles@tpnsolutions.com | Skype: tpnassist

Fri, 01/18/2013 - 17:03
andreychek

Magento works with SymLinksIfOwnerMatch, you just need to update the Magento .htaccess files to use that rather than FollowSymLinks.

Any Virtualmin site that uses FollowSymLinks can be exploited to allow that user to read all files in /home. That was creating a nightmare of a different sort :-)

To solve the issue you're seeing, I'd recommend just updating Magento's .htaccess files.

However, if you don't wish to do that, and you are okay with the security issues that exist, you can always prevent Virtualmin from applying that fix in the future by editing the file /etc/webmin/virtual-server/config and adding the line allow_symlinks=1 to the end of the file.

-Eric
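What the reply above describes, as an added example (not code from the thread, from Apache or from Virtualmin): a small Python model of the symlink check Apache performs on every path component during its directory walk, run over a constructed in-memory /home with two domain owners. It shows why a symlink dropped into a compromised site's docroot is served under FollowSymLinks (the Apache worker, not the compromised user's PHP process, opens the target as a static file) but refused under SymLinksIfOwnerMatch, and, because that check is an lstat() of the link followed later by the open(), it also models the race that Apache's documentation warns about and that is quoted further down this thread. The user IDs, paths and filesystem layout are assumptions made for the example.

```python
"""Model of Apache's symlink policy during the per-request directory walk.

Added example, not code from the thread or from Apache. The in-memory
filesystem, user IDs and paths are constructed; the three rules (no option,
FollowSymLinks, SymLinksIfOwnerMatch) follow the Apache core documentation.
Simplification: one Options set is applied to the whole walk, where real
Apache uses whichever <Directory> section matches each component.
"""
import posixpath

ALICE, MALLORY = 1001, 1002   # two Virtualmin domain owners on one box (constructed)

# path -> (owner uid, symlink target or None). Targets are absolute.
FS = {
    "/home":                                              (0, None),
    "/home/alice":                                        (ALICE, None),
    "/home/alice/public_html":                            (ALICE, None),
    "/home/alice/public_html/sites":                      (ALICE, None),
    "/home/alice/public_html/sites/default":              (ALICE, None),
    "/home/alice/public_html/sites/default/settings.php": (ALICE, None),
    "/home/mallory":                                      (MALLORY, None),
    "/home/mallory/public_html":                          (MALLORY, None),
    "/home/mallory/public_html/release":                  (MALLORY, None),
    # Legitimate: Mallory links to a file she owns herself.
    "/home/mallory/public_html/current":                  (MALLORY, "/home/mallory/public_html/release"),
    # Hostile: after Mallory's site is compromised, a link into Alice's docroot is dropped.
    # The Apache worker serves whatever it points at as a plain static file.
    "/home/mallory/public_html/steal.txt":                (MALLORY, "/home/alice/public_html/sites/default/settings.php"),
}


class SymlinkForbidden(Exception):
    """Apache answers 403 ('Symbolic link not allowed or link target not accessible')."""


def _follow(path, options, fs):
    """Apply the policy to one path component, chasing symlink chains."""
    while True:
        if path not in fs:
            raise FileNotFoundError(path)
        owner, target = fs[path]
        if target is None:
            return path                      # regular file or directory
        if "FollowSymLinks" in options:
            pass                             # followed unconditionally, no ownership check
        elif "SymLinksIfOwnerMatch" in options:
            if target not in fs:
                raise FileNotFoundError(target)
            if fs[target][0] != owner:       # lstat(link).st_uid != stat(target).st_uid
                raise SymlinkForbidden(path)
        else:
            raise SymlinkForbidden(path)     # with neither option, no symlink is followed
        path = target


def resolve(url_path, docroot, options, fs=FS):
    """Translate url_path under docroot, checking every component; return the real path."""
    real = "/"
    for part in (docroot + "/" + url_path).split("/"):
        if part:
            real = _follow(posixpath.join(real, part), options, fs)
    return real


def outcome(url_path, docroot, options, fs=FS):
    """The real path that would be served, or 'forbidden' / 'missing'."""
    try:
        return resolve(url_path, docroot, options, fs)
    except SymlinkForbidden:
        return "forbidden"
    except FileNotFoundError:
        return "missing"


def compare(url_path="steal.txt", docroot="/home/mallory/public_html"):
    """The same request under each of the three settings the thread argues about."""
    return {name: outcome(url_path, docroot, opts) for name, opts in (
        ("None", set()), ("FollowSymLinks", {"FollowSymLinks"}),
        ("SymLinksIfOwnerMatch", {"SymLinksIfOwnerMatch"}))}


def serve(url_path, docroot, options, fs, between_check_and_open=None):
    """Apache checks the path, then open()s it; the kernel follows links regardless of
    Options. Whoever changes the link in between wins the race."""
    resolve(url_path, docroot, options, fs)                    # policy check
    if between_check_and_open:
        between_check_and_open(fs)                             # attacker's window
    return resolve(url_path, docroot, {"FollowSymLinks"}, fs)  # what open() really does


def race_demo():
    """Why Apache says the owner check 'should not be considered a security restriction':
    the link points at Mallory's own file while it is checked, then at Alice's file
    before it is opened."""
    fs = dict(FS)
    link = "/home/mallory/public_html/steal.txt"
    fs[link] = (MALLORY, "/home/mallory/public_html/release")
    def swap(fs):
        fs[link] = (MALLORY, "/home/alice/public_html/sites/default/settings.php")
    return serve("steal.txt", "/home/mallory/public_html", {"SymLinksIfOwnerMatch"}, fs, swap)
```

`compare()` returns the attacker's request served under FollowSymLinks and refused under the other two settings, while `compare("current")` shows a link to the user's own file still working under SymLinksIfOwnerMatch, which is the case the tpnsolutions reply refers to. `race_demo()` returns Alice's settings.php despite SymLinksIfOwnerMatch, which is why the option narrows the attack rather than closing it: on a box where the users are not trusted, the filesystem permissions between home directories still have to hold on their own.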

Sun, 04/14/2013 - 09:18
sz00gun

Hello

I have a Magento website and I use the best panel: Virtualmin! I do not want to change it, but as you know Virtualmin doesn't work (500 ERROR) with the FollowSymLinks that is in the .htaccess ;(

I know I can change it to SymLinksIfOwnerMatch, but there are some security issues ;( Do the security issues affect the website or Virtualmin?

I have a dedicated server with 1 admin only, so others cannot log in to the Virtualmin panel.

The most important thing is having a secured Magento.

What should I do: change the option to SymLinksIfOwnerMatch, or change Virtualmin?

Please advise.

Sun, 04/14/2013 - 21:46
andreychek

Virtualmin doesn't work (500 ERROR) with FollowSymLinks which is in the .htaccess

Well, Virtualmin configures Apache not to allow that, as allowing it enables users on your system to be able to read any files in /home.

I know, I can change it to: SymLinksIfOwnerMatch, but there as some security issues ;( Do security issues affect a website or Virtualmin?

I would highly recommend changing the htaccess file to "SymLinksIfOwnerMatch", I'm not aware of any security issues with that. It's actually the other way around, not using that is a huge security issue.

You can disable this security fix if you want, though that's not something I'd recommend.

It may not matter as much though if all the users on your system are trusted.

-Eric

Thu, 05/16/2013 - 15:32
marco1492

Had the same issue with Virtualmin. In my case it worked by changing to SymLinksIfOwnerMatch...

Sun, 07/21/2013 - 14:32
aerozeppelin

find /home -name ".htaccess" -type f -exec sed -i 's/FollowSymLinks/SymLinksIfOwnerMatch/g' {} ";"

Solved it for me

Thu, 10/04/2018 - 18:44 (Reply to #12)
tonytonez

Hi,

It's been a long time, but how can I undo this command? My site now just downloads a file every time I access it.

Please let me know as it would really help me.

Thanks

Sun, 06/07/2015 - 17:19
Francewhoa

aerozeppelin solution worked. Thanks :)

- - -
Senior Product Manager, and Co-Founder at Ubertus.org Inc.
Love back your Virtualmin & Webmin community

Fri, 07/18/2014 - 10:23
philmck

If anyone's still struggling with this, I think I've found a better solution, at least for my situation.

I'm using Virtualmin to manage a VPS that contains several sites, all owned by me or my friends. I use a variety of common content management systems, including Drupal and Magento, both of which try to enable FollowSymLinks in their .htaccess files. Whenever these CMS systems are updated (e.g. using Drush or Magento Connect Manager), my sites stop working with an unhelpful 500 error until I remember that I have to hack the .htaccess files each time.

In my humble opinion, both Drupal and Magento should be fixed to use SymLinksIfOwnerMatch instead. Appropriate bugs/enhancement requests exist for both platforms but don't hold your breath waiting for a resolution.

Meanwhile I investigated the "security vulnerability" that would be caused by enabling FollowSymLinks for these domains on my VPS and it doesn't seem to be too serious. Basically it means one hacked user might be able to access another's files, which would be very bad on shared hosting but not so bad on a VPS owned by one person. So I want to override the Virtualmin behaviour for the affected domains.

The way I found to do this is to go to Services > Configure Website > Edit Directives for the Virtualmin domain in question, find the line that says "AllowOverride All Options=..." under Directory /home/[domain]/public_html and add FollowSymLinks to the end of the list of options so it becomes AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks

It's still a good idea to change a newly-updated .htaccess file for Drupal or Magento to enable SymLinksIfOwnerMatch instead of FollowSymLinks, but at least you won't get a 500 error in the meantime. In fact I think all you need to do is comment out the Options +FollowSymLinks line since Virtualmin enables SymLinksIfOwnerMatch by default.

Hope this helps someone.

Phil McKerracher www.beeches.it

Sun, 07/20/2014 - 14:24
lp86

No, please do NOT do this. Do not purposely disable security features just because they are inconvenient. You are just asking for trouble by doing this! All you need to do is remove the invalid syntax from the htaccess file.

Mon, 07/21/2014 - 07:55
philmck

Not sure what you mean by "invalid syntax" - I think you meant "forbidden option" or something.

Just to be clear, I'm NOT advocating any change in Webmin/Virtualmin. I was only discussing situations like mine where there's only one user on a VPS.

I think Drupal and Magento should change though - there's no security risk in using SymLinksIfOwnerMatch as far as I know.

Wed, 08/27/2014 - 03:12
erwindeclerck

I'm not a bash scripter but something like this does the job for me. No error checking, so take care. If someone is skilled enough to make this script more robust, be my guest!

Add this function to your .bashrc or .profile script (I think .bashrc is most appropriate)

function sedsymlinks(){
  base="/home/"
  public="/public_html"
  files="/sites/default/files"
  rootpath="$base$1$public/.htaccess"
  filepath="$base$1$public$files/.htaccess"

  # Without a name, $rootpath would be /home//public_html/.htaccess; refuse to continue.
  [ -n "$1" ] || { echo 'usage: sedsymlinks NAME_OF_THE_VIRT_HOMEDIR'; return 1; }

  echo '-------START-------'
  for htaccess in "$rootpath" "$filepath"; do
    if [ -f "$htaccess" ]; then
      echo "changing .htaccess +FollowSymLinks to +SymLinksIfOwnerMatch in $htaccess"
      sed -i -e 's/+FollowSymLinks/+SymLinksIfOwnerMatch/g' "$htaccess"
      head -16 "$htaccess"
    else
      echo "skipping $htaccess: no such file"
    fi
    echo '---------0----------'
  done
  echo '---------END--------'
}

To activate your new .profile file run:

source .profile

To change your .htaccess files run:

sedsymlinks NAME_OF_THE_VIRT_HOMEDIR

Kind regards, Erwin

Tue, 08/26/2014 - 13:04
lostandfound

This issue has been floating around for some time. I wanted to draw attention to Apache's viewpoint, which is that "You should avoid using .htaccess files completely if you have access to httpd main server config file." This can be found at http://httpd.apache.org/docs/current/howto/htaccess.html .

As admins we do have access to the main configuration files so we should be focusing on other solutions, such as using Include which can be found at http://httpd.apache.org/docs/2.4/mod/core.html#include .

I am still getting my head round how to tie everything up properly but using SymLinksIfOwnerMatch with Include in your .conf will be secure and prevent unneeded .htaccess lookups.

Some will be setting up bare bone servers for clients who may not be given configuration access so this will not apply but just wanted to float this to see if any have a solid workflow for setting this up for those who do have configuration access rights..

Sun, 06/07/2015 - 18:41
Francewhoa

According to Daniel Cid, +FollowSymlinks is a security concern. Attackers who would manage to compromise a confined website can get full root level access to that server.

Steps to reproduce that security concern at https://blog.sucuri.net/2013/05/from-a-site-compromise-to-full-root-acce...

His proposed resolution is to change to +SymLinksIfOwnerMatch

Virtualmin fixed that security concern since the security announcement: "All existing virtual servers using the FollowSymLinks option will be converted to SymLinksifOwnerMatch, to protect against malicious links into other domain's directories." http://www.virtualmin.com/node/24260

Mon, 06/08/2015 - 19:31
philmck

I see the Apache documentation for FollowSymLinks and SymLinksIfOwnerMatch says:

"This option should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable."

(http://httpd.apache.org/docs/2.2/mod/core.html#options)

It still seems a wise precaution to reduce the attack surface though.

There doesn't seem to be any way to selectively ignore .htaccess options and prevent upgrades causing a nasty 500 error, you have to ignore the entire file. As others have said, you can move all the options from .htaccess to httpd.conf. In theory you also get a performance benefit but it's likely to be tiny. However it's not generally possible to just cut and paste them, some mods are probably required.

An example of a modified set of directives for Drupal is here https://www.drupal.org/node/1888588

Magento is a bigger job because there are lots of .htaccess files. There's a converter script on github that may be useful but I haven't tried it yet. https://github.com/preinheimer/htaccessConverter

Thu, 06/11/2015 - 13:04
Francewhoa

For all using Drupal. In June 2015 the Drupal security team has reviewed more closely this issue. Their assessment is that there is no security-related issue at all related to Drupal itself using +FollowSymlinks. They agree that switching from +FollowSymlinks to +SymlinksIfOwnerMatch in Drupal core would be a security improvement though. And that can be handled in that public ticket/issue https://www.drupal.org/node/1269780

Any volunteer for a patch to switch Drupal core from +FollowSymlinks to +SymlinksIfOwnerMatch? If that makes it easier, a patch was submitted a while ago, but it needs work and testing. If you're interested in contributing, I suggest replying in the public ticket at https://www.drupal.org/node/1269780

By the way, if you're able to demonstrate that the currently included +FollowSymlinks in Drupal version 6, 7, 8's .htaccess file(s) makes the Drupal installation itself vulnerable to attack, the Drupal security team said they would welcome that and they would want to reopen that issue and handle that privately for security reason. Instructions to report privately are at https://www.drupal.org/node/101494 or https://security.drupal.org

Wed, 07/22/2015 - 15:49
stefankittel

Hello,

Security is fine, but it does not help if it makes the system unusable.

With the default setting you can't even install the most current version of magento. I tried today.

During installation the .htaccess is overwritten several times, putting +FollowSymLinks in it, and that stops the installer with a 500. So I change the .htaccess and reload the page. The installer detects the crash and starts all over, replacing the .htaccess. When I set the permissions so it can't, it stops and reports a permission error.

This happens on each update you install later.

So, until Magento changes this, I need to go the less secure way to keep the store running at all.

Nope, I don't like it, but there are many things I don't like.

Stefan

Thu, 07/23/2015 - 08:04 (Reply to #23)
philmck

I have (I think) achieved a reasonably secure Magento installation by changing my Apache conf to allow FollowSymLinks, running the installer and then manually changing all the .htaccess files to SymLinksIfOwnerMatch. Of course, this needs to be repeated for every upgrade. It's a pain but it seems to work.

Fri, 09/04/2015 - 18:28
colech

Just to make sure everyone knows what needs to change for Magento if you're moving from mod_php to fcgi style hosting... here it is. Note that it's just two simple changes in .htaccess and media/.htaccess.

/home/$USER/public_html/.htaccess

Find the line: Options +FollowSymlinks

And change to: Options +SymLinksIfOwnerMatch

/home/$USER/public_html/media/.htaccess

Find the line: Options All -Indexes

And change to: Options -Indexes

Find the line: Options +FollowSymlinks

And change to: Options +SymLinksIfOwnerMatch

Just so you know, I copied this info from... https://support.terranetwork.net/web/knowledgebase/144/htaccess-restrictions-for-Magento-Installs.html

Tue, 11/10/2015 - 11:30
Francewhoa

Good news for all using Drupal. A patch has been committed/pushed. This means that issue will be fixed in the next Drupal version 8 release. Yayaya :) Read more at https://www.virtualmin.com/node/24493#comment-156092

Sun, 02/14/2016 - 07:44 (Reply to #26)
mbr89

Hi,

same problem with Joomla's .htaccess-file (Options +FollowSymlinks).

The line just below this section reads: "'Options +FollowSymLinks' may cause problems with some server configurations. It is required for use of mod_rewrite, but may already be set by your server administrator in a way that disallows changing it in your .htaccess file. If using it causes your server to error out, comment it out (add # to beginning of line), reload your site in your browser and test your sef url's. If they work, it has been set by your server administrator and you do not need it set here."

Is this solution still safe?

Thu, 05/03/2018 - 09:59 (Reply to #27)
Rafaweb

Hi

I have the same problem and I did what mbr89 said. It works fine and mod_rewrite works fine too. But... is this option safe?

Please comments.....

Thanks in advance.

Rafaweb

Thu, 06/01/2017 - 06:06
xtz

I found this topic, thanks Google. I have a Webmin server with several websites; one I want to build with OpenCart, and I encounter the same problems: when I leave Options +FollowSymLinks uncommented I get 500 errors. When I disable that option I cannot use the SEO URL option for product links; I get some HTML code errors when I click products with SEO URLs activated. I tested Options +SymLinksIfOwnerMatch in .htaccess but nothing seems to change on the website; I still cannot activate SEO URLs. Is there any solution? It is weird: when I activate SEO URLs and click a product from the category page I get a blank page with text only (no layout of the product page), but when I click that product from the checkout basket it opens nicely with the theme layout.
