.htaccess: Option FollowSymLinks not allowed here

#1 Mon, 12/31/2012 - 13:21

.htaccess: Option FollowSymLinks not allowed here

I have defined the apache template with the following for the directory specific:

<Directory ${HOME}/public_html>
  Options -Indexes +IncludesNOEXEC +FollowSymLinks
  allow from all
  AllowOverride All

But every time I create a new virtual server, the AllowOverride All gets appended with the following result:

<Directory /home/test/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksifOwnerMatch +ExecCGI
  allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
FCGIWrapper /home/test/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/test/fcgi-bin/php5.fcgi .php5

How can I remove Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch from being automatically added? This causes error 500 with the following error:

.htaccess: Option FollowSymLinks not allowed here

Mon, 12/31/2012 - 13:32

Actually you should not prevent those Options from being added, since they are part of a security fix that could cause all your websites to be compromised if one of them gets hacked.

Mon, 12/31/2012 - 21:41

Then is there any way to alter the options that are being added? Because it doesn't work well with the Options used in .htaccess, which Drupal needs.

Also, I just realized that the whole directive in the directory is being altered. I'm having trouble finding the file that's causing the alteration :(

Tue, 01/01/2013 - 10:54

I've just found out that there are other forum posts similar to this, after I used the correct keyword to search.

I guess this seems to be a huge fix to the security hole for FollowSymlinks. In fact, there is a discussion going on in Drupal to change FollowSymLinks to SymLinksifOwnerMatch: http://drupal.org/node/1269780

For those who are hosting your current clients, you can easily update the .htaccess for them to use SymLinksIfOwnerMatch by executing the following bash command:

find /home -name ".htaccess" -type f -exec sed -i 's/FollowSymLinks/SymLinksIfOwnerMatch/g' {} ";"

Do backup your files first before you perform this, just in case something goes wrong :)

Will be updating the post title for better understanding on the issue.

Fri, 01/18/2013 - 15:59

I too am having this issue, no matter what I put in the apache directives, virtualmin appends the same line as the OP posts.

It will also append this line if a backup is restored... incredibly irritating...

Fri, 01/18/2013 - 16:00

oh and by the way, some websites do not work with SymLinksIfOwnerMatch - namely, magento. It REQUIRES FollowSymLinks to function properly...

this current behaviour is creating a nightmare for me

Fri, 01/18/2013 - 17:03


As already mentioned, the change was part of a patch release of Virtualmin recently. It is not recommended to use FollowSymLinks. While I understand that some scripts don't work with the recommended, secure method, it may be better to contact the developer of the scripts and ask them to adjust their scripts to help them to enforce better security measures, rather than working on a way to make your system less secure. Though, I do understand that it is a bummer if you are using scripts which don't work quite right with the currently enforced settings.

*** Generally speaking, SymLinksIfOwnerMatch won't be a problem if you have a dedicated copy of a script and related files within the domain's directory and therefore not Symbolically linked. ***

Best Regards,
Peter Knowles
TPN Solutions

E: pknowles@tpnsolutions.com
P: 604-782-9342
W: http://www.tpnsolutions.com
Fri, 01/18/2013 - 17:03

Magento works with SymLinksIfOwnerMatch, you just need to update the Magento .htaccess files to use that rather than FollowSymLinks.

Any Virtualmin site that uses FollowSymLinks can be exploited to allow that user to read all files in /home. That was creating a nightmare of a different sort :-)

To solve the issue you're seeing, I'd recommend just updating Magento's .htaccess files.

However, if you don't wish to do that, and you are okay with the security issues that exist, you can always prevent Virtualmin from applying that fix in the future by editing the file /etc/webmin/virtual-server/config and adding the line allow_symlinks=1 to the end of the file.


Sun, 04/14/2013 - 09:18


I have a Magento website and I use the best panel: Virtualmin! I do not want to change it, but as you know Virtualmin doesn't work (500 ERROR) with FollowSymLinks which is in the .htaccess ;(

I know, I can change it to: SymLinksIfOwnerMatch, but there are some security issues ;( Do security issues affect a website or Virtualmin?

I have a dedicated server with 1 admin only, so the others can not log in into Virtualmin panel.

The most important thing is having a secured Magento.

What should I do: Should I change option into: SymLinksIfOwnerMatch or change Virtualmin.....

Please advise

Sun, 04/14/2013 - 21:46

Virtualmin doesn't work (500 ERROR) with FollowSymLinks which is in the .htaccess

Well, Virtualmin configures Apache not to allow that, as allowing it enables users on your system to be able to read any files in /home.

I know, I can change it to: SymLinksIfOwnerMatch, but there are some security issues ;( Do security issues affect a website or Virtualmin?

I would highly recommend changing the htaccess file to "SymLinksIfOwnerMatch", I'm not aware of any security issues with that. It's actually the other way around, not using that is a huge security issue.

You can disable this security fix if you want, though that's not something I'd recommend.

It may not matter as much though if all the users on your system are trusted.


Thu, 05/16/2013 - 15:32

Had the same issue with Virtualmin. In my case it worked by changing to SymLinksIfOwnerMatch...

Sun, 07/21/2013 - 14:32

find /home -name ".htaccess" -type f -exec sed -i 's/FollowSymLinks/SymLinksIfOwnerMatch/g' {} ";"

Solved it for me

Sun, 06/07/2015 - 17:19

aerozeppelin solution worked. Thanks :)

- - -
Loving back your community result in multiple benefits for you

Fri, 07/18/2014 - 10:23

If anyone's still struggling with this, I think I've found a better solution, at least for my situation.

I'm using Virtualmin to manage a VPS that contains several sites, all owned by me or my friends. I use a variety of common content management systems, including Drupal and Magento, both of which try to enable FollowSymLinks in their .htaccess files. Whenever these CMS systems are updated (e.g. using Drush or Magento Connect Manager), my sites stop working with an unhelpful 500 error until I remember that I have to hack the .htaccess files each time.

In my humble opinion, both Drupal and Magento should be fixed to use SymLinksIfOwnerMatch instead. Appropriate bugs/enhancement requests exist for both platforms but don't hold your breath waiting for a resolution.

Meanwhile I investigated the "security vulnerability" that would be caused by enabling FollowSymLinks for these domains on my VPS and it doesn't seem to be too serious. Basically it means one hacked user might be able to access another's files, which would be very bad on shared hosting but not so bad on a VPS owned by one person. So I want to override the Virtualmin behaviour for the affected domains.

The way I found to do this is to go to Services > Configure Website > Edit Directives for the Virtualmin domain in question, find the line that says "AllowOverride All Options=..." under Directory /home/[domain]/public_html and add FollowSymLinks to the end of the list of options so it becomes AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks

It's still a good idea to change a newly-updated .htaccess file for Drupal or Magento to enable SymLinksIfOwnerMatch instead of FollowSymLinks, but at least you won't get a 500 error in the meantime. In fact I think all you need to do is comment out the Options +FollowSymLinks line since Virtualmin enables SymLinksIfOwnerMatch by default.

Hope this helps someone.

Sun, 07/20/2014 - 14:24

No, please do NOT do this. Do not purposely disable security features just because they are inconvenient. You are just asking for trouble by doing this! All you need to do is remove the invalid syntax from the htaccess file.

Mon, 07/21/2014 - 07:55

Not sure what you mean by "invalid syntax" - I think you meant "forbidden option" or something.

Just to be clear, I'm NOT advocating any change in Webmin/Virtualmin. I was only discussing situations like mine where there's only one user on a VPS.

I think Drupal and Magento should change though - there's no security risk in using SymLinksIfOwnerMatch as far as I know.

Wed, 08/27/2014 - 03:12

I'm not a bash scripter but something like this does the job for me. No error checking, so take care. If someone is skilled enough to make this script more robust, be my guest!

Add this function to your .bashrc or .profile script (I think .bashrc is most appropriate)

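function sedsymlinks(){
# The lines that set rootpath and filepath are missing from the post.
# Assumption: they are passed in as the first and second argument.
rootpath="$1"
filepath="$2"

echo '-------START-------'
echo 'changing .htaccess +FollowSymLinks to +SymLinksIfOwnerMatch in '"$rootpath"
# rewrite the first .htaccess in place, then show its first 16 lines
sed -i -e 's/+FollowSymLinks/+SymLinksIfOwnerMatch/g' "$rootpath"
head -16 "$rootpath"
echo '---------0----------'
echo 'changing .htaccess +FollowSymLinks to +SymLinksIfOwnerMatch in '"$filepath"
# same change for the second .htaccess
sed -i -e 's/+FollowSymLinks/+SymLinksIfOwnerMatch/g' "$filepath"
head -16 "$filepath"
echo '---------END--------'
}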

To activate your new .profile file run:

source .profile

To change your .htaccess files run:


Kind regards, Erwin

Tue, 08/26/2014 - 13:04

This issue has been floating around for some time. I wanted to draw attention to Apache's viewpoint, which is that "You should avoid using .htaccess files completely if you have access to httpd main server config file." This can be found at http://httpd.apache.org/docs/current/howto/htaccess.html .

As admins we do have access to the main configuration files so we should be focusing on other solutions, such as using Include which can be found at http://httpd.apache.org/docs/2.4/mod/core.html#include .

I am still getting my head round how to tie everything up properly but using SymLinksIfOwnerMatch with Include in your .conf will be secure and prevent unneeded .htaccess lookups.

Some will be setting up bare bone servers for clients who may not be given configuration access so this will not apply, but I just wanted to float this to see if any have a solid workflow for setting this up for those who do have configuration access rights.

Sun, 06/07/2015 - 18:41

According to Daniel Cid, +FollowSymlinks is a security concern. Attackers who would manage to compromise a confined website can get full root level access to that server.

Steps to reproduce that security concern at https://blog.sucuri.net/2013/05/from-a-site-compromise-to-full-root-acce...

His proposed resolution is to change to +SymLinksIfOwnerMatch

Virtualmin fixed that security concern since the security announcement: "All existing virtual servers using the FollowSymLinks option will be converted to SymLinksifOwnerMatch, to protect against malicious links into other domain's directories." http://www.virtualmin.com/node/24260


Mon, 06/08/2015 - 19:31

I see the Apache documentation for FollowSymLinks and SymLinksIfOwnerMatch says:

"This option should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable."


It still seems a wise precaution to reduce the attack surface though.

There doesn't seem to be any way to selectively ignore .htaccess options and prevent upgrades causing a nasty 500 error, you have to ignore the entire file. As others have said, you can move all the options from .htaccess to httpd.conf. In theory you also get a performance benefit but it's likely to be tiny. However it's not generally possible to just cut and paste them, some mods are probably required.

An example of a modified set of directives for Drupal is here https://www.drupal.org/node/1888588

Magento is a bigger job because there are lots of .htaccess files. There's a converter script on github that may be useful but I haven't tried it yet. https://github.com/preinheimer/htaccessConverter

Thu, 06/11/2015 - 13:04

For all using Drupal. In June 2015 the Drupal security team has reviewed more closely this issue. Their assessment is that there is no security-related issue at all related to Drupal itself using +FollowSymlinks. They agree that switching from +FollowSymlinks to +SymlinksIfOwnerMatch in Drupal core would be a security improvement though. And that can be handled in that public ticket/issue https://www.drupal.org/node/1269780

Any volunteer for a patch to switch Drupal core from +FollowSymlinks to +SymlinksIfOwnerMatch? If easier a patch was submitted a while ago but it needs work and testing. If you're interested to contribute I suggest to reply in the public ticket at https://www.drupal.org/node/1269780

By the way, if you're able to demonstrate that the currently included +FollowSymlinks in Drupal version 6, 7, 8's .htaccess file(s) makes the Drupal installation itself vulnerable to attack, the Drupal security team said they would welcome that and they would want to reopen that issue and handle that privately for security reason. Instructions to report privately are at https://www.drupal.org/node/101494 or https://security.drupal.org


Wed, 07/22/2015 - 15:49


Security is fine, but it does not help if it makes the system unusable.

With the default setting you can't even install the most current version of Magento. I tried today.

During installation the htaccess is overwritten several times, putting +FollowSymLinks in it, which stops the installer with a 500. So I change the htaccess and reload the page. The installer detects the crash and starts all over, replacing the htaccess. When I set the permission so he can't, he stops and reports a permission error.

This happens on each update you install later.

So, until Magento changes this I need to go the less secure way to keep the store running at all.

Nope, I don't like it, but there are many things I don't like.


Thu, 07/23/2015 - 08:04 (Reply to #22)

I have (I think) achieved a reasonably secure Magento installation by changing my Apache conf to allow FollowSymLinks, running the installer and then manually changing all the .htaccess files to SymLinksIfOwnerMatch. Of course, this needs to be repeated for every upgrade. It's a pain but it seems to work.

Fri, 09/04/2015 - 18:28

Just to make sure everyone knows what needs to change for Magento if you're moving from mod_php to fcgi style hosting... here it is. Note that it's just two simple changes in .htaccess and media/.htaccess.


Find the line: Options +FollowSymlinks

And change to: Options +SymLinksIfOwnerMatch


Find the line: Options All -Indexes

And change to: Options -Indexes

Find the line: Options +FollowSymlinks

And change to: Options +SymLinksIfOwnerMatch

Just so you know, I copied this info from... https://support.terranetwork.net/web/knowledgebase/144/htaccess-restrictions-for-Magento-Installs.html
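
An added example, not part of any post in this thread: a more careful form of the find/sed one-liner posted earlier, which also catches the FollowSymlinks spelling shown in the Magento steps above and changes only active Options lines. The function names and the .bak-symlinks backup suffix are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Function names and the ".bak-symlinks"
# suffix are hypothetical. Run it as root or as the owner of the files.

# rewrite_htaccess FILE
# Replaces FollowSymLinks with SymLinksIfOwnerMatch on active "Options" lines.
# Returns 0 if FILE was changed, 1 if there was nothing to do, 2 on error.
rewrite_htaccess() {
    local file="$1" tmp rc
    # Apache matches option names case-insensitively, so "FollowSymlinks"
    # (the Magento/Joomla spelling) has to be caught as well. Commented-out
    # lines start with "#" and do not match.
    grep -Eiq '^[[:space:]]*Options[[:space:]].*FollowSymLinks' "$file" || return 1
    tmp=$(mktemp) || return 2
    awk '
        tolower($0) ~ /^[ \t]*options[ \t]/ {
            out = ""; rest = $0
            while ((i = index(tolower(rest), "followsymlinks")) > 0) {
                out = out substr(rest, 1, i - 1) "SymLinksIfOwnerMatch"
                rest = substr(rest, i + 14)      # 14 = length("FollowSymLinks")
            }
            $0 = out rest
        }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 2; }
    # Keep a copy, then overwrite in place so the owner and mode of FILE stay
    # as they were (moving the temp file over it would replace both).
    rc=0
    cp -p "$file" "$file.bak-symlinks" && cat "$tmp" > "$file" || rc=2
    rm -f "$tmp"
    return "$rc"
}

# convert_tree DIR
# Runs rewrite_htaccess on every regular file named .htaccess under DIR
# (find -type f skips symlinks) and prints how many files were changed.
convert_tree() {
    find "$1" -type f -name '.htaccess' | {
        changed=0
        while IFS= read -r f; do
            if rewrite_htaccess "$f"; then
                changed=$((changed + 1))
                echo "updated: $f" >&2
            fi
        done
        echo "$changed"
    }
}
```

Calling convert_tree /home prints the number of files changed and lists each one on stderr; a second run changes nothing, so it can be repeated after every CMS update that restores the original .htaccess.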

Tue, 11/10/2015 - 11:30

Good news for all using Drupal. A patch has been committed/pushed. This means that issue will be fixed in the next Drupal version 8 release. Yayaya :) Read more at https://www.virtualmin.com/node/24493#comment-156092


Sun, 02/14/2016 - 07:44 (Reply to #25)


same problem with Joomla's .htaccess-file (Options +FollowSymlinks).

The line just below this section: 'Options +FollowSymLinks' may cause problems with some server configurations. It is required for use of mod_rewrite, but may already be set by your server administrator in a way that disallows changing it in your .htaccess file. If using it causes your server to error out, comment it out (add # to # beginning of line), reload your site in your browser and test your sef url's. If they work, it has been set by your server administrator and you do not need it set here.

Is this solution still safe?

Thu, 06/01/2017 - 06:06

I found this topic, thanks Google. I have a Webmin server with several websites. One I want to make with OpenCart, and I encounter the same problems: when I leave options +followsymlinks uncommented I get server 500 errors. When I disable that option I cannot use the SEO URL option for product links. I get some HTML code errors when I click products when I have SEO URL activated. I tested Options +SymLinksIfOwnerMatch in htaccess but it seems nothing changes on the website. I still cannot activate SEO URL. Is there any solution? It is weird: when I activate SEO URL and click a product from the category page I get a blank page with text only (no layout of the product page), but when I click that product from the checkout basket it opens nicely with the theme layout.