Hi, is there a special reason why it is not allowed for an enduser to set its documentRoot (below /web) in the Interface? In the apache config there are symlinks only allowed for owned files/directory Code: Options +SymlinksIfOwnerMatch so a public -> /etc symlink hack should not be possible. (if AllowOverwride ist not All!) If AllowOverride is All (standard) than a user could do whatever it want with symlinks anyway.. Example: .htaccess a Code: Options FollowSymLinks Options +Indexes and Code: ln -s /etc mytest in his web that would expose the /etc in http://usersite.xx/mytest I think about to do a small patch for User defined DocumentRoot (below /web) - thats why i asking Thanks
No, it's not. You mix up Apache directives FollowSymLinks with SymlinksIfOwnerMatch. ISPConfig uses SymlinksIfOwnerMatch, which means Apache will follow symlinks only where the target is owned by the apache user (www-data) but /etc is owned by root. That you are able to see /etc is caused by you adding "Options FollowSymLinks". The reason why AllowOverride is set to all is that many users had issues with their .htaccess files when we apply strict settings and as they do not have the knowledge to track this down, they simply blame ISPConfig for being a non-working panel and switch to a different CP. So while we would love to use a stricter default for allow override setting, its simply not an option. But the default for this option is fully configurable in ISPConfig under Sysdtem > server config plus it's configurable per website as well, so you as and admin and the person being responsible for the server can set it to whatever value you like. This has been discussed and explained several times here in the forum, even quite recently. Please use the search function if you want to know more. Making this configurable makes attacks easy and allows users to take down the whole apache server with all sites. Btw. FollowSymlinks and a configurable Apache docroot are not related to each other. You as an admin can set a custom docroot for a website easily in ISPConfig on the options tab of the website already. But you must be aware that doing this has security implications and any user with file write access to that site can cause apache to be down.
Thanks for the infos Sorry to stress this topic once more Sure the AllowOverwride All is a Admin Thing (Admin needs to know whats the right Settings for his system) I try to get a solution for my contao clients (without putting it on upstream ) The main problem is the user could delete the folder or link it to somewhere outside. Delete the folder would not a problem anymore (Apache only gives a warning if documentroot is missing) To prevent follow links outside (follow links to root/other owned files) i would set it to this: Code: <Directory /var/www/domain.xx> (or /var/www/clien....) Options +SymlinksIfOwnerMatch AllowOverride none </Directory> and Code: <Directory /var/www/domain.xx/web/$clientchoosendocumentroot> (or /var/www/clien....) Options +SymlinksIfOwnerMatch AllowOverride $systemsettings </Directory> AllowOverrride to something like Code: AllowOverride AuthConfig Indexes Limit Options=Indexes,MultiViews Fileinfo=RewriteEngine,RewriteOptions,RewriteBase,RewriteCond,RewriteRule Think this would be secure or I'm missing something?