Reason for disallowing users to set their own documentRoot under /web (Apache)

Discussion in 'Developers' Forum' started by Hannes_at, Dec 11, 2023.

  1. Hannes_at

    Hannes_at New Member

    Hi,
    Is there a special reason why an end user is not allowed to set their documentRoot (below /web) in the interface?

    In the Apache config, symlinks are only allowed for owned files/directories
    Code:
    Options +SymlinksIfOwnerMatch
    so a public -> /etc symlink hack
    should not be possible (if AllowOverride is not All!).

    If AllowOverride is All (standard), then a user could do whatever they want with symlinks anyway.

    Example:
    .htaccess
    Code:
    Options FollowSymLinks
    Options +Indexes
    
    and
    Code:
    ln -s /etc mytest 
    in his web
    that would expose /etc at http://usersite.xx/mytest

    I am thinking about doing a small patch for a user-defined DocumentRoot (below /web) - that's why I am asking :)

    Thanks
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    No, it's not. You mix up Apache directives FollowSymLinks with SymlinksIfOwnerMatch. ISPConfig uses SymlinksIfOwnerMatch, which means Apache will follow symlinks only where the target is owned by the apache user (www-data) but /etc is owned by root.

    That you are able to see /etc is caused by you adding "Options FollowSymLinks". The reason why AllowOverride is set to All is that many users had issues with their .htaccess files when we applied strict settings, and as they do not have the knowledge to track this down, they simply blame ISPConfig for being a non-working panel and switch to a different CP. So while we would love to use a stricter default for the AllowOverride setting, it's simply not an option. But the default for this option is fully configurable in ISPConfig under System > Server Config, plus it's configurable per website as well, so you as an admin and the person responsible for the server can set it to whatever value you like.

    This has been discussed and explained several times here in the forum, even quite recently. Please use the search function if you want to know more. Making this configurable makes attacks easy and allows users to take down the whole apache server with all sites.

    Btw. FollowSymlinks and a configurable Apache docroot are not related to each other. You as an admin can set a custom docroot for a website easily in ISPConfig on the options tab of the website already. But you must be aware that doing this has security implications and any user with file write access to that site can cause apache to be down.
     
    Last edited: Dec 11, 2023
  3. till

    till Super Moderator Staff Member ISPConfig Developer

  4. Hannes_at

    Hannes_at New Member

    Thanks for the info

    Sorry to stress this topic once more

    Sure, AllowOverride All is an admin thing (the admin needs to know what the right settings are for his system)

    I am trying to get a solution for my Contao clients (without putting it upstream)

    The main problem is the user could delete the folder or link it to somewhere outside.

    Deleting the folder would not be a problem anymore (Apache only gives a warning if the DocumentRoot is missing)

    To prevent following links outside (following links to root/other owned files) I would set it to this:
    Code:
    # (or /var/www/clien....)
    <Directory /var/www/domain.xx>
    Options +SymlinksIfOwnerMatch
    AllowOverride none
    </Directory>
    and
    Code:
    # (or /var/www/clien....)
    <Directory /var/www/domain.xx/web/$clientchoosendocumentroot>
    Options +SymlinksIfOwnerMatch
    AllowOverride $systemsettings
    </Directory>
    with AllowOverride set to something like
    Code:
    AllowOverride AuthConfig Indexes Limit Options=Indexes,MultiViews Fileinfo=RewriteEngine,RewriteOptions,RewriteBase,RewriteCond,RewriteRule
    Do you think this would be secure, or am I missing something?
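
Added example, not part of the thread or of ISPConfig: a Python audit of a site directory for the symlink cases discussed above, flagging links that resolve outside the site root (the `mytest` case) and links whose owner differs from the target's owner, which is the comparison the Apache documentation gives for SymLinksIfOwnerMatch. The function names, reason labels and the temporary sample tree are constructed for illustration.

```python
import os
import tempfile


def audit_symlinks(site_root):
    """List symlinks under site_root that leave it or fail an owner match.

    Returns sorted (relative_path, resolved_target, reasons) tuples.
    """
    root = os.path.realpath(site_root)
    findings = []
    # followlinks=False: symlinked directories are listed but never descended.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            reasons = []
            if os.path.commonpath([root, target]) != root:
                reasons.append("escapes-site-root")
            try:
                # lstat = the link itself, stat = what it finally points to.
                if os.lstat(path).st_uid != os.stat(path).st_uid:
                    reasons.append("owner-mismatch")
            except OSError:
                reasons.append("unresolvable")  # dangling link or loop
            if reasons:
                findings.append((os.path.relpath(path, root), target, reasons))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed sample layout: one harmless link, one escape, one dangling."""
    site = os.path.join(base, "site")
    web = os.path.join(site, "web")
    outside = os.path.join(base, "outside")
    os.makedirs(web)
    os.makedirs(outside)
    with open(os.path.join(web, "index.html"), "w") as fh:
        fh.write("ok\n")
    os.symlink(os.path.join(web, "index.html"), os.path.join(web, "home.html"))
    os.symlink(outside, os.path.join(web, "mytest"))
    os.symlink(os.path.join(web, "missing"), os.path.join(web, "gone"))
    return site


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, target, reasons in audit_symlinks(build_demo_tree(tmp)):
            print(rel, "->", target, reasons)
```

Run against a real site directory, the owner comparison is only meaningful when the script can stat the link targets, so it is best run as a user with read access to the whole tree.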
     