webs security with followsymlinks

Discussion in 'ISPConfig 3 Priority Support' started by pinkfeet, Mar 14, 2022.

  1. pinkfeet

    pinkfeet Member HowtoForge Supporter

    Hi to all !!,

    I've created a symlink to /root inside a folder of my website and verified that I can browse the /root tree using that symlink. Is it normal?

    The vhost of the website only has activated:
    Code:
    +SymlinksIfOwnerMatch
    in its .vhost config file, but if I upload this .htaccess in that folder:
    Code:
    Options Indexes FollowSymLinks
    AddType text/plain .php
    AddHandler text/plain .php
    Satisfy Any
    
    I can browse the /root of the system.

    Should I activate chroot in the website in order to avoid this behaviour? Is that the only way to protect against symlinks?
    Thanks a lot,
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    As far as I can see, the protection is generally working, but you could override it by .htaccess? Which options can be overridden using a .htaccess file can be configured on the options tab of the website. The field is named 'Allow Override'. A chroot won't help in this special case as it chroots PHP and the way you access the root folder is done by apache. But besides being able to access the root folder (which is only possible as it's world readable), you can't access any files in there that are owned by root and that are not world-readable. So you did not create an ability to access any protected files by this.
     
  3. pinkfeet

    pinkfeet Member HowtoForge Supporter

    Hi,
    thanks for your reply Till. My goal is not to find access to protected files, it's to secure websites as far as I can; I'm very worried about this because of a recent hack.

    To help others, I'm going to change the Default value from "All" to "FileInfo Indexes Options=Indexes" in the database and launch a Resync in order to update all websites and avoid the use of .htaccess FollowSymLinks. Also I'm going to change that Default value in System -> Server Config -> Web -> .htaccess AllowOverride from "All" to "FileInfo Indexes Options=Indexes" for new websites.

    Thanks again Till
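The two things this thread turns on, a symlink whose target leaves the document root and an .htaccess that re-enables FollowSymLinks on its own, are both easy to audit for across a server. The script below is an added example and is not code from the thread or from ISPConfig; it assumes GNU coreutils (`readlink -f`) and a POSIX shell, and the tree it inspects in `demo()` is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from ISPConfig: audit one document
# root for the two things discussed above. Assumes GNU coreutils
# (readlink -f) and a POSIX shell; the tree built in demo() is constructed.

# 1. Print every symlink under the document root $1 whose resolved target
#    lies outside that root (a link to /root like the poster's would be
#    listed). Links that stay inside the root are not reported.
find_escaping_symlinks() {
    docroot=$(readlink -f "$1") || return 2
    # One path per line; names containing newlines are not handled.
    find "$docroot" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link") || continue
        case "$target" in
            "$docroot" | "$docroot"/*) ;;          # stays inside the root
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# 2. Print every .htaccess under $1 that switches FollowSymLinks on in an
#    Options line (plain or with a leading '+'). '-FollowSymLinks' and
#    SymLinksIfOwnerMatch do not match. Directive names are matched
#    case-insensitively, as Apache treats them.
find_htaccess_followsymlinks() {
    find "$1" -name .htaccess -type f -exec grep -liE \
        '^[[:space:]]*Options[^#]*[[:space:]+]FollowSymLinks' {} +
    true    # grep exits 1 when nothing matches; that is not an error here
}

# Constructed demonstration tree: one escaping link, one harmless link,
# one .htaccess that re-enables FollowSymLinks and one that does not.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs/img" "$tmp/outside"
    ln -s "$tmp/outside" "$tmp/htdocs/escape"     # leaves the document root
    ln -s img "$tmp/htdocs/pictures"              # relative, stays inside
    printf 'Options Indexes FollowSymLinks\n' > "$tmp/htdocs/.htaccess"
    printf 'Options +SymLinksIfOwnerMatch\n' > "$tmp/htdocs/img/.htaccess"

    echo "symlinks leaving $tmp/htdocs:"
    find_escaping_symlinks "$tmp/htdocs"
    echo ".htaccess files enabling FollowSymLinks:"
    find_htaccess_followsymlinks "$tmp/htdocs"
    rm -rf "$tmp"
}

demo
```

Run it against a real site by calling the two functions with the site's web root instead of the constructed tree. The audit complements the configuration change described in the thread rather than replacing it: once AllowOverride is limited to "FileInfo Indexes Options=Indexes", an .htaccess can no longer switch FollowSymLinks on, and the second check then only shows you leftover files that would have done so under the old "All" setting.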
     
