
I would like to disable the FollowSymLinks and SymLinksIfOwnerMatch options, but at the same time I do want to use mod_rewrite.

I checked the source code of Apache 2.4 and found there is only one condition that does not allow RewriteEngine On when the directory has neither the FollowSymLinks nor the SymLinksIfOwnerMatch option. The condition in the source code:

https://github.com/apache/httpd/blob/daab261403aaf98ed31e832c58763609820f1fdd/modules/mappers/mod_rewrite.c#L4945

I guess it is not so simple to just delete the condition from the source code; I think there must be some reason for it. Does anybody know what the reason is?

  • The reason is given in the source code: "due to its similar ability to circumvent directory restrictions." Deleting the check won't be too hard, but the check is there for a reason: with those options disabled, the module won't work. – Tommiie Mar 14 '19 at 09:20
  • When Options FollowSymLinks is set, it is sufficient that a user creates a link to /etc/passwd (for example): ln -s /etc/passwd test.txt, and then the user can see the content of the passwd file when accessing test.txt in an internet browser. – Jenicek Mar 18 '19 at 14:34
  • When Options SymLinksIfOwnerMatch is set, you cannot access /etc/passwd so easily, because /etc/passwd is owned by root but the owner of the symlink is some different user. But the user can make a script that periodically changes test.txt: one time it is a symlink to /etc/passwd, the next time a normal file. When Apache checks test.txt while it is a normal file, it finds that it is a normal file and will access the file (and at this moment it will be a symlink to /etc/passwd), and it will show the content of /etc/passwd when accessed by the browser. – Jenicek Mar 18 '19 at 14:35
  • So here you see how both directives can be used to access any file on the filesystem that is readable by the user under which Apache is running. So my question is: what is the concrete way to circumvent directory restrictions in mod_rewrite? – Jenicek Mar 18 '19 at 14:38
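Since the question has no answer, here is an added defensive example (not from the question, the comments, or the httpd project) that audits a DocumentRoot for the exact hazard the comments describe: symlinks whose resolved target lies outside the directory Apache is supposed to serve. The function `find_escaping_symlinks` and the constructed sample tree built by `build_sample_tree` are assumptions for illustration.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(docroot):
    """Return (relative_path, resolved_target) for every symlink below docroot
    whose final target is outside docroot. Dangling or looping links are
    reported with target None. Symlinked directories are listed but not
    descended into (os.walk default), so a link to "/" is reported once."""
    root = Path(docroot).resolve()
    escaping = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            try:
                target = p.resolve(strict=True)
            except (FileNotFoundError, RuntimeError):
                escaping.append((str(p.relative_to(root)), None))
                continue
            # Target is fine only if it is docroot itself or lives under it.
            if target != root and root not in target.parents:
                escaping.append((str(p.relative_to(root)), str(target)))
    return escaping


def build_sample_tree():
    """Constructed sample: a docroot with one link that stays inside the
    tree and one link (test.txt) that points at a file outside it."""
    base = Path(tempfile.mkdtemp())
    docroot = base / "htdocs"
    docroot.mkdir()
    (docroot / "index.html").write_text("<h1>hello</h1>")
    (docroot / "inside.html").symlink_to(docroot / "index.html")
    secret = base / "outside_secret.txt"          # stands in for /etc/passwd
    secret.write_text("not meant to be served")
    (docroot / "test.txt").symlink_to(secret)
    return docroot


if __name__ == "__main__":
    for rel, target in find_escaping_symlinks(build_sample_tree()):
        print(f"escaping symlink: {rel} -> {target}")
```

Such a scan is a point-in-time check, so it cannot catch the swap race described in the comments; it is useful as a periodic audit or a pre-deploy gate, not as a replacement for keeping FollowSymLinks off outside the directories that need mod_rewrite.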

0 Answers