Hello, I'm Alessandro Fiorotto of Tophost, a major Italian hosting provider with more than 80,000 active domains. I am writing to ask whether it is possible for Drupal to use the Apache directive "SymLinksIfOwnerMatch" instead of "FollowSymLinks".

This request stems from the fact that the directive "FollowSymLinks" is highly unsuitable for shared hosting, because another customer hosted next to my website could, with a simple symbolic link, see my settings.php file. In fact, if the customer "www.first.com" sees that another client, "www.second.com", uses Drupal, it can simply create a symbolic link in its home directory like the one below in order to see a PHP file of the other site as a normal text file.

lrwxrwxrwx 1 first.com first.com 48 2009-12-03 15:21 seefile.txt -> /home/sites/www.second.com/htdocs/sites/default/settings.php

Using "SymLinksIfOwnerMatch" instead of "FollowSymLinks" avoids this problem, but unfortunately I found that Drupal does not work correctly with "SymLinksIfOwnerMatch".

Has this problem been solved in some way? Can you make it possible to activate "Clean URLs" with "SymLinksIfOwnerMatch"?

Thank you for your attention and good day.

P.S. The Drupal Security Team has cleared this issue to be fixed publicly.

Comments

steff2009:

Hello, this is a really critical issue!

I'm one of Tophost's clients and, due to the security settings that they recently applied, our site didn't work today and all images, image galleries, etc. were gone.

The host informed us about the problem and gave us directions on how to temporarily solve it, but we had to disable "Clean URLs" and modify .htaccess.

Please try to help as soon as possible.

Thank you.

tophost:

Hi, I edited all Drupal ".htaccess" files and substituted "FollowSymLinks" with "SymLinksIfOwnerMatch".

For example, the file "/sites/default/files/.htaccess" was modified as follows:

BEFORE:
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks

AFTER:
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +SymLinksIfOwnerMatch
# Options +FollowSymLinks

Now everything seems ok.
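As an added example (not code from the thread, from Tophost or from Drupal), here is a small POSIX shell tool that does the edit described in the issue and in the comment above across a whole docroot: it lists the .htaccess files that still enable FollowSymLinks and rewrites them to SymLinksIfOwnerMatch, keeping the original line commented out. The docroot path and the throwaway demo files are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit and harden Drupal .htaccess files on a shared host.
# Every uncommented "Options +FollowSymLinks" becomes "Options +SymLinksIfOwnerMatch",
# with the original line kept but commented out, as tophost did. The docroot path
# and the demo files are constructed assumptions, not taken from any real site.

# List every .htaccess under $1 that still enables FollowSymLinks.
# Returns 0 when the tree is clean, 1 when at least one file was listed.
audit_followsymlinks() {
    found=$(find "$1" -name .htaccess -type f -exec grep -l -E \
        '^[[:space:]]*Options[[:space:]]+[+]?[[:space:]]*FollowSymLinks[[:space:]]*$' {} + \
        2>/dev/null || true)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# Rewrite one .htaccess in place. The temp copy keeps the file's mode, and
# awk is used instead of sed -i so the script runs on GNU and BSD systems alike.
harden_htaccess() {
    f="$1"
    tmp="$f.tmp.$$"
    cp -p "$f" "$tmp" || return 1
    awk '
        /^[ \t]*Options[ \t]+[+]?[ \t]*FollowSymLinks[ \t]*$/ {
            match($0, /^[ \t]*/)
            indent = substr($0, 1, RLENGTH)
            print "# " $0                     # keep the original line, disabled
            print indent "Options +SymLinksIfOwnerMatch"
            next
        }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Constructed demo: a throwaway docroot holding the two files from this thread.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/sites/default/files"
    printf 'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\nOptions +FollowSymLinks\n' \
        > "$d/sites/default/files/.htaccess"
    printf '#Options +FollowSymLinks\n<IfModule mod_rewrite.c>\n  RewriteEngine on\n</IfModule>\n' \
        > "$d/.htaccess"
    echo "Before:"; audit_followsymlinks "$d" || true
    harden_htaccess "$d/sites/default/files/.htaccess"
    echo "After:";  audit_followsymlinks "$d" && echo "(clean)"
    cat "$d/sites/default/files/.htaccess"
    rm -rf "$d"
}
demo
```

Apache only applies RewriteRule directives from a per-directory (.htaccess) context when either FollowSymLinks or SymLinksIfOwnerMatch is enabled, which is why commenting out both, as some commenters did, produces the 500 error mentioned later in the thread.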

steff2009:

In the most recent Drupal installations, the main .htaccess (the one that comes with the Drupal installer and goes in the htdocs directory) is already set like this:

# Follow symbolic links in this directory.
#Options +FollowSymLinks

The Rewrite engine must be on:

# Various rewrite rules.
<IfModule mod_rewrite.c>
  RewriteEngine on

and with some hosts the RewriteBase needs to be modified as follows:

# Modify the RewriteBase if you are using Drupal in a subdirectory or in a
# VirtualDocumentRoot and the rewrite rules are not working properly.
# For example if your site is at http://example.com/drupal uncomment and
# modify the following line:
# RewriteBase /drupal
#
# If your site is running in a VirtualDocumentRoot at http://example.com/,
# uncomment the following line:
RewriteBase /

fr34ck:

Hello, I understand you did it for security reasons, but warning users beforehand would not have been a bad idea! ;-)

I saw the site not working without understanding why!?!

I made the changes and now it works fine.

Ciao!

livebrain:

Well, I tried everything but I am not getting it solved.

I have a website at http://miteshfoods.com/shrigandhibakery/
When I hosted this website it was working fine, and I had used the Views rotator for the front page image gallery.

Now Drupal writes its own .htaccess file, but my hosting company made changes in the .htaccess file ("FollowSymlinks" replaced with "SymlinkIfOwnerMatch" in the .htaccess file) and after this change my website is not working properly...

Does anybody have an idea what is wrong?
I have tried making changes in both .htaccess files: 1. at the root and 2. at sites/default/files/

Please help, as my hosting people are not able to give me a proper solution.

And if I remove this I get a 500 Internal Server Error.

dpearcefl:

Priority: Critical » Normal
Status: Needs work » Postponed (maintainer needs more info)

Do you still need help with this issue?

dpearcefl:

Priority: Normal » Major
Status: Postponed (maintainer needs more info) » Needs work
kars-t:

Priority: Major » Normal
Status: Needs work » Fixed

Hi

I am closing this issue to clean up the issue queue. Feel free to reopen the issue if there is new information and the problem still exists. If not, please make sure you close the issues that you don't need any more.

Maybe you can get support from the local user group. Please take a look at this list at groups.drupal.org.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

francescosciamanna:

Hi,
I followed the instructions from Tophost on this page and replaced # Options +FollowSymLinks with

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +SymLinksIfOwnerMatch

This works well only for the .htaccess in sites/default/files/. If I do the same for the .htaccess in the Drupal root, the site stops working.

What is the correct way to do the job? Do we need to add the same lines to the .htaccess in Drupal root folder?

Thank you in advance for your kind reply