What is the security problem with using Options FollowSymLinks in the Apache configuration?

We use the following configuration:

AllowOverride None
Options None FollowSymLinks
Michael

1 Answer

If you enable following of symbolic links, and an attacker gains access to something allowing him to create arbitrary files on your webserver, he could then create symbolic links to any file on your system (e.g. /etc/passwd, configuration files of databases, ...).

M'vy
  • Therefore the severity of the problem cannot be high: "an attacker gains access to something allowing him to create arbitrary files on your webserver" – Michael May 22 '17 at 11:07
  • Depends what you define as 'high'. Having access to the password file could lead the attacker to gain access to the machine, having the database password can allow him to delete all your records. It does not qualify as 'low risk' to me. – M'vy May 22 '17 at 11:27
  • I agree with you. I mean the initial access is not simple. – Michael May 22 '17 at 11:36
  • It's relatively easy to make a mistake that allows it. – M'vy May 22 '17 at 11:59
  • So should you or should you not use this directive? – Samuel Owino Oct 07 '20 at 16:42
  • There is no do or don't. It will depend on your context, what you need and if you can afford taking the risk described in the answer. I'd advise not using it unless absolutely necessary. Current web servers allow specifying arbitrary sets of directories to serve files from, so the need for symlinks should generally be non-existent. – M'vy Oct 15 '20 at 23:28
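The risk the answer describes, turned into a defender-side check: the script below is an added example, not code from the original post, and walks a document root looking for symlinks that resolve outside it (the files Apache would serve when FollowSymLinks is on). It assumes POSIX sh plus `find` and `readlink -f` (GNU coreutils or busybox); the `demo` document root it builds is constructed data.

```shell
#!/bin/sh
# Added example (not from the original post): scan an Apache document root
# for symbolic links whose resolved target lies outside that root. With
# "Options FollowSymLinks" Apache follows such links, so a planted link can
# expose files like /etc/passwd or a database config through the web.
# The usual hardening is to leave FollowSymLinks off (Options -FollowSymLinks).
# Assumes POSIX sh plus `find` and `readlink -f` (GNU coreutils or busybox).

# find_escaping_symlinks DOCROOT
#   Prints "link -> target" for every symlink under DOCROOT that resolves
#   outside it. Returns 0 when none exist, 1 when at least one does,
#   2 when DOCROOT cannot be resolved.
find_escaping_symlinks() {
    docroot=$(readlink -f "$1") || return 2
    escaping=$(
        find "$docroot" -type l -print | while IFS= read -r link; do
            target=$(readlink -f "$link" 2>/dev/null) || target="(dangling)"
            case "$target" in
                "$docroot" | "$docroot"/*) ;;   # resolves inside the root: harmless
                *) printf '%s -> %s\n' "$link" "$target" ;;
            esac
        done
    )
    [ -z "$escaping" ] && return 0
    printf '%s\n' "$escaping"
    return 1
}

# demo: build a constructed document root in a temp dir with one harmless
# internal symlink and one link that escapes to a "private" config file.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/htdocs/img" "$tmp/private"
    echo "dbpass=constructed" > "$tmp/private/db.conf"
    echo "image bytes" > "$tmp/htdocs/img/logo.png"
    ln -s "$tmp/htdocs/img/logo.png" "$tmp/htdocs/logo.png"   # stays inside
    ln -s "$tmp/private/db.conf" "$tmp/htdocs/leak.txt"       # escapes
    find_escaping_symlinks "$tmp/htdocs"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Running the script with `--demo` reports only `leak.txt` and exits 1; the internal `logo.png` link is left alone.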