Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Latest post by nicholas on Friday, 01 March 2013 12:22 CST
Hi, it would be great if your htaccess maker could also support SymLinksIfOwnerMatch.
Background:
The ability to FollowSymlinks is considered very unsafe in shared hosting and usually disabled (although some hosts patch Apache to "map" FollowSymlinks to SymLinksIfOwnerMatch internally).
But not a very high priority :-)
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
I agree Symlinks is not a good idea, but since the htaccess maker offers that option it would make sense to also offer the "safer" option (which doesn't have any security issues, and is usually enabled on hosts).
Regarding PHP. Php is typically run as "the user", which doesn't have any "global" permissions. However the Apache user needs to access static files such as images, but since it is typically not run as "the user", Apache needs to be added to "the user" group in order to access files in users home folder (and then "follow symlinks if user doesn't match" is really fun).
Again not a big deal, since nobody has rmentioned it yet.
That's what I'm saying. Images and other static files / folders with static files should not be symlinked. It's a security hole. Imagine this:
/home/username/private
/home/username/public_html
What happens if an attacker symlinks /home/username/public_html/private to /home/username/private? Disaster.
With PHP I can at least do open_basedirs=/home/username/public_html (mind no trailing slash) and I'm set.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Yes, exactly. And followsysmlinks is usually on hosting (but SymLinksIfOwnerMatch not), and I was thinking whether it would make sense to offer that option as well? not a high priority, of course
I would rather not.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.
Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!