Security concern: FollowSymlinks does not protect against malicious links into other domain's directories
Problem/Motivation
- An increasing number of operating systems and hosts have tightened up their security settings and now forbid the +FollowSymLinks option in the .htaccess file that comes with Drupal core. This causes an error 500 when accessing the site. When they introduced this policy they automatically converted +FollowSymLinks to +SymLinksIfOwnerMatch. A Drupal upgrade overwrote this change.
Affected platforms and systems
- Roughly 58% of the most widely used Linux operating systems are unable to use a standard Drupal 8 at all. Debian is one of the most widely used operating systems, and Ubuntu is based on Debian. Together they are the most widely used Linux operating systems. According to W3Techs stats, roughly 58% of all websites that use Linux are affected (26.5% + 32.3%).
- BlueHost: https://my.bluehost.com/cgi/help/search?sort=&search=SymLinksIfOwnerMatch
- HostMonster: https://my.hostmonster.com/cgi/help/htaccess
- Virtualmin GPL and Virtualmin Pro (versions 3.96 and later): "All existing virtual servers using the FollowSymLinks option will be converted to SymLinksifOwnerMatch, to protect against malicious links into other domain's directories." http://www.virtualmin.com/node/24260
Proposed resolution
Change to +SymLinksIfOwnerMatch in Drupal core. It works just as well based on current tests and causes fewer problems. More information on the Sucuri blog at http://blog.sucuri.net/2013/05/from-a-site-compromise-to-full-root-acces...
Contrib modules that support SymLinksIfOwnerMatch
Remaining tasks
Tests on other systems by those with more experience than I have
Related issues
- #2106273: Testing patch for +SymLinksIfOwnerMatch instead of +FollowSymLinks option in .htaccess - Drupal 6.x - Security
- #2106057: Testing patch for +SymLinksIfOwnerMatch instead of +FollowSymLinks option in .htaccess - Drupal 7.x - Security
Alleged +FollowSymlinks weakness which leads to security exploits
- According to many webhosts and Linux distributions, they started tightening from +FollowSymlinks to +SymlinksIfOwnerMatch due to security exploits. https://www.drupal.org/node/1269780#comment-9846093
- According to Locutus, FollowSymlinks is insecure and a potentially serious issue. https://www.virtualmin.com/node/24493#comment-110641
- According to Daniel Cid, +FollowSymlinks is a security concern. Drupal 6, 7, and 8 core currently use +FollowSymlinks. Attackers who manage to compromise a confined Drupal website can get full root level access to that server.
Steps to reproduce the alleged +FollowSymlinks weakness which leads to security exploits
- In June 2015 the Drupal security team reviewed this issue. Their assessment is that there is no security-related issue here at all. They agree that switching from +FollowSymlinks to +SymlinksIfOwnerMatch in Drupal core would be a security improvement though, and that can be handled here in this public issue. Any volunteer for a patch?
https://www.drupal.org/node/1269780#comment-10004313 (public issue)
https://security.drupal.org/node/155107 (confidential issue)
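Added here as an illustration of the rule that both the hosts' policy and the proposed resolution rely on (example code, not part of this issue or of Drupal core): a Python audit that applies the SymLinksIfOwnerMatch ownership test to every symlink under a docroot, so a site owner can see before switching which links Apache would stop following (the source of the error 500 reports above) and which links resolve outside the docroot, the "links into other domain's directories" case the hosts cite. The temporary docroot, file names and the uid pair 1000/0 are constructed for the example; `uid_of` is an injectable lookup so the ownership-mismatch case can be shown without root.

```python
import os
import stat
import tempfile
from pathlib import Path

def owner_uid(path, follow):
    """uid owning the link itself (lstat) or, with follow=True, its target (stat)."""
    return (os.stat(path) if follow else os.lstat(path)).st_uid

def classify_symlink(link, uid_of=owner_uid):
    """Decide whether +SymLinksIfOwnerMatch would follow this link: +FollowSymLinks
    follows every link, +SymLinksIfOwnerMatch only when link and target share an
    owner. uid_of is injectable so the mismatch case can be exercised without root."""
    link = Path(link)
    if not stat.S_ISLNK(os.lstat(link).st_mode):
        raise ValueError(f"{link} is not a symbolic link")
    if not link.exists():  # exists() follows the link: False means dangling
        return {"link": str(link), "target": os.readlink(link), "status": "dangling"}
    link_uid, target_uid = uid_of(link, False), uid_of(link, True)
    status = "followed" if link_uid == target_uid else "refused_under_owner_match"
    return {"link": str(link), "target": str(link.resolve()),
            "link_uid": link_uid, "target_uid": target_uid, "status": status}

def audit_docroot(docroot, uid_of=owner_uid):
    """List every symlink under docroot with its owner-match status and whether it
    resolves outside the docroot (the 'links into other domain's directories' case
    the hosts cite). os.walk does not follow links by default."""
    docroot = Path(docroot).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            if os.path.islink(path):
                info = classify_symlink(path, uid_of)
                if info["status"] != "dangling":
                    info["escapes_docroot"] = not Path(info["target"]).is_relative_to(docroot)
                findings.append(info)
    return findings

def audit_sample_docroot():
    """Constructed fixture: a same-owner link, a dangling link, and a link to a file
    outside the docroot; returns the audit findings keyed by link basename."""
    docroot = Path(tempfile.mkdtemp(prefix="drupal_docroot_")).resolve()
    (docroot / "index.php").write_text("<?php\n")
    os.symlink(docroot / "index.php", docroot / "same_owner.php")
    os.symlink(docroot / "does_not_exist", docroot / "dangling.php")
    outside = Path(tempfile.mkdtemp(prefix="other_site_")).resolve() / "settings.php"
    outside.write_text("<?php\n")
    os.symlink(outside, docroot / "escape.php")
    return {Path(f["link"]).name: f for f in audit_docroot(docroot)}
```

Run `audit_docroot("/path/to/drupal")` as the account that owns the site to get the real list; any entry with status `refused_under_owner_match` is a link that will break once the host or core switches to +SymLinksIfOwnerMatch.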