Security concern
FollowSymlinks does not protect against malicious links into other domain's directories.
Problem/Motivation
My host has tightened up its security settings and now forbids +FollowSymLinks option in .htaccess. This causes an error 500 when accessing the site. When they introduced this policy they automatically converted +FollowSymLinks to +SymLinksIfOwnerMatch. A drupal upgrade overwrote this change.
Affected platforms and systems
- BlueHost
https://my.bluehost.com/cgi/help/search?sort=&search=SymLinksIfOwnerMatch - HostMonster
https://my.hostmonster.com/cgi/help/htaccess - Virtualmin GPL and Virtualmin Pro (versions 3.96 and later)
http://www.virtualmin.com/node/24260
Proposed resolution
Change to +SymLinksIfOwnerMatch in Drupal core. It works just as well (on my host at least) and causes fewer problems. More information on the Sucuri blog at http://blog.sucuri.net/2013/05/from-a-site-compromise-to-full-root-acces...
Remaining tasks
Tests on other systems by those with more experience than I have.