Fix access to other users files from Apache - FollowSymLinks vs. SymLinksIfOwnerMatch

[Jay M]

Hi

Sorry for opening such an old posting, but I have exactly the same problem and I guess nearly everybody here has the same problem. Hacker can create symlinks to config files of other users and get mysql login details like this. Did someone find a solution for this security problem without loosing the functionality of Joomla and other cms systems?

Install this - http://forums.cpanel.net/f185/how-prevent-creating-symbolic-links-non-root-users-202242-p4.html#post996441

[brianoz]

The link posted above is the solution. It forces all FollowSymLink settings to be SymLinkIfOwnerMatches. The patch is to EasyApache so that the setting change is compiled into Apache and can't be overridden from .htaccess.

As someone else says in that thread, this is becoming really widespread; cPanel hope you don't mind me saying that it's time you took notice and came up with a decent solution.

[cPanelTristan]

Hello brianoz,

Please post a feature request if you feel that this is something that needs to be revised or added. You can use Feature Requests for cPanel/WHM to post your own feature request.

Thanks!

[rs-freddo]

Have to bump this, on a server with suphp this should not be happening. Now I have to go change mysql passwords for a bunch of accounts

[SoftDux]

Have to bump this, on a server with suphp this should not be happening. Now I have to go change mysql passwords for a bunch of accounts

Why do you need to change the MySQL passwords?

[rs-freddo]

Why do you need to change the MySQL passwords?

Because a hacker broke into one account and read the mysql passwords for other accounts from their config files.