Symlinks patch messes up system

rhm.geerts

Well-Known Member
Jul 29, 2008
133
12
68
Maastricht
cPanel Access Level
Root Administrator
Hello.

I used the option in WHM -> Easyapache to fix the followsymlinks security issue.

However, after that was done, several users had issues.
Several user files are owned by nobody (the apache user), which is logically because they were uploaded or installed using the browser (so not via ftp).

For example if you have a file called birthday.gif it's like:
/home/user/www/images/birthday.gif and owned by apache like:
-rw-rw-rw- 1 nobody nobody 6820 Sep 24 2015 birthday.gif

If you try to call that gif (or any other page or file owned by nobody) directly via the browser like:
userdomain.com/images/birthday.gif you will get a 404 error as if the file does not exist, even if it's publicly readable and writable as in this example. That is wrong.

Do I change the owner to the useraccount like this:
-rw-rw-rw- 1 user user 6820 Sep 24 2015 birthday.gif
then the file will be accessible directly via the browser (as should be) and the site is working correctly again.

Now I could chown all files to the user, but that is not a solution because.
1.) Doing that for all users is a whole bunch of work
2.) When a user uses a browser upload it will be owned by nobody again and problem reoccurs
3.) It should not work this way. When doing a symlink patch, it should prevent the followsymlink option, but it should not generate 404 errors on pages which do exist.

Please help me with a fix for this.

Addition: It's Centos 5, we're not using mod_ruid2, but dso with suphp.
 
Last edited by a moderator: