rewrite_confs gets secure_htaccess wrong

interfasys

I have this in options.conf
Code:
secure_htaccess=yes

When running
Code:
./build rewrite_confs

the wrong symlink was created in
Code:
/etc/httpd/conf/extra/

CB linked httpd-phpmodules-old.conf instead of httpd-phpmodules-new.conf
 
I think you wanted to mention httpd-directories-new.conf :) We had 2 options in the options.conf file, secure_htaccess and harden_symlinks_patch, solving the same problem. Finally we decided to leave harden_symlinks_patch only, to simplify the options.conf file. If you're missing anything from httpd-directories-old.conf (symlink), please let me know. Thank you!
 
I expected the symlink to go to httpd-directories-new.conf, but it was created to httpd-directories-old.conf despite the fact that I have harden_symlinks_patch=yes in my config.
So, it still sounds like a bug to me.
 
Correct :) Please let me know if you miss anything because of that.
 
Correct :) Please let me know if you miss anything because of that.
OK, I have a problem with the removal of that feature then.
Feature #1119 is about both SymLinksIfOwnerMatch and reduced AllowOverride. The patch only takes care of the SymLinksIfOwnerMatch problem.

httpd-directories-old.conf should be updated, or an option should be given to be able to use the config with the tightest security.
Something like this
Code:
<Directory />
	AllowOverride None

	Order Deny,Allow
	Deny from All
</Directory>

<Directory /home>
	AllowOverride AuthConfig FileInfo Indexes Limit Options=Includes,IncludesNOEXEC,Indexes,ExecCGI,MultiViews,FollowSymLinks,None
	Options IncludesNoExec Includes ExecCGI FollowSymLinks

	<Limit GET POST OPTIONS PROPFIND>
		Order allow,deny
		Allow from all
	</Limit>
	<LimitExcept GET POST OPTIONS PROPFIND>
		Order deny,allow
		Deny from all
	</LimitExcept>
</Directory>

Include /etc/httpd/conf/extra/httpd-hostname.conf

<Directory /var/www/cgi-bin>
	AllowOverride None
	Options None
	Order allow,deny
	Allow from all
</Directory>
 
This file also needs to be updated:
httpd-hostname.conf, as it still contains SymLinksIfOwnerMatch

Not a big deal, just cleaner.
 
Removing SymLinksIfOwnerMatch by default may cause a lot of problems for current & new customers having it set in .htaccess (Internal Server Error). So, leaving it there doesn't break security at all, because every instance of apache is patched by default.
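
The Internal Server Error concern above, checked against the AllowOverride line proposed earlier in the thread. This is an added example, not code from any poster or from CustomBuild: a simplified model of how stock Apache httpd (an assumption; the patched build may differ) checks each option named in a .htaccess Options line against the Options= list. The function names are hypothetical and the .htaccess lines are constructed.

```python
"""Simplified model of how stock Apache httpd checks a .htaccess Options line
against the AllowOverride in force (constructed example, not DirectAdmin code)."""


def allowed_options(allow_override):
    """Return None if Options cannot be overridden at all, 'any' for a bare
    'Options' or 'All', otherwise the lowercase set named in 'Options=a,b,c'."""
    result = None
    for token in allow_override.split():
        low = token.lower()
        if low in ("all", "options"):
            return "any"
        if low.startswith("options="):
            result = {o for o in low[len("options="):].split(",") if o}
    return result


def rejected_options(allow_override, htaccess_line):
    """List the options in one .htaccess 'Options ...' line that httpd would
    refuse ('Option X not allowed here', served to the client as a 500)."""
    words = htaccess_line.split()
    if not words or words[0].lower() != "options":
        raise ValueError("not an Options directive")
    allowed = allowed_options(allow_override)
    if allowed == "any":
        return []
    named = [w.lstrip("+-") for w in words[1:]]
    if allowed is None:  # the Options directive itself is not permitted
        return named
    # 'None' sets no option bit, so it is never refused.
    return [n for n in named if n.lower() != "none" and n.lower() not in allowed]


# AllowOverride value from the <Directory /home> block proposed in the thread.
PROPOSED = ("AuthConfig FileInfo Indexes Limit Options=Includes,IncludesNOEXEC,"
            "Indexes,ExecCGI,MultiViews,FollowSymLinks,None")

if __name__ == "__main__":
    # Constructed .htaccess lines a customer site might carry.
    for line in ("Options +FollowSymLinks", "Options -Indexes",
                 "Options +SymLinksIfOwnerMatch", "Options None"):
        bad = rejected_options(PROPOSED, line)
        print(f"{line:32} -> {'500: ' + ', '.join(bad) if bad else 'accepted'}")
```

With the proposed list, a site whose .htaccess names SymLinksIfOwnerMatch is the one that breaks, because that option is absent from Options= while FollowSymLinks is present.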
 