This sort of protection will not help with incorrectly or maliciously placed symbolic links that point outside the /var/www/htdocs web server root. System users could create symbolic links to resources they do not own. If someone creates such a link and the web server can read the resource, it will accept a request to serve the resource to the public. Symbolic link usage and other file access restrictions are controlled with the Options directive (inside a <Directory> directive). The Optionsdirective can have one or more of the following values:
The following configuration directive will disable symbolic link usage in Apache:
The minus sign before the option name instructs Apache to keep the existing configuration and disable the listed option. The plus character is used to add an option to an existing configuration.
If you need symbolic links consider using theAlias directive, which tells Apache to incorporate an external folder into the web server tree. It serves the same purpose but is more secure. For example, it is used in the default configuration to allow access to the Apache manual:
Alias /manual/ /usr/local/apache/manual/
If you want to keep symbolic links, it is advisable to turn ownership verification on by setting theSymLinksIfOwnerMatchoption. After this change, Apache will follow symbolic links if the target and the destination belong to the same user:
Options -FollowSymLinks +SymLinksIfOwnerMatch
Other features you do not want to allow include the ability to have scripts and server-side includes executed anywhere in the web server tree. Scripts should always be placed in special folders, where they can be monitored and controlled.
Options -Includes -ExecCGI
If you do not intend to use content negotiation (to have Apache choose a file to serve based on the client’s language preference), you can (and should) turn all of these features off in one go:
blog comments powered by Disqus