URGENT - APPEARANCE OF SYMBOLIC LINKS ERROR ?????

HI, ALL OF A SUDDEN, I LOGON TO MY VIRTUALMIN AND RECEIVE:

Virtualmin has detected that 38 domains on your system are configured to allow symbolic links to other users' files. This can be exploited by a domain owner to access configurations files and private data in other virtual servers.

WARNING : Fixing this setting will break all virtual servers that have content or applications under symbolic links to other directories.

WHAT IS THIS ALL ABOUT - WHY IS IT HAPPENING JUST NOW - PLEASE ADVISE URGENTLY AS I HAVE CHANGED NOTHING??

Status: 
Active

Comments

You're seeing the result of a security fix feature that was added in Virtualmin 3.96/3.97.

Until the Virtualmin staff specifically replies to your support request, which should happen soon, you might want to check out the following link, which is one of the numerous requests being made due to this (IMO somewhat unfortunately executed) feature and which contains replies and information:

http://www.virtualmin.com/node/24493

thanks - but this appears to be irreversible - if I click 'Fix' and it stuffs up all my websites - can I put it back again?

No, unfortunately you can't revert the changes automatically, you'll have to do so manually.

The changes are:

"AllowOverride" is modified to forbid "FollowSymlinks". To revert, change it back to "AllowOverride All".

In "Options" the parameter "FollowSymlinks" is replaced by "SymlinksIfOwnerMatch".

In all .htaccess files, "FollowSymlinks" is replaced by "SymlinksIfOwnerMatch".

In domains that use FCGId, the line "php_admin_flag engine off" is added.

Suggestion would be to take a full backup of your domains before applying the fix.

Howdy -- yeah, as Locutus mentioned, there isn't an automated way to reverse or undo the changes. Though you could certainly make a full backup prior to making the changes.

The changes it makes shouldn't cause any issues on most systems... and systems that do have issues, they're usually pretty simple to fix.

The security fix it's correcting is pretty severe, so we'd recommend performing the fixes.

If any of your sites happen to have any issues with that (in most cases they should be fine though!), feel free to post about it here, let us know what you're seeing in the Apache error log (in $HOME/logs/error_log), and we'll help you get that up and running again.

thanks Guys... will give it a go and see what (or if anything) breaks.

Just a suggestion though - it might have been nice to email your virtualmin customers BEFORE hand as obviously this came by surprise for a lot of people and whilst I certainly appreciate fixing potential security breaches a bit of notice would have prevented mild panic on my behalf! Regards, Steve

I appreciate the updates. Since we have lots of domains over 3 servers, we're inclined to just push the button and hope for the best. My guess is there will be few problems but in case there are, can you provide us with a step by step cheat sheet on backing individual domains out of the fix? We do this stuff late at night and with the ability to undo the change, we can keep critical resources online and buy time to figure out how to reconfigure and make those domains more secure.

My suggestion would be to update your servers one at a time, which would give you a chance to troubleshoot any issues that happen to come up.

You could also perform a full backup beforehand, just in case.

However, the changes it makes are:

It reviews your Apache config, and changes any references to "FollowSymlinks" to "SymLinksIfOwnerMatch".

It also changes the "AllowOverride" line from "AllowOverride All" to read:

AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch

It adds this to each Virtual Server:

php_admin_value engine Off

It also looks through your .htaccess files (with your permission), and changes "FollowSymlinks" to "SymLinksIfOwnerMatch".

Before reverting anything, I'd highly recommend reviewing the Apache error log in $HOME/logs/error_log, as any issues that come up tend to be simple to fix.

But if need be, you can always undo any of the changes above; you can comment out the "php_admin_value" line, you can change the "AllowOverride" line back to its original form, and you can change SymLinksIfOwnerMatch back to FollowSymlinks both in the Apache config and in the .htaccess files.

The security issue fixed here is pretty significant, so we'd highly recommend reviewing the error logs and correcting the problem if any issues come up, rather than backing out the changes.
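A pre-flight check for the breakage the warning describes, added here as an example (it is not part of the thread and not Virtualmin's code): it lists symlinks whose target is owned by a different user, which SymLinksIfOwnerMatch will stop following, and .htaccess files that still name FollowSymLinks. The function name `audit_docroot` and the output labels are hypothetical; pass each domain's document root as an argument.

```python
import os
import re
import sys

# Matches an active (uncommented) Options line that names FollowSymLinks.
# Apache option keywords are case-insensitive, hence re.I.
FOLLOW_RE = re.compile(r"^\s*Options\b.*\bFollowSymLinks\b", re.I | re.M)


def audit_docroot(docroot):
    """Walk docroot without following links. Return (mismatched, htaccess):
    mismatched: (link, target, link_uid, target_uid) where the owners differ,
                which SymLinksIfOwnerMatch will refuse to follow
    htaccess:   .htaccess paths that still name FollowSymLinks
    """
    mismatched, htaccess = [], []
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        # Symlinks to directories show up in dirnames but are not descended.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                link_uid = os.lstat(path).st_uid      # owner of the link itself
                try:
                    target_uid = os.stat(path).st_uid  # owner of what it points to
                except OSError:
                    continue  # dangling or looping link: already broken today
                if link_uid != target_uid:
                    mismatched.append(
                        (path, os.readlink(path), link_uid, target_uid))
            elif name == ".htaccess":
                with open(path, errors="replace") as fh:
                    if FOLLOW_RE.search(fh.read()):
                        htaccess.append(path)
    return mismatched, htaccess


if __name__ == "__main__":
    for root in sys.argv[1:]:
        links, files = audit_docroot(root)
        for link, target, luid, tuid in links:
            print(f"OWNER-MISMATCH {link} -> {target} "
                  f"(link uid {luid}, target uid {tuid})")
        for path in files:
            print(f"FOLLOWSYMLINKS {path}")
```

Run it as a user that can read every domain's files; an empty report for a domain means this check found nothing that the symlink change would affect there.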