additional line inserted into apache template

Hello,

I have modified my apache template in a custom template. The line now reads:
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymlinks,SymLinksIfOwnerMatch

However, when I create a site with this template, the line becomes:

AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymlinks,SymLinksIfOwnerMatch Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch

Status: Closed (fixed)

Comments

Hmm, I'm not sure if this is the cause of the issue or not, but perhaps we can tackle another angle of that first.

These two parameters may be conflicting:

FollowSymlinks,SymLinksIfOwnerMatch

One says to always allow symlink following, and the other says to only allow it if the owners of the symlinks match.

We would actually highly recommend only using the latter, SymLinksIfOwnerMatch, as using FollowSymlinks allows for a pretty serious security issue, where users can trick Apache into reading files belonging to other users.

However, if you're sure you want FollowSymlinks, in spite of the potential security issue, you'd probably want to remove SymLinksIfOwnerMatch from the list.

Hello Andreychek, et al,

I have altered the line as suggested in the server_template to read:

AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymlinks

but when I create another domain, this line still becomes:

AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymlinks \
Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch

So to recap: my server_template apache website directives read:

ServerName ${DOM}
ServerAlias www.${DOM}
DocumentRoot ${HOME}/public_html
ErrorLog /var/log/virtualmin/${DOM}_error_log
CustomLog /var/log/virtualmin/${DOM}_access_log combined
ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory ${HOME}/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymlinks
</Directory>
<Directory ${HOME}/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
Redirect /phpmyadmin http://localhost:6080/phpmyadmin
Redirect /virtualmin https://localhost:10000

And the apache configuration file generated becomes:

<VirtualHost *:80>
   SuexecUserGroup "#1015" "#1014"
   ServerName artcfa.com
   ServerAlias www.artcfa.com
   DocumentRoot /home/artcfa_ftp/public_html
   ErrorLog /var/log/virtualmin/artcfa.com_error_log
   CustomLog /var/log/virtualmin/artcfa.com_access_log combined
   ScriptAlias /cgi-bin/ /home/artcfa_ftp/cgi-bin/
   ScriptAlias /awstats/ /home/artcfa_ftp/cgi-bin/
   DirectoryIndex index.html index.htm index.php index.php4 index.php5
   <Directory /home/artcfa_ftp/public_html>
      Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
      allow from all
      AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymlinks Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
      AddType application/x-httpd-php .php
      AddHandler fcgid-script .php
      AddHandler fcgid-script .php5
      FCGIWrapper /home/artcfa_ftp/fcgi-bin/php5.fcgi .php
      FCGIWrapper /home/artcfa_ftp/fcgi-bin/php5.fcgi .php5
   </Directory>
   <Directory /home/artcfa_ftp/cgi-bin>
      allow from all
      AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
   </Directory>
   Redirect /phpmyadmin http://localhost:6080/phpmyadmin
   Redirect /virtualmin https://localhost:10000
   RemoveHandler .php
   RemoveHandler .php5
   php_admin_value engine Off
   IPCCommTimeout 31
   FcgidMaxRequestLen 1073741824
   <Files awstats.pl>
      AuthName "artcfa.com statistics"
      AuthType Basic
      AuthUserFile /home/artcfa_ftp/.awstats-htpasswd
      require valid-user
   </Files>
</VirtualHost>

Ok, I see the bug here - Virtualmin is trying to correct your template to ensure that safe options are allowed, but is doing it wrong. I will fix this in the next release, but you can work around it by editing the Apache config template and changing the AllowOverride line to:

AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch

Interesting: your suggestion puts me back at the original settings. That's fine for now.

There will be cases where I would like to symlink to common items, rather than repeat them in the filesystem. If Virtualmin is always trying to correct it to be more secure, how do I get virtualmin to not do this in certain cases?

I probably should describe how I am using virtualmin for clarity: I run a number of sites on behalf of some clients. They do not manage their sites. I have created a reseller account for my developers so they may edit/create sites under the one login, but still have sites operating in their own sandboxes.

I know I can modify the apache configurations after site creation, but I am trying to have it so my non-systems-aware developers can generate sites without my intervention.

Also a question: when I open a bug report, is it incumbent upon me to mark it resolved, or closed?

Thank you in advance...

--jason

If you really want to use symlinks, you can edit /etc/webmin/virtual-server/config and add the line allow_symlinks=1

Regarding the bug status, once you're happy with the resolution you can change it to "closed"

Thanks! Both of those answer my questions!

--jason
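
An added example, not part of the thread and not Virtualmin's own code: a small Python check that scans a generated Apache config for the two conditions discussed above, an AllowOverride line carrying more than one Options= list, and FollowSymLinks being enabled or permitted as an override. The function name, finding labels and sample text are assumptions made for the illustration.

```python
import re

# Constructed sample: the two <Directory> blocks from the generated vhost in the thread.
SAMPLE = """\
<VirtualHost *:80>
   <Directory /home/artcfa_ftp/public_html>
      Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
      AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymlinks Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
   </Directory>
   <Directory /home/artcfa_ftp/cgi-bin>
      AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
   </Directory>
</VirtualHost>
"""

def audit(conf_text):
    """Return (line_no, directory, finding) tuples for symlink-related settings."""
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):          # closing section tag
            if stack:
                stack.pop()
            continue
        opened = re.match(r"<(\w+)\s*(.*?)>$", line)
        if opened:                         # opening section tag
            is_dir = opened.group(1).lower() == "directory"
            stack.append(opened.group(2).strip('"') if is_dir else None)
            continue
        where = next((d for d in reversed(stack) if d), "(server)")
        words = line.split()
        name = words[0].lower()            # directive names are case-insensitive
        if name == "allowoverride":
            lists = [w.split("=", 1)[1].lower().split(",")
                     for w in words[1:] if w.lower().startswith("options=")]
            if len(lists) > 1:             # the doubled list seen in the thread
                findings.append((no, where, "duplicate-options"))
            if any("followsymlinks" in opts for opts in lists):
                findings.append((no, where, "followsymlinks-overridable"))
        elif name == "options":
            if any(w.lstrip("+").lower() == "followsymlinks" for w in words[1:]):
                findings.append((no, where, "followsymlinks-enabled"))
    return findings

if __name__ == "__main__":
    for no, where, finding in audit(SAMPLE):
        print(f"line {no}: {where}: {finding}")
```

Run against the files a template produces, this lets an administrator confirm after each new site is created that the AllowOverride line came out as intended.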