Submitted by Jason at eROI on Fri, 03/13/2015 - 13:34 Pro Licensee
Hello,
I have modified my apache template in a custom template. The line now reads:
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymlinks,SymLinksIfOwnerMatch
However, when I create a site with this template, the line becomes:
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymlinks,SymLinksIfOwnerMatch Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Status:
Closed (fixed)
Comments
Submitted by andreychek on Fri, 03/13/2015 - 13:46 Comment #1
Hmm, I'm not sure if this is the cause of the issue or not, but perhaps we can tackle another angle of that first.
These two parameters may be conflicting:
FollowSymlinks,SymLinksIfOwnerMatch
One says to always allow symlink following, and the other says to only allow it if the owners of the symlinks match.
We would actually highly recommend only using the latter, SymLinksIfOwnerMatch, as using FollowSymlinks allows for a pretty serious security issue, where users can trick Apache into reading files belonging to other users.
However, if you're sure you want FollowSymlinks, in spite of the potential security issue, you'd probably want to remove SymLinksIfOwnerMatch from the list.
Submitted by Jason at eROI on Wed, 03/18/2015 - 14:52 Pro Licensee Comment #2
Hello Andreychek, et al,
I have altered the line as suggested in the server_template to read:
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymlinks
but when I create another domain, this line still becomes:
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymlinks \
Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
So to recap: my server_template apache website directives read:
ServerName ${DOM}
ServerAlias www.${DOM}
DocumentRoot ${HOME}/public_html
ErrorLog /var/log/virtualmin/${DOM}_error_log
CustomLog /var/log/virtualmin/${DOM}_access_log combined
ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory ${HOME}/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymlinks
</Directory>
<Directory ${HOME}/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
Redirect /phpmyadmin http://localhost:6080/phpmyadmin
Redirect /virtualmin https://localhost:10000
And the apache configuration file generated becomes:
<VirtualHost *:80>
SuexecUserGroup "#1015" "#1014"
ServerName artcfa.com
ServerAlias www.artcfa.com
DocumentRoot /home/artcfa_ftp/public_html
ErrorLog /var/log/virtualmin/artcfa.com_error_log
CustomLog /var/log/virtualmin/artcfa.com_access_log combined
ScriptAlias /cgi-bin/ /home/artcfa_ftp/cgi-bin/
ScriptAlias /awstats/ /home/artcfa_ftp/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/artcfa_ftp/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymlinks Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
FCGIWrapper /home/artcfa_ftp/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/artcfa_ftp/fcgi-bin/php5.fcgi .php5
</Directory>
<Directory /home/artcfa_ftp/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
Redirect /phpmyadmin http://localhost:6080/phpmyadmin
Redirect /virtualmin https://localhost:10000
RemoveHandler .php
RemoveHandler .php5
php_admin_value engine Off
IPCCommTimeout 31
FcgidMaxRequestLen 1073741824
<Files awstats.pl>
AuthName "artcfa.com statistics"
AuthType Basic
AuthUserFile /home/artcfa_ftp/.awstats-htpasswd
require valid-user
</Files>
</VirtualHost>
Submitted by JamieCameron on Wed, 03/18/2015 - 15:20 Comment #3
Ok, I see the bug here - Virtualmin is trying to correct your template to ensure that safe options are allowed, but is doing it wrong. I will fix this in the next release, but you can work around it by editing the Apache config template and changing the AllowOverride line to:
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
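The two conditions raised in comments #1 and #3 can be checked mechanically across generated virtual hosts. The following is an added example, not Virtualmin's code: a Python audit (the function names `audit` and `symlink_findings` are hypothetical) that reports `<Directory>` blocks where FollowSymLinks is enabled or may be enabled from .htaccess, and where AllowOverride carries more than one Options= list. The sample input is copied from the generated config quoted in comment #2.

```python
import re

# Sample input: two <Directory> blocks copied from the generated config quoted in comment #2.
SAMPLE = """\
<Directory /home/artcfa_ftp/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymlinks Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
<Directory /home/artcfa_ftp/cgi-bin>
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
"""

def symlink_findings(opts, where):
    """Findings for one set of lower-cased option names."""
    if "followsymlinks" not in opts:
        return []
    out = [f"{where}: FollowSymLinks allowed"]
    if "symlinksifownermatch" in opts:
        out.append(f"{where}: FollowSymLinks listed together with SymLinksIfOwnerMatch")
    return out

def audit(config_text):
    """Return (directory, finding) pairs for symlink-related settings."""
    findings, directory = [], None
    for line in map(str.strip, config_text.splitlines()):
        opened = re.match(r"<Directory\s+(.+)>$", line, re.I)
        if opened:
            directory = opened.group(1).strip('"')
        elif line.lower() == "</directory>":
            directory = None
        parts = line.split()
        if not parts or directory is None:
            continue
        directive, args, msgs = parts[0].lower(), parts[1:], []
        if directive == "options":
            # "-Name" turns an option off; "+Name" and a bare "Name" turn it on.
            enabled = {a.lstrip("+").lower() for a in args if not a.startswith("-")}
            msgs = symlink_findings(enabled, "Options")
        elif directive == "allowoverride":
            lists = [a.split("=", 1)[1].lower().split(",") for a in args if a.lower().startswith("options=")]
            if len(lists) > 1:
                msgs.append(f"AllowOverride: {len(lists)} Options= lists on one line")
            merged = {name for lst in lists for name in lst}
            msgs += symlink_findings(merged, "AllowOverride Options=")
        findings += [(directory, m) for m in msgs]
    return findings

for directory, finding in audit(SAMPLE):
    print(f"{directory}: {finding}")
```

On the sample, all findings land on the public_html block; the cgi-bin block, which lists only SymLinksIfOwnerMatch, produces none.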
Submitted by Jason at eROI on Wed, 03/25/2015 - 12:23 Pro Licensee Comment #4
Interesting: your suggestion puts me back at the original settings. That's fine for now.
There will be cases where I would like to symlink to common items, rather than repeat them in the filesystem. If Virtualmin is always trying to correct it to be more secure, how do I get virtualmin to not do this in certain cases?
I probably should describe how I am using virtualmin for clarity: I run a number of sites on behalf of some clients. They do not manage their sites. I have created a reseller account for my developers so they may edit/create sites under the one login, but still have sites operating in their own sandboxes.
I know I can modify the apache configurations after site creation, but I am trying to have it so my non-systems-aware developers can generate sites without my intervention.
Also a question: when I open a bug report, is it incumbent upon me to mark it resolved, or closed?
Thank you in advance...
--jason
Submitted by JamieCameron on Wed, 03/25/2015 - 12:34 Comment #5
If you really want to use symlinks, you can edit /etc/webmin/virtual-server/config and add the line:
allow_symlinks=1
Regarding the bug status, once you're happy with the resolution you can change it to "closed".
Submitted by Jason at eROI on Fri, 03/27/2015 - 10:42 Pro Licensee Comment #6
Thanks! Both of those answer my questions!
--jason