httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lazy <>
Subject Re: [patch] Fix cross-user symlink race condition vulnerability
Date Sun, 04 Nov 2012 23:18:43 GMT
2012/10/31 Eric Jacobs <>:
> On 10/31/2012 06:00 AM, Eric Covener wrote:
>> In general that is the proper form -- but this particular issue is
>> documented as a limitation:
>> "Omitting this option should not be considered a security restriction,
>> since symlink testing is subject to race conditions that make it
>> circumventable."
> Some users (like Bluehost) require the functionality of symlinks without the
> possibility of server side vulnerabilities. Having the vulnerability
> documented doesn't keep servers safe. The patch I submitted allows httpd to
> use symlinks in a protected fashion that doesn't allow for users to serve
> arbitrary files.
> I'll go ahead and submit a more detailed email to the security. More
> feedback from the devs is appreciated.

on some systems, at least on Linux You can use a grsecurity kernel
patch feature which prevents those races
and is cheeper performance wise

+       bool "Kernel-enforced SymlinksIfOwnerMatch"
+       help
+         Apache's SymlinksIfOwnerMatch option has an inherent race condition
+         that prevents it from being used as a security feature.  As Apache
+         verifies the symlink by performing a stat() against the target of
+         the symlink before it is followed, an attacker can setup a symlink
+         to point to a same-owned file, then replace the symlink with one
+         that targets another user's file just after Apache "validates" the
+         symlink -- a classic TOCTOU race.  If you say Y here, a complete,
+         race-free replacement for Apache's "SymlinksIfOwnerMatch" option
+         will be in place for the group you specify. If the sysctl option
+         is enabled, a sysctl option with name "enforce_symlinksifowner" is
+         created.

there probably is something similar on *BSD's, or if there isn't it
won't be hard to make

Your patch checks for a race conditions every time, even if Symlinks
weren't allowed. It also references some
configuration dependent directory like /usr/local/apache/htdocs.

Michal Grzedzicki

View raw message