Bug 1006640

Summary: [ASF Bugzilla – Bug 45959] SSI include ignores SymlinkIfOwnerMatch directive
Product: Red Hat Enterprise Linux 5
Reporter: Yukihiko Sawanobori <sawanoboriyu>
Component: httpd
Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: unspecified
Version: 5.10
CC: jorton
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-09-30 07:16:17 UTC

Description Yukihiko Sawanobori 2013-09-11 01:44:01 UTC
Description of problem:

https://issues.apache.org/bugzilla/show_bug.cgi?id=45959

Version-Release number of selected component (if applicable):

httpd-2.2.3.82

How reproducible:


Steps to Reproduce:

1. Disallow FollowSymLinks in the <Directory> directive.
2. Allow SymLinksIfOwnerMatch in .htaccess.
3. Create a symlink to a file owned by another user, which is not permitted.
4. Use an SSI include in the HTML.

Actual results:

I can see the content of the file owned by the other user.

Expected results:

I cannot see the content of the file.

Additional info:

A patch for this vulnerability has already been provided.
Could you backport the patch to the httpd package?
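
A small audit script, added here as an illustration and not part of this bug report or of httpd, that applies the same owner comparison SymLinksIfOwnerMatch makes (link owner must equal target owner) to every symlink under a document root, so cross-owner links that the directive would refuse on a normal request can be listed before anyone relies on it; the function names and the injectable stat hooks used for testing are assumptions.

```python
import os
from dataclasses import dataclass
from typing import Callable, Iterator, Optional

# Constructed helper, not httpd code: mirrors the uid comparison that
# Options SymLinksIfOwnerMatch performs, so a docroot can be audited for
# symlinks the directive would refuse to follow.


@dataclass(frozen=True)
class SymlinkFinding:
    link: str
    target: Optional[str]      # None when the link is dangling
    link_uid: int
    target_uid: Optional[int]

    @property
    def owner_matches(self) -> bool:
        # The directive follows a link only when link and target share a uid;
        # a dangling link has no target owner and therefore never matches.
        return self.target_uid is not None and self.link_uid == self.target_uid


def inspect_symlink(link: str,
                    lstat_fn: Callable[[str], os.stat_result] = os.lstat,
                    stat_fn: Callable[[str], os.stat_result] = os.stat) -> SymlinkFinding:
    """Compare the owner of a symlink (lstat) with the owner of its target (stat)."""
    link_uid = lstat_fn(link).st_uid            # lstat: the link entry itself
    try:
        target_uid = stat_fn(link).st_uid       # stat: follows the link
        target = os.path.realpath(link)
    except FileNotFoundError:                   # dangling link
        target, target_uid = None, None
    return SymlinkFinding(link, target, link_uid, target_uid)


def audit_symlinks(root: str, **stat_fns) -> Iterator[SymlinkFinding]:
    """Yield every symlink under root whose owner differs from its target's owner."""
    # os.walk does not descend into symlinked directories by default, so a
    # link to a directory is reported once rather than walked through.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                finding = inspect_symlink(path, **stat_fns)
                if not finding.owner_matches:
                    yield finding


if __name__ == "__main__":
    import sys
    for f in audit_symlinks(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f.link} -> {f.target} (link uid {f.link_uid}, target uid {f.target_uid})")
```

Run it against the DocumentRoot as the user that owns the content; any line it prints is a link that SymLinksIfOwnerMatch would reject, which is exactly the class of link the report says an SSI include still reads.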

Comment 1 Joe Orton 2013-09-30 07:16:17 UTC
Yukihiko-san,

Thank you for taking the time to enter a bug report with us. You mentioned the word "vulnerability", but as described in the documentation, "SymlinksIfOwnerMatch" is not a security feature.  There are no plans to address this in Red Hat Enterprise Linux 5.

http://httpd.apache.org/docs/2.2/mod/core.html#options

We appreciate the feedback and look to use reports such as this to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.

If this issue is critical or in any way time sensitive, please raise a ticket through your regular Red Hat support channels to make certain it receives the proper attention and prioritization to assure a timely resolution.

For information on how to contact the Red Hat production support team, please visit:

https://www.redhat.com/support/process/production/#howto