Bug 1006640 - [ASF Bugzilla – Bug 45959] SSI include ignores SymlinkIfOwnerMatch directive
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Web Stack Team
QA Contact: BaseOS QE Security Team
Reported: 2013-09-10 21:44 EDT by Yukihiko Sawanobori
Modified: 2013-09-30 03:16 EDT (History)
Doc Type: Bug Fix
Last Closed: 2013-09-30 03:16:17 EDT
Type: Bug

Description Yukihiko Sawanobori 2013-09-10 21:44:01 EDT
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1. Disallow FollowSymLinks in the <Directory> directive.
2. Allow SymLinksIfOwnerMatch in .htaccess.
3. Create a symlink to a file owned by another user, one the symlink owner is not permitted to read.
4. Use an SSI include in an HTML file.

Actual results:

I can see the content of the file owned by the other user.

Expected results:

I cannot see the content of the file.

Additional info:

A patch for this vulnerability has already been provided upstream.
Could you backport the patch to the httpd package?
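The setup the reporter describes, written out here as an added example for this page; it is not the reporter's attachment, the upstream patch, or Red Hat's code, and the paths, the per-user tree and the symlink target are assumed. The first <Directory> block is the configuration in which the SSI include reads through the symlink; the second is what an administrator would deploy instead. The point of the second block is that the owner check is not the control to lean on: Apache's own Options documentation states that omitting FollowSymLinks is not a security restriction because the symlink test is subject to race conditions, so the effective control is refusing to let .htaccess change Options at all.

```apache
# Added example, not from the bug report. Assumed layout:
#   DocumentRoot            /var/www/html
#   untrusted user's tree   /var/www/html/user   (owned by "user")
#   /var/www/html/user/secret -> /etc/shadow      (owned by root, mode 0600 to user? no: unreadable to "user")

# --- As described in the report: symlinks disabled server-side ... ---
<Directory "/var/www/html/user">
    Options -FollowSymLinks +Includes
    # ... but .htaccess is allowed to change Options, which the report relies on.
    AllowOverride Options
</Directory>

# /var/www/html/user/.htaccess, written by the untrusted user:
#     Options +SymLinksIfOwnerMatch
#
# /var/www/html/user/index.shtml, served with +Includes:
#     <!--#include virtual="secret" -->
#
# Expected: the owner of "secret" (root) differs from the owner of the link
# ("user"), so the include should be refused. Reported: the target is served.

# --- Hardened form: do not let per-directory config re-enable symlinks, and
# --- do not treat SymLinksIfOwnerMatch as a security boundary.
<Directory "/var/www/html/user">
    Options -FollowSymLinks -SymLinksIfOwnerMatch +IncludesNOEXEC
    AllowOverride None
</Directory>
```

With AllowOverride None the .htaccess file is never read, so its Options line cannot take effect; with an AllowOverride that grants something other than Options, an Options line in .htaccess is rejected as "not allowed here" and the request fails with a 500 rather than silently widening access. IncludesNOEXEC keeps SSI available for the user's pages while refusing #exec and the execution of CGI through #include.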
Comment 1 Joe Orton 2013-09-30 03:16:17 EDT

Thank you for taking the time to enter a bug report with us. You mentioned the word "vulnerability", but as described in the documentation, "SymLinksIfOwnerMatch" is not a security feature.  There are no plans to address this in Red Hat Enterprise Linux 5.


We appreciate the feedback and look to use reports such as this to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.

If this issue is critical or in any way time sensitive, please raise a ticket through your regular Red Hat support channels to make certain it receives the proper attention and prioritization to assure a timely resolution.

For information on how to contact the Red Hat production support team, please visit:

