I don’t know how serious this is but when a website is created a symlink to the “icon” directory for fancy indexing is made with permissions 777 and owned by user root group root.
When logged in to the file manager (as a virtual server administrator) I was able to make a copy - this copy was made with the logged-in user instead of root. (This could be used after the original file was renamed to something else.)
The issue is that because of the 777 permissions of the symlink I was then able to rename the root owned symlink to something like httpd.conf and change the symlink pointer values to the assumed destination of the new filename value for the symlink.
The symlink always stays to the owner root unless the user decides to change it.
I didn’t want to change it to the passwd file in the etc folder because I didn’t want to spend hours correcting my system if I messed up something.
I did browse to the etc folder while under root login and made copies of a couple of different conf files and then pointed the link to them. When you bring up the link in a browser window the file is displayed. It will even display whole directories by changing it to point to simply "/var" or "/etc"
If I change the owner of the symlink file from root, then I am quite sure apache will not let me view the destination of the symlink file if it points to a root file with proper permissions.
The FollowSymLinks directive has something to do with this and I think it is used for the suexec. This "icon" symlink is in the public_html directory, so is the follow symlinks directory only placed in the per-directory option section due to fancy indexes?
Still, I sure don’t know what to think about having someone be able to just peruse the file system in this manner and look at config files, etc.
Plus… what about ssl logins via scp? The user is not jailed. They can look around the system. They can’t change files unless they happen to have the wrong permissions but many files need to have read access for scripts and other programs.
You see… if someone logs in under scp and can change any symlink under root in directories that are accessible to the internet, it could cause problems because they can read/look at many files on the system under scp. Then decide “hey, I’ll just change it to this one”. Then call it in their browser.
Can I change the owner of this "icon" symlink? Is this really not an issue?
These two issues are bugging me and I would like some feedback. Thanks.
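An audit for the situation described in the post, as an added example that is not part of the original post: it lists every symlink under a web root and flags links whose destination lies outside it, links whose owner differs from the destination's owner (the comparison Apache's `SymLinksIfOwnerMatch` option makes), and links not owned by the owner of the directory holding them. The function names `audit_symlinks` and `demo` and the sample tree are constructed for illustration.

```python
import os
import tempfile

def audit_symlinks(docroot):
    """Return one finding per symlink found under docroot (links are not followed)."""
    root = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            link_uid = os.lstat(path).st_uid          # owner of the link itself
            target = os.path.realpath(path)           # fully resolved destination
            try:
                target_uid = os.stat(path).st_uid     # owner of the destination
            except OSError:
                target_uid = None                     # dangling link or loop
            findings.append({
                "link": os.path.relpath(path, root),
                "target": target,
                # Destination lies outside the web root.
                "escapes_docroot": os.path.commonpath([root, target]) != root,
                # The comparison Apache's SymLinksIfOwnerMatch makes.
                "owner_mismatch": target_uid is not None and target_uid != link_uid,
                # Link owner is not the owner of the directory that holds it.
                "dir_owner_differs": os.stat(dirpath).st_uid != link_uid,
            })
    return findings

def demo():
    """Constructed sample tree: one link leaving the web root, one staying inside."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "public_html")
    outside = os.path.join(base, "outside")
    os.makedirs(docroot)
    os.makedirs(outside)
    open(os.path.join(docroot, "page.html"), "w").close()
    os.symlink(outside, os.path.join(docroot, "icon"))
    os.symlink("page.html", os.path.join(docroot, "local"))
    return {f["link"]: f for f in audit_symlinks(docroot)}

if __name__ == "__main__":
    for name, f in sorted(demo().items()):
        print(name, "->", f["target"], "escapes" if f["escapes_docroot"] else "inside")
```

A root-owned link pointing at a root-owned file shows `owner_mismatch` as false, so the `escapes_docroot` and `dir_owner_differs` columns are the ones that surface the case in the post.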