Server templates not properly applied #749

Closed
PitWenkin opened this issue Feb 6, 2024 · 5 comments
@PitWenkin
Contributor

I have the following in my Server template - Website for domain

```apache
ServerName ${DOM}
ServerAlias www.${DOM}
DocumentRoot ${HOME}/public_html
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/virtualmin/${DOM}_access_log combined
ScriptAlias /cgi-bin/ ${HOME}/public_html/cgi-bin/
DirectoryIndex index.html index.shtml index.htm index.php index.php4 index.php5
<Directory ${HOME}/public_html>
    Options -Indexes +Includes +FollowSymLinks
    allow from all
    AllowOverride All Options=ExecCGI,Includes,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
<Directory ${HOME}/public_html/cgi-bin>
    allow from all
    AllowOverride All Options=ExecCGI,Includes,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
…
```

After creation of a new virtual server everything is properly replaced with domain and/or home variables, except:

  • The 9th line is changed to `Options -Indexes +Includes +SymLinksIfOwnerMatch +ExecCGI`
  • Both lines 11 and 15 get an additional `IncludesNOEXEC`,

The change from `+FollowSymLinks` to `+SymLinksIfOwnerMatch` however breaks my setup and I have to manually change it.
(I have not yet found a problem with the additional `+ExecCGI` and `IncludesNOEXEC` …)

The same changes happen when restoring a virtual server from backup. Both the original directives as well as those in the server template had/have `+FollowSymLinks` but will be replaced with `+SymLinksIfOwnerMatch`

(This is not a new problem)

@jcameron
Collaborator

jcameron commented Feb 7, 2024

So the change from FollowSymLinks to SymLinksIfOwnerMatch is intentional as a security measure - otherwise, the owner of one domain could create a symlink to files in another domain's directory that are not normally accessible via the web, and make them accessible. The owners check prevents this.

Is there a reason why you want to use FollowSymLinks specifically?

@PitWenkin
Contributor Author

> So the change from FollowSymLinks to SymLinksIfOwnerMatch is intentional as a security measure - otherwise, the owner of one domain could create a symlink to files in another domain's directory that are not normally accessible via the web, and make them accessible. The owners check prevents this.

There are no reseller accounts, and website owners never get access to "their" virtualmin account or ssh or such.

> Is there a reason why you want to use FollowSymLinks specifically?

Same CMS on all virtual servers, shared system resources (stylesheets and such) outside of home folders, to prevent having to copy them to each home folder, reducing disk as well as backup space.
Those resources are softlinked into each home folder.

@iliajie
Collaborator

iliajie commented Feb 7, 2024

Well, if there is only one person managing all those virtual servers or a group of trusted people, then it's okay to use FollowSymLinks. Otherwise, exploring different options for directory sharing or the possibility of converting those to sub-servers under one main virtual server could be worth considering.

@jcameron
Collaborator

jcameron commented Feb 8, 2024

You can prevent Virtualmin from fixing FollowSymLinks in the templates by editing `/etc/webmin/virtual-server/config` and adding the line `allow_symlinks=1`

@PitWenkin
Contributor Author

I understand why it is replaced by default, as it makes sense in most cases

> You can prevent Virtualmin from fixing FollowSymLinks in the templates by editing `/etc/webmin/virtual-server/config` and adding the line `allow_symlinks=1`

I will try that, thanks
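
Added example, not part of the thread and not Virtualmin code: a Python audit that lists the symlinks under a virtual server's home directory that Apache treats differently under `FollowSymLinks` and `SymLinksIfOwnerMatch`, useful for reviewing what becomes reachable before setting `allow_symlinks=1`. The function name `audit_symlinks` and the reason labels are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Added example: audit symlinks under a virtual server's home directory."""
import os
import sys


def audit_symlinks(home):
    """Return {link_path: [reasons]} for every notable symlink under `home`.

    owner-mismatch: link and target have different owners, so Apache refuses
                    it under SymLinksIfOwnerMatch but serves it under
                    FollowSymLinks.
    outside-home:   the resolved target lies outside `home`.
    dangling:       the target does not exist (or the link loops).
    """
    home = os.path.realpath(home)
    findings = {}
    # os.walk does not descend into symlinked directories by default,
    # so a link loop cannot trap the scan.
    for root, dirs, files in os.walk(home):
        for name in dirs + files:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                continue
            reasons = []
            target = os.path.realpath(path)
            try:
                target_uid = os.stat(path).st_uid  # follows the link
            except OSError:
                reasons.append("dangling")
            else:
                # Same comparison as the owner check: link uid vs target uid.
                if target_uid != os.lstat(path).st_uid:
                    reasons.append("owner-mismatch")
            if os.path.commonpath([home, target]) != home:
                reasons.append("outside-home")
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    # Usage: audit_symlinks.py /home/example   (placeholder path)
    for link, why in sorted(audit_symlinks(sys.argv[1]).items()):
        print(f"{link} -> {os.path.realpath(link)}: {', '.join(why)}")
```

Links reported as `owner-mismatch` are the ones that stop working when Virtualmin rewrites the option, and the ones that become servable again once `allow_symlinks=1` keeps `FollowSymLinks` in place.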
