I know this is a very frequently asked question but after spending many hours searching for an answer I decided to open a new thread.
Drupal Security Announcement 2006-006 was concerned about a highly critical vulnerability of remote arbitrary code execution in some (very common) Apache configurations. If I'm not mistaken the scenario was that users with permission to upload files to the Drupal site were able to somehow upload an evil PHP script to the upload folder in some Apache configurations, then run it from the files directory and ka-boom, the site is compromised.
For this reason, Drupal SA 2006-006 introduced a .htaccess file in the files directory with the following content:
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks
Description of the problem
The hosting provider of my current project has Apache configured so that these lines cause problems.
I'm able to upload content to the files directory with no problems: if I upload files they end up in the files directory as expected. If I change the color of my Garland theme the color module is able to create a subdirectory in the files directory and save the new CSS-files etc. in this directory. The file permissions of the uploaded files are OK (-rw-rw-r--). So far so good.
The problems, however, start when the browser is trying to access these files.
Problem #1. The FollowSymLinks option causes me an Internal Server Error because my hosting provider has disabled use of this directive. In my environment I know I can safely comment this line out just like I did in the main .htaccess file in the Drupal installation directory. This is because the FollowSymLinksIfOwnerMatch is enabled instead. One down, one to go.
Problem #2. The content of the .htaccess file is now effectively as follows:
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
With this configuration I get rid of the Internal Server Error. But instead, I now get an HTTP 403 Forbidden error when the browser is requesting files that are in the files directory.
If I comment out Options None, I can access the files as intended. This configuration change is, however, something that I am not going to do unless I know for sure that Apache is configured safely - I don't want to open my site for remote arbitrary code execution.
My request for support
Could someone please point me to a piece of documentation where I could read how to make sure that the Apache environment is configured safely so that the Options None could be safely removed?
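An added example, not part of the original post or of Drupal's code: a Python check that reads the text of a files-directory .htaccess and reports the effective Options set, plus whether that set still depends on the server configuration once Options None is gone. It assumes Apache's documented merge rule (a bare Options value replaces the current set, +/- values adjust it) and sees only the file itself; `audit_htaccess` and the sample strings are constructed here from the directives quoted in the post.

```python
# Added example: audits the text of one .htaccess, not the server-wide config.
RISKY = {"execcgi", "includes", "all"}  # Options values that permit server-side execution

def audit_htaccess(text):
    """Return (effective_options, inherited, findings) for one .htaccess text."""
    handler, options, inherited, findings = None, set(), True, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        name, *args = line.split()
        name = name.lower()
        if name == "sethandler" and args:
            handler = args[0]
        elif name in ("addhandler", "addtype"):
            findings.append("handler mapping added in upload directory: " + line)
        elif name == "options":
            if not any(tok[0] in "+-" for tok in args):
                # Bare form: replaces whatever was set or inherited so far.
                options, inherited = set(), False
            for tok in args:
                value = tok.lstrip("+-").lower()
                if tok.startswith("-"):
                    options.discard(value)
                elif value != "none":
                    options.add(value)
    if handler is None:
        findings.append("SetHandler override from SA 2006-006 is missing")
    for bad in sorted(options & RISKY):
        findings.append("Options enables " + bad)
    if inherited:
        findings.append("no absolute Options line: base set comes from the server config")
    return options, inherited, findings

# Constructed samples built from the directives quoted in the post.
SHIPPED = ("SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\n"
           "Options None\n"
           "Options +FollowSymLinks\n")
NONE_COMMENTED_OUT = ("SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\n"
                      "# Options None\n"
                      "# Options +FollowSymLinks\n")

if __name__ == "__main__":
    for label, text in (("as shipped", SHIPPED),
                        ("Options None commented out", NONE_COMMENTED_OUT)):
        print(label, audit_htaccess(text))
```

With Options None commented out the file no longer pins the option set, so ExecCGI and Includes have to be ruled out in the provider's own configuration for that directory.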