Re: apache FollowSymLinks and SymLinksIfOwnerMatch question



On Thu, Sep 26, 2002 at 01:30:23PM +0800, Patrick Hsieh wrote:
> Now that apache has FollowSymLinks and SymLinksIfOwnerMatch options,
> there's still some security issue. For example, someone cp /etc/passwd
> to his home directory(/home/foo/passwd), create a symbolic link from
> /home/foo/passwd to /var/www/hidden_dir/passwd. Since the owner matches,
> it will still lead to exposure of passwd file. Is there any way to avoid
> this? I'd like to restrict the symbolic link from linking across the
> DocumentRoot, idea?

Easiest way to avoid it being a problem is to use shadow passwords...

-- 
Baloo

Attachment: pgppmmolG_Frw.pgp
Description: PGP signature
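
An added example, not part of the original thread: an audit for the case raised in the question, listing symlinks under a DocumentRoot that resolve outside it and whether each would still pass the owner comparison that SymLinksIfOwnerMatch performs. The function names and the temporary directory layout are assumptions made for illustration, and the sample files are constructed.

```python
import os
import tempfile


def audit_symlinks(docroot):
    """List symlinks under docroot whose resolved target lies outside it.

    Returns (link_path, resolved_target, owner_match) tuples; owner_match
    mirrors the SymLinksIfOwnerMatch test (link uid == target uid).
    """
    root = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            if os.path.commonpath([root, target]) == root:
                continue  # stays inside the DocumentRoot
            try:
                owner_match = os.lstat(link).st_uid == os.stat(target).st_uid
            except OSError:
                owner_match = False  # dangling link, nothing to compare
            findings.append((link, target, owner_match))
    return findings


def demo():
    """Build a constructed layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home", "foo")
        docroot = os.path.join(tmp, "var", "www")
        hidden = os.path.join(docroot, "hidden_dir")
        os.makedirs(home)
        os.makedirs(hidden)
        with open(os.path.join(home, "passwd"), "w") as f:
            f.write("constructed sample, not a real passwd file\n")
        with open(os.path.join(docroot, "index.html"), "w") as f:
            f.write("<html></html>\n")
        os.symlink(os.path.join(home, "passwd"), os.path.join(hidden, "passwd"))
        os.symlink(os.path.join(docroot, "index.html"), os.path.join(hidden, "home"))
        root = os.path.realpath(docroot)
        return [(os.path.relpath(l, root), m) for l, _, m in audit_symlinks(docroot)]


if __name__ == "__main__":
    for link, owner_match in demo():
        print(f"{link}: escapes DocumentRoot, owner match = {owner_match}")
```

A finding with an owner match of True is a link that the owner comparison alone would not stop, which is the situation the question describes.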