
Bug#45977: marked as done (FollowSymlinks lets users bypass <Directory> access controls)



Your message dated Wed, 16 Sep 2009 20:34:06 +0100
with message-id <1253129646.700686.2711.nullmailer@kmos.homeip.net>
and subject line Package apache has been removed from Debian
has caused the Debian Bug report #45977,
regarding FollowSymlinks lets users bypass <Directory> access controls
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
45977: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=45977
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache
Version: 1.3.9-8

If a directory /foo/bar is protected by a <Directory> access control or a
.htaccess file in /foo, a user can make a symbolic link to this directory in
their public_html directory. When the resulting URL is visited, the contents
of /foo/bar are shown without any regard to the access controls.

At one point in the past, I think Apache behaved differently, changing its
internal pathname to the resolved symlink so it would match against
<Directory> access controls and also pick up .htaccess files in the parent
directory. Now, the documentation says "Note: even though the server follows
the symlink it does not change the pathname used to match against
<Directory> sections."

With the current state of affairs, any user can put the entire system on the
web by symlinking / into their public_html directory. The only other option
is SymLinksIfOwnerMatch, but then this prevents websites maintained by
multiple users from using symlinks. SymLinksIfOwnerMatch also prevents users
from symlinking directories explicitly permitted by a <Directory> access
control if they don't own it. 

-- 
Brian Ristuccia
brianr@osiris.978.org
bristucc@nortelnetworks.com
bristucc@cs.uml.edu

--- End Message ---
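The report above describes two things an administrator may want to check offline: whether any symlink under a user's public_html resolves outside the tree the web server is meant to expose, and whether the link's owner differs from the target's owner (the comparison Apache's SymLinksIfOwnerMatch option performs at request time). The following audit script is an added example, not code from the bug report or from Apache; the directory layout it builds (a protected foo/bar directory next to a home/alice/public_html tree with one benign, one escaping and one dangling symlink) is constructed in a temporary directory purely for demonstration, and the function and reason names are this example's own.

```python
import os
import tempfile
from pathlib import Path


def audit_symlinks(public_html, allowed_roots):
    """Walk public_html without following links and flag risky symlinks.

    Returns a list of (link_path, resolved_target, reason) tuples. Reasons:
      owner-mismatch  link owner != target owner (SymLinksIfOwnerMatch would refuse)
      escapes-docroot target resolves outside every directory in allowed_roots
      dangling        target does not exist
    """
    findings = []
    roots = [os.path.realpath(r) for r in allowed_roots]
    for dirpath, dirnames, filenames in os.walk(public_html, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            link_st = os.lstat(path)          # metadata of the link itself
            try:
                target_st = os.stat(path)     # metadata of what it points at
            except OSError:
                findings.append((path, os.readlink(path), "dangling"))
                continue
            resolved = os.path.realpath(path)
            reasons = []
            if link_st.st_uid != target_st.st_uid:
                reasons.append("owner-mismatch")
            if not any(resolved == r or resolved.startswith(r + os.sep) for r in roots):
                reasons.append("escapes-docroot")
            if reasons:
                findings.append((path, resolved, ",".join(reasons)))
    return findings


def build_demo_tree(base):
    """Constructed layout (hypothetical paths) mirroring the report's scenario."""
    protected = Path(base, "foo", "bar")            # stands in for the protected /foo/bar
    protected.mkdir(parents=True)
    (protected / "secret.txt").write_text("restricted\n")
    pub = Path(base, "home", "alice", "public_html")  # stands in for ~alice/public_html
    pub.mkdir(parents=True)
    (pub / "index.html").write_text("<p>hello</p>\n")
    (pub / "css").mkdir()
    (pub / "styles").symlink_to(pub / "css")          # benign: stays inside public_html
    (pub / "leak").symlink_to(protected)              # escapes into the protected tree
    (pub / "gone").symlink_to(Path(base, "nonexistent"))  # dangling link
    return str(pub)


def run_demo():
    """Build the constructed tree in a temp dir and return {link name: reason}."""
    base = tempfile.mkdtemp(prefix="symlink-audit-")
    pub = build_demo_tree(base)
    findings = audit_symlinks(pub, allowed_roots=[pub])
    return {os.path.basename(p): reason for p, _, reason in findings}


if __name__ == "__main__":
    for name, reason in sorted(run_demo().items()):
        print(f"{name}: {reason}")
```

Because every file in a temporary directory belongs to the same user, the demo only exercises the escapes-docroot and dangling cases; on a real multi-user host the owner-mismatch reason is the one that corresponds to what SymLinksIfOwnerMatch enforces. The script is a one-shot audit, not a substitute for restricting Options in the <Directory> block that covers public_html.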
--- Begin Message ---
Version: 1.3.34-4.1+rm

You filed the bug http://bugs.debian.org/45977 in Debian BTS
against the package apache. I'm closing it at *unstable*, but it will
remain open for older distributions.

For more information about this package's removal, read
http://bugs.debian.org/418266. That bug might give the reasons why
this package was removed and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any question.

Thank you for your contribution to Debian.

--
Marco Rodrigues


--- End Message ---
