apache FollowSymLinks and SymLinksIfOwnerMatch question

To: debian-user@lists.debian.org
Subject: apache FollowSymLinks and SymLinksIfOwnerMatch question
From: Patrick Hsieh <pahud@ezplay.tv>
Date: Thu, 26 Sep 2002 13:30:23 +0800
Message-id: <[🔎] 20020926132536.9DF2.PAHUD@ezplay.tv>

Hello list,

Now that apache has FollowSymLinks and SymLinksIfOwnerMatch options,
there's still some security issue. For example, someone cp /etc/passwd
to his home directory(/home/foo/passwd), create a symbolic link from
/home/foo/passwd to /var/www/hidden_dir/passwd. Since the owner maches,
it will still lead to exposure of passwd file. Is there any way to avoid
this? I'd like to restrict the symbolic link from linking across the
DocumentRoot, idea?


-- 
Patrick Hsieh <pahud@ezplay.tv>

GPG public key http://pahud.net/pubkeys/pahudatezplay.gpg

Reply to:

Follow-Ups:
- Re: apache FollowSymLinks and SymLinksIfOwnerMatch question
  - From: "nate" <debian-user@aphroland.org>
- Re: apache FollowSymLinks and SymLinksIfOwnerMatch question
  - From: Paul Johnson <baloo@ursine.dyndns.org>

Prev by Date: Re: workstations syslogging to server
Next by Date: compiling & Installing different versions of kernel
Previous by thread: Re: workstations syslogging to server (solved)
Next by thread: Re: apache FollowSymLinks and SymLinksIfOwnerMatch question
Index(es):
- Date
- Thread