
Re[2]: apache FollowSymLinks and SymLinksIfOwnerMatch question



Hello "nate" <debian-user@aphroland.org>,

OK. This is my situation. I am running multiple apache servers which all
mount nfsserver:/var/www/ as their local /var/www and share the same
storage via nfs.

Is there any apache configuration to avoid symbolic links across the documentroot?
I hope to keep the consistency of the content of DocumentRoot because of
NFS. Symbolic links outside the document root could possibly lead to
inconsistency.



On Wed, 25 Sep 2002 22:44:38 -0700 (PDT)
"nate" <debian-user@aphroland.org> wrote:

> Patrick Hsieh said:
> > Hello list,
> >
> > Now that apache has FollowSymLinks and SymLinksIfOwnerMatch options,
> > there's still some security issue. For example, someone cp /etc/passwd to
> > his home directory (/home/foo/passwd), create a symbolic link from
> > /home/foo/passwd to /var/www/hidden_dir/passwd. Since the owner matches,
> > it will still lead to exposure of the passwd file. Is there any way to avoid
> > this? I'd like to restrict the symbolic link from linking across the
> > DocumentRoot, ideas?
> 
> If you're trying to protect the passwd file, good luck! Someone
> could just as easily cat the file into another html file, or copy and
> rename it in their public_html directory.
> 
> If you want to "obscure" your user accounts I recommend using a
> distributed login system such as LDAP, NIS, NIS+ and put all
> non-system accounts in the database (there's no harm in a remote
> user seeing what system accounts you have I think since they
> are default to the system, they could install a copy of debian
> and see what the accounts were if they wanted). That way
> /etc/passwd has no real useful information.
> 
> I do this with LDAP, it works well, I wrote up a large "HOWTO"
> on the subject:
> 
> http://howto.linuxpowered.net/ldap/ldap.html
> 
> IMO ldap is more secure than NIS/NIS+ because it does not depend
> upon RPC services (which historically have many security problems).
> 
> nate
> 
> 
> 
> 
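The question in this thread is how to keep symbolic links from pointing outside the DocumentRoot. Apache's own knobs are coarse: `Options -FollowSymLinks -SymLinksIfOwnerMatch` refuses to follow any link at all, and `SymLinksIfOwnerMatch` only checks ownership, which is exactly the case Patrick describes. A complementary defender-side check is to audit the shared /var/www tree and report every symlink whose resolved target lies outside it. The script below is an added example written for this thread; it is not code from the list posters or from Apache. It builds a constructed directory tree under a temporary directory that mimics the scenario (a link in `hidden_dir` pointing at a file in a home directory, plus a harmless internal link) and then runs the audit over it.

```python
import os
import tempfile
from pathlib import Path


def escaping_symlinks(docroot):
    """Return a list of (link_path, resolved_target) for every symlink below
    docroot whose final target is not inside docroot.

    Both sides are canonicalised with os.path.realpath so that chained links
    and platform quirks (e.g. /tmp -> /private/tmp) are compared fairly.
    os.walk does not descend into symlinked directories by default, so a
    link to a directory is reported once rather than walked through.
    """
    root = os.path.realpath(docroot)
    escaping = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # commonpath equals root only when target is root or below it
            if os.path.commonpath([root, target]) != root:
                escaping.append((path, target))
    return escaping


def build_demo_tree():
    """Construct a sample layout (hypothetical paths under a temp dir):
    <base>/var/www is the DocumentRoot, <base>/home/foo is a user's home.
    """
    base = tempfile.mkdtemp(prefix="symlink-audit-")
    docroot = os.path.join(base, "var", "www")
    home = os.path.join(base, "home", "foo")
    os.makedirs(os.path.join(docroot, "hidden_dir"))
    os.makedirs(home)

    # Constructed sample contents; not a real passwd file.
    Path(home, "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    Path(docroot, "index.html").write_text("<html><body>ok</body></html>\n")

    # The case from the thread: a link inside the DocumentRoot that points
    # at a file the web server should never be serving.
    os.symlink(os.path.join(home, "passwd"),
               os.path.join(docroot, "hidden_dir", "passwd"))
    # A link that stays inside the DocumentRoot and should not be flagged.
    os.symlink(os.path.join(docroot, "index.html"),
               os.path.join(docroot, "hidden_dir", "index.html"))
    return docroot


if __name__ == "__main__":
    root = build_demo_tree()
    for link, target in escaping_symlinks(root):
        print(f"ESCAPES DOCROOT: {link} -> {target}")
```

Run periodically (or from an NFS-side cron job) this gives you a list to act on; pair it with `Options -FollowSymLinks` in the relevant `<Directory>` block if you decide links should never be served from the shared tree. As nate points out, it does nothing about a user who simply copies file contents into their web space, so it addresses the symlink consistency problem, not the disclosure problem.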