Posted to apache-bugdb@apache.org by Jason Riedy <ej...@cise.ufl.edu> on 1997/07/26 02:00:03 UTC
documentation/920: Advise an htaccess file in /...
>Number: 920
>Category: documentation
>Synopsis: Advise an htaccess file in /...
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: doc-bug
>Submitter-Id: apache
>Arrival-Date: Fri Jul 25 17:00:02 1997
>Originator: ejr@cise.ufl.edu
>Organization:
apache
>Release: 25 July, 1996
>Environment:
Doesn't matter, but Solaris 2.5...
>Description:
As http://www.apache.org/docs/mod/core.html#options states, with
FollowSymLinks the directory isn't re-written and compared. Thus,
if a user does something like `ln -s / root' in the right place,
folks can walk the directory tree.
This isn't a big deal for places (like us) which give CGI access, but
your docs advise a <directory /> deny... </directory> clause already.
The User* bit in 1.3 is a nice idea, but a single-line htaccess (deny
from all) is simpler. And some folks here already cross-link in the
file system, so I can't use SymLinksIfOwnerMatch.
Of course, this assumes you allow htaccess files under user directories.
>How-To-Repeat:
>Fix:
Eh, it's not a huge deal. No response necessary, either.
>Audit-Trail:
>Unformatted:
Re: documentation/920: Advise an htaccess file in /...
Posted by Dean Gaudet <dg...@arctic.org>.
On Fri, 25 Jul 1997, Jason Riedy wrote:
> As http://www.apache.org/docs/mod/core.html#options states, with
> FollowSymLinks the directory isn't re-written and compared. Thus,
> if a user does something like `ln -s / root' in the right place,
> folks can walk the directory tree.
That's what SymLinksIfOwnerMatch is intended to deal with.
> And some folks here already cross-link in the
> file system, so I can't use SymLinksIfOwnerMatch.
Why can't the symlink just be changed to be the same uid as the destination
of the link? I use this all the time in my test setups.
Dean
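The settings discussed in the report and in Dean's reply, written out as an added example that is not part of the bug report or of Apache's own documentation. It uses the Apache 1.3-era `Options`/`Order`/`Deny` syntax of the thread (Apache 2.4 expresses the same access rules with `Require all denied` / `Require all granted`); the `/home/*/public_html` layout and the `/home/alice` path are assumptions. The permissive section is left commented out beside its restricted replacement.

```apache
# Permissive (assumed layout, shown commented out): with FollowSymLinks the
# server does not compare the link's owner with the target's, so a user-created
# link such as `ln -s / root` under public_html exposes the whole filesystem.
#<Directory /home/*/public_html>
#    Options FollowSymLinks
#    Order allow,deny
#    Allow from all
#</Directory>

# Restricted: SymLinksIfOwnerMatch follows a link only when the link and its
# target are owned by the same uid, so a user-owned link to the root-owned /
# is refused. AllowOverride Limit lets a per-user .htaccess carry the
# reporter's single-line "deny from all" for a directory that must never be
# served.
<Directory /home/*/public_html>
    Options SymLinksIfOwnerMatch
    AllowOverride Limit
    Order allow,deny
    Allow from all
</Directory>

# Default deny at the filesystem root, as the reporter notes the docs already
# advise: nothing outside an explicitly opened <Directory> is served, even if
# a symlink option is later loosened by mistake.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Dean's workaround for an intentional cross-filesystem link that
# SymLinksIfOwnerMatch would otherwise refuse: give the link itself the
# target's owner (chown -h changes the symlink, not what it points to).
# Assumed example, run by the administrator, not an httpd directive:
#   chown -h alice /home/alice/public_html/shared
```

Because the innermost `<Directory>` section's `Order`/`Allow`/`Deny` settings replace those of the outer one rather than merging with them, the per-user section must re-open access explicitly; otherwise the root-level `Deny from all` applies to user directories as well.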