Posted to apache-bugdb@apache.org by Alan Petersen <al...@finchcomputer.com> on 1998/07/06 21:03:14 UTC

general/2557: apache will not follow symbolic links

>Number:         2557
>Category:       general
>Synopsis:       apache will not follow symbolic links
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Jul  6 12:10:01 PDT 1998
>Last-Modified:
>Originator:     alan@finchcomputer.com
>Organization:
apache
>Release:        1.3.0
>Environment:
SunOS 5.5 Generic sun4m sparc SUNW,SPARCstation-20
compiled with gcc version 2.7.2.2
>Description:
Not sure if this is a security feature or a bug, but when a symbolic
link exists in the document root, Apache will not deliver the file 
requested. In my specific installation, I have the symbolic link
/usr/local/apache/1.3.0/share -> /opt2/www/data
and the DocumentRoot is set to /usr/local/apache/1.3.0/share/htdocs. 
The following appears in the error_log file when one tries to access
any document on the site:

   Symbolic link not allowed: /usr/local/apache/1.3.0/share/htdocs

If a simple change is made such that DocumentRoot is set to
/opt2/www/data/htdocs instead, the pages are delivered as requested and
no errors are generated. This happens whether the FollowSymLinks option is
on or not (for security reasons it is better to have it off).
In any case, it would be nice to be able to change the physical path of the
data (especially when rdisting to several servers) while keeping the logical
path constant (for ease of maintenance). Earlier versions of Apache did not
mind symbolic links in the root parts of the directories.
>How-To-Repeat:

>Fix:
Perhaps the directory_walk routine in http_request.c could 
ignore the server-root part of the directory structure.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
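
Added example, not part of the original report and not Apache code: a Python check that lists which components of a DocumentRoot path are symbolic links, the situation the "Symbolic link not allowed" line in the report points at. It does not reproduce directory_walk; the function names and the temporary directory layout are constructed for illustration.

```python
import os
import sys
import tempfile


def symlink_components(path):
    """Return (prefix, target) for each prefix of `path` that is a symlink.

    Only lstat-style checks are used, so the path is examined as written
    (the logical path), not after resolution.
    """
    path = os.path.abspath(path)  # normalises the text, does not resolve links
    found = []
    current = os.sep
    for part in path.strip(os.sep).split(os.sep):
        current = os.path.join(current, part)
        if os.path.islink(current):
            found.append((current, os.readlink(current)))
    return found


def build_demo(base):
    """Constructed layout mirroring the report, rooted under `base`:
    <base>/apache/share -> <base>/opt2/www/data, with htdocs inside data."""
    physical = os.path.join(base, "opt2", "www", "data")
    os.makedirs(os.path.join(physical, "htdocs"))
    os.makedirs(os.path.join(base, "apache"))
    link = os.path.join(base, "apache", "share")
    os.symlink(physical, link)
    # (logical DocumentRoot via the link, physical DocumentRoot)
    return os.path.join(link, "htdocs"), os.path.join(physical, "htdocs")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        targets = sys.argv[1:]  # real DocumentRoot paths to inspect
    else:
        # realpath() so the temp dir itself contributes no symlinks
        base = os.path.realpath(tempfile.mkdtemp())
        targets = build_demo(base)
    for docroot in targets:
        links = symlink_components(docroot)
        print(docroot, "(no symlinked components)" if not links else "")
        for prefix, target in links:
            print("  symlink:", prefix, "->", target)
```

Run with one or more DocumentRoot paths as arguments to see which ancestor directory is the link; with no arguments it builds and inspects the constructed layout.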