Posted to dev@httpd.apache.org by Roy Fielding <fi...@beach.w3.org> on 1995/08/17 20:17:51 UTC

If owner=root, should Apache follow symlinks?

I know we discussed this a while back, but I was looking at the
code last night and it looks like Apache will not allow root-owned
links to bypass the OPT_SYM_OWNER check.

The change in http_request.c to do this is trivial (I think):

    if (stat (d, &fi) < 0) return FORBIDDEN;

+   if (lfi.st_uid == (uid_t)0) return (OK);   /* root-owned links are OK */
+
    return (fi.st_uid == lfi.st_uid) ? OK : FORBIDDEN;
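
Review bot: The added early return on `lfi.st_uid == (uid_t)0` skips the `fi.st_uid == lfi.st_uid` comparison entirely, so under OPT_SYM_OWNER a root-owned link is followed whatever the owner of its target. If that is the intent, the inline comment and the documentation for the option should say so, because the rule changes from "link and target have the same owner" to "same owner, or the link is owned by root". Placing it after the `stat (d, &fi)` check does keep the requirement that the target is stat-able, and a dangling root-owned link still returns FORBIDDEN.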


[note: I placed it after the stat because I think it should still
       be checking that the destination of the link is stat-able]

However, given that the change is easy, have I missed something else?
Is there a reason I shouldn't do this in the first place?

.....Roy