Posted to users@httpd.apache.org by Emmanuel E <em...@gmx.net> on 2008/04/19 19:50:46 UTC

[users@httpd] Anyone have a clue as to what these race conditions and circumventing are on FollowSymLinks ?

 From the manual

http://httpd.apache.org/docs/2.2/mod/core.html#options

> Omitting this option should not be considered a security restriction,
> since symlink testing is subject to race conditions that make it
> circumventable.

Thanks,
Emmanuel

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Anyone have a clue as to what these race conditions and circumventing are on FollowSymLinks ?

Posted by Joshua Slive <jo...@slive.ca>.
On Sat, Apr 19, 2008 at 1:50 PM, Emmanuel E <em...@gmx.net> wrote:
> From the manual
>
>  http://httpd.apache.org/docs/2.2/mod/core.html#options
>
> > Omitting this option should not be considered a security restriction,
> > since symlink testing is subject to race conditions that make it
> > circumventable.

A symlink can be added/removed/changed between the time that apache
tests for it and the time when apache retrieves the target file. This
means a determined person with local shell access (and some
programming skills) can symlink content into the webspace even if
symlinks are not allowed by the Options directive.

In the end, this is not a serious issue since someone with local shell
access could also simply copy any file they want into the webspace.
But it is important to be aware that symlink restrictions are not
absolute.

Joshua.
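The race Joshua describes is a check-then-use gap: lstat() says "not a symlink", then a separate open() follows the path, and the directory entry can change in between. The following C program is an added illustration, not httpd's code; the helper names (open_checked_racy, open_path_nofollow, make_fixture, demo_results) and the document tree it builds under /tmp are constructed for the example. It contrasts the racy pattern with a race-free one that walks the path component by component using openat() with O_NOFOLLOW, so the kernel refuses a symlink atomically instead of the program testing for one beforehand.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-open: lstat() and open() are separate system calls, so the
 * entry can be swapped for a symlink between them. Kept for contrast. */
int open_checked_racy(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0)
        return -1;
    if (S_ISLNK(st.st_mode)) {
        errno = ELOOP;                 /* refuse symlinks, as omitting FollowSymLinks intends */
        return -1;
    }
    /* race window: 'path' may have become a symlink by now */
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Race-free alternative (hypothetical helper): open each component of 'rel'
 * relative to 'root' with O_NOFOLLOW. Returns an fd, or -1 with errno set
 * (ELOOP when any component is a symlink). */
int open_path_nofollow(const char *root, const char *rel)
{
    char buf[4096];
    if (strlen(rel) >= sizeof buf) {
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(buf, rel);

    int dirfd = open(root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0)
        return -1;

    char *save = NULL;
    for (char *comp = strtok_r(buf, "/", &save); comp; comp = strtok_r(NULL, "/", &save)) {
        if (strcmp(comp, "..") == 0) {  /* simplification: never climb above root */
            close(dirfd);
            errno = EACCES;
            return -1;
        }
        int next = openat(dirfd, comp, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        int saved = errno;
        close(dirfd);
        if (next < 0) {
            errno = saved;
            return -1;
        }
        dirfd = next;
    }
    return dirfd;                      /* fd of the final component */
}

/* Constructed fixture: root/index.html, root/sub/page.html (regular files),
 * root/leak -> index.html and root/linkdir -> sub (symlinks). */
int make_fixture(char *root, size_t rootlen)
{
    char tmpl[] = "/tmp/nofollow-demo.XXXXXX";
    char p[4096];
    if (!mkdtemp(tmpl) || strlen(tmpl) >= rootlen)
        return -1;
    strcpy(root, tmpl);

    snprintf(p, sizeof p, "%s/sub", root);
    if (mkdir(p, 0755) < 0) return -1;
    const char *files[] = { "index.html", "sub/page.html" };
    for (size_t i = 0; i < 2; i++) {
        snprintf(p, sizeof p, "%s/%s", root, files[i]);
        int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0644);
        if (fd < 0) return -1;
        if (write(fd, "<html>ok</html>\n", 16) < 0) { close(fd); return -1; }
        close(fd);
    }
    snprintf(p, sizeof p, "%s/leak", root);
    if (symlink("index.html", p) < 0) return -1;
    snprintf(p, sizeof p, "%s/linkdir", root);
    return symlink("sub", p);
}

/* Run both openers against the fixture; bit set = expected outcome seen.
 * All five expected outcomes give 31. */
int demo_results(void)
{
    char root[1024], p[4096];
    int mask = 0, fd;
    if (make_fixture(root, sizeof root) < 0)
        return -1;
    if ((fd = open_path_nofollow(root, "index.html")) >= 0)    { mask |= 1; close(fd); }
    if ((fd = open_path_nofollow(root, "sub/page.html")) >= 0) { mask |= 2; close(fd); }
    if (open_path_nofollow(root, "leak") < 0 && errno == ELOOP)              mask |= 4;
    if (open_path_nofollow(root, "linkdir/page.html") < 0 && errno == ELOOP) mask |= 8;
    snprintf(p, sizeof p, "%s/leak", root);
    /* with no concurrent writer the racy check still holds; the point is that it need not */
    if (open_checked_racy(p) < 0 && errno == ELOOP) mask |= 16;
    return mask;
}

int main(void)
{
    int r = demo_results();
    printf("result mask: %d (expected 31)\n", r);
    return r == 31 ? 0 : 1;
}
```

The nofollow walk gives the same policy the Options directive is trying to express, "serve nothing reached through a symlink", but enforced by the kernel at the moment of the open rather than by a prior test, so a concurrent rename or symlink() cannot slip between the two. It does not change Joshua's conclusion: a user who can write into the webspace can still copy files there, so the symlink rule is a hygiene measure rather than a trust boundary. The fixture directory is left under /tmp for inspection.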
