Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1997/11/14 10:09:59 UTC

symlink "protection"

I'm not particularly enamoured of symlink protection because it's so hard
to do right... and it's not really something a program should have to do. 
But it just occurred to me that for many folks it'd be sufficient to have
"device number" protection.  That is, you only allow content to be served
from a particular device on your system; and that device is definitely not
the same as the / partition.

So a cute trick would be to have an allowable set of st_dev values from
the stat() call.  The following rules could be implemented:

- no device traversal

- traversal only to an allowable set

- no traversal, just check the final st_dev value and make sure it's in a
  particular set

The latter is nice and cheap, and can be done with a module in our current
API. 

Dean
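
The third rule from the message above (check only the final st_dev against an allowed set), as an added example in C that is not part of the original post and is not Apache code. The function names and the command-line form are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Return 1 if dev is one of the n allowed device numbers, else 0. */
static int dev_in_set(dev_t dev, const dev_t *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == dev)
            return 1;
    return 0;
}

/*
 * stat() follows symlinks, so st_dev describes the object that would
 * actually be served, wherever the links in the path point.
 * Fail closed: a path that cannot be stat()ed is denied.
 */
static int final_dev_allowed(const char *path, const dev_t *allowed, size_t n)
{
    struct stat sb;
    if (stat(path, &sb) != 0)
        return 0;
    return dev_in_set(sb.st_dev, allowed, n);
}

/* Hypothetical convenience: allow only the device holding content_root. */
static int on_content_device(const char *path, const char *content_root)
{
    struct stat root;
    if (stat(content_root, &root) != 0)
        return 0;
    return final_dev_allowed(path, &root.st_dev, 1);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <content-root> <path>\n", argv[0]);
        return 2;
    }
    int ok = on_content_device(argv[2], argv[1]);
    printf("%s: %s\n", argv[2], ok ? "allowed" : "denied (wrong device)");
    return ok ? 0 : 1;
}
```

The check and the later open() are separate system calls, so the path can change between them; calling fstat() on the descriptor that is actually opened and testing its st_dev avoids that gap.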