httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 45959] New: SSI include ignores SymlinkIfOwnerMatch directive
Date Tue, 07 Oct 2008 01:56:01 GMT

           Summary: SSI include ignores SymlinkIfOwnerMatch directive
           Product: Apache httpd-2
           Version: 2.2.8
          Platform: Sun
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_include

I'm running Apache 2.2.8, configured with SymlinkIfOwnerMatch and
server-side includes enabled.

It looks like the server-side include "include" directive ignores the
setting of SymlinkIfOwnerMatch?

For example, let's say I have an htpasswd configuration file outside of
the document root:

-rw-r-----   1 root     webservd       7 Oct  3 14:00

If I then make a symbolic link to that from a user account:

lrwxrwxrwx   1 henson   csupomona      27 Oct  3 14:01
/user/henson/www/pass.html -> /usr/pkg/etc/httpd/htpasswd

Access is forbidden, with the following message in the log file:

[Fri Oct 03 14:01:51 2008] [error] [client] Symbolic link
allowed or link target not accessible: /export/user/henson/www/pass.html

However, if I create a server parsed HTML file in the same directory
containing the following:

        <!--#include file="pass.html" -->

When I request the .shtml file, the contents of the file pointed to by
symbolic link are included.

I had thought that configuring server side includes with IncludesNoExec
was reasonably safe, but it would appear that such a configuration allows
any file readable by the web server itself to be served?

I took a look at mod_include.c, the include directive appears to be handled
by the handle_include function which calls either ap_sub_req_lookup_file or
ap_sub_req_lookup_uri depending on whether the include is file or
virtual, and then calls ap_run_sub_req to presumably handle dumping out the
content of the include.

As a sub request, I would have intuitively thought it would honor the
configuration setting regarding symbolic links?

Am I confused? Is there something wrong with my configuration? Is this an
expected behavior (I searched quite a bit and didn't find anything
relevant)? I also posted to the mailing list last week:

And didn't receive any responses that really answered my questions.

Thanks much for any help...

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message