httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 52683] New: add a symlink option that rechecks the access permission with the resolved symlink
Date Thu, 16 Feb 2012 15:50:56 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=52683

             Bug #: 52683
           Summary: add a symlink option that rechecks the access
                    permission with the resolved symlink
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: calestyo@scientia.net
    Classification: Unclassified


Hi.

The Options directive provides currently two parameters to allow following
symbolic links.
Both are rather dangerous in that the (more or less) just allow the access,
without checking any <Directory>/<File> (+ their regexp variants) blocks again.

So even if I have
<Diretory />
  Order allow, deny
  Deny from all
</Directory>

Access to e.g. /etc/shadow is granted if there's a directory the contains a
symlink to this and hast symlinks allowed.


Now one can always argue, that it's the users fault if such things happens, but
even the sysadmin can accidentally create symlinks that endanger somehow
security and he doesn't notice this immediately.

As this is a long years deficiency of Apache I suggest adding a third symlink
argument to the Options directive, which enables followin symlinks, but first
resolves them (i.e. what readlink -f does) and checks the resulting file
against all access directives.

As this is probably slower, that other two options deserve to stay in place,
for those who are happy enough with them.

Cheers,
Chris.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message