httpd-dev mailing list archives

From Roy Fielding
Subject If owner=root, should Apache follow symlinks?
Date Thu, 17 Aug 1995 18:17:51 GMT

I know we discussed this a while back, but I was looking at the
code last night and it looks like Apache will not allow root-owned
links to bypass the OPT_SYM_OWNER check.

The change in http_request.c to do this is trivial (I think):

    if (stat (d, &fi) < 0) return FORBIDDEN;

+   if (lfi.st_uid == (uid_t)0) return (OK);   /* root-owned links are OK */
    return (fi.st_uid == lfi.st_uid) ? OK : FORBIDDEN;
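
Review bot: the added `lfi.st_uid == (uid_t)0` test returns OK without ever looking at `fi.st_uid`, so with this line a root-owned link passes the owner check whatever the owner of its target. That widens what OPT_SYM_OWNER enforces, and the comment "root-owned links are OK" should say so and give the reason, with the same statement made wherever the option is documented. A style point on the same line: `return (OK);` uses parentheses where the neighbouring `return FORBIDDEN;` does not, so `return OK;` would match.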

[note: I placed it after the stat because I think it should still
       be checking that the destination of the link is stat-able]

However, given that the change is easy, have I missed something else?
Is there a reason I shouldn't do this in the first place?

