httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: arctic.patch
Date Fri, 27 Mar 1998 08:53:38 GMT


On Thu, 26 Mar 1998, Brian Behlendorf wrote:

> I've never understood the "security" of SymLinksIfOwnerMatch.  If the
> target of a symlink was viewable by the web server, it's probably also
> viewable by Joe Malicious User, who could just copy the file into their own
> tree.  

Oh and another case to consider is when your web server is a machine that
your users can't log into.  They can only affect it via NFS... in that
case symlinks and such would give them access to stuff they don't
otherwise have access to. 

But even still, I'm a lot happier with mod_allowdev as a solution to this. 

Dean
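The two policies discussed in this thread, side by side, as an added example that is not part of the message or of Apache's source: `owner_match_ok` is the kind of comparison `SymLinksIfOwnerMatch` implies, and `device_ok` assumes that a device-based check such as mod_allowdev compares the resolved file's `st_dev` against an allow list. All function names and the temp-directory fixture are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Owner-match policy: follow a symlink only when the link and its target
 * have the same owner. Non-links pass. Returns 1 = allow, 0 = deny. */
int owner_match_ok(const char *path)
{
    struct stat lnk, tgt;
    if (lstat(path, &lnk) != 0) return 0;
    if (!S_ISLNK(lnk.st_mode)) return 1;
    if (stat(path, &tgt) != 0) return 0;      /* dangling link: deny */
    return lnk.st_uid == tgt.st_uid;
}

/* Device policy (assumed model): allow only when the resolved file lives
 * on one of the listed devices, whoever owns the link or the target. */
int device_ok(const char *path, const dev_t *allowed, size_t n)
{
    struct stat tgt;
    if (stat(path, &tgt) != 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (tgt.st_dev == allowed[i]) return 1;
    return 0;
}

/* Constructed fixture: a temp "docroot" holding a file and a symlink to it. */
int make_fixture(char *link_path, size_t len, dev_t *docroot_dev)
{
    char dir[] = "/tmp/symchkXXXXXX", target[64];
    struct stat st;
    FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target.html", dir);
    snprintf(link_path, len, "%s/link.html", dir);
    if (!(f = fopen(target, "w"))) return -1;
    fclose(f);
    if (symlink(target, link_path) != 0 || stat(dir, &st) != 0) return -1;
    *docroot_dev = st.st_dev;
    return 0;
}

int main(void)
{
    char link_path[64]; dev_t dev;
    if (make_fixture(link_path, sizeof link_path, &dev) != 0) return 1;
    printf("owner match: %d, device allowed: %d\n",
           owner_match_ok(link_path), device_ok(link_path, &dev, 1));
    return 0;
}
```

Both checks stat the path before the file is opened, so a link swapped between check and open is not caught by either.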

