httpd-dev mailing list archives

From "Ralf S. Engelschall" <...@engelschall.com>
Subject FollowSymLinks and Security with default config?
Date Mon, 06 Jul 1998 11:10:14 GMT

A friend of mine yesterday stumbled over the 1.3.0 problem where FollowSymLinks
was not enabled for / and thus a symlink between / and his DocRoot caused
problems for him.  I said to him, we already fixed this for 1.3.1 by now
having "Options Indexes FollowSymLinks" in <Directory />.  He answered: "And a
-FollowSymLinks in <Directory DocRoot>, of course. Yes?". And then I had to
answer "Aehhhh....hmmmmm".

The point he wanted to address was that we also have "Options Indexes
FollowSymLinks" in the <Directory DocRoot> section and this means that one can
place symlinks there to access secure resources. Correct? Ok, usually because
of Unix filesystem permissions only the webmaster accesses and can/should
access the DocRoot hierarchy. But our current setup also allows now symlinks
per default in the User homedir hierarchies. And this is usually not what is
considered secure per default, isn't it?

Either I'm confused by the whole FollowSymLinks stuff and/or I'm missing something?

If I'm not confused I think we should add perhaps a <LocationMatch "^/~.+">
section which removes the FollowSymLink option for user dirs per default.
Because I've just tried Apache 1.3.1-dev with our default config and I
just had to create a symlink ~rse/public_html/passwd -> /etc/passwd and I was
able to fetch /etc/passwd via URL /~rse/passwd. IMHO I think this way the
default config is not what others consider secure...

Opinions?
                                       Ralf S. Engelschall
                                       rse@engelschall.com
                                       www.engelschall.com
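The configuration change discussed in the message, shown as an added example (this is not the message's own text nor the config shipped by the Apache project). It assumes a DocumentRoot of /var/www/htdocs and user directories under /home/*/public_html via mod_userdir; both paths are placeholders. The weak default from the message is kept as comments beside the hardened form, which uses <Directory> sections rather than the <LocationMatch "^/~.+"> suggested above, because symlink checks are evaluated against the filesystem path.

```apache
# Added example, not the Apache project's distributed config.
# Assumed (placeholder) paths: DocumentRoot /var/www/htdocs,
# per-user directories /home/<user>/public_html served as /~<user>/.
UserDir public_html
DocumentRoot /var/www/htdocs

# --- Weak default described in the message (kept here only for contrast) ---
# Every directory below / inherits FollowSymLinks, so a user-created link
# ~rse/public_html/passwd -> /etc/passwd is served as /~rse/passwd.
#
# <Directory />
#     Options Indexes FollowSymLinks
#     AllowOverride None
# </Directory>

# --- Hardened form ---
# Nothing is followed by default anywhere in the filesystem.
<Directory />
    Options None
    AllowOverride None
</Directory>

# Only the webmaster writes to DocumentRoot, so symlinks are acceptable there.
<Directory /var/www/htdocs>
    Options Indexes FollowSymLinks
</Directory>

# User directories: follow a link only when link and target share an owner.
# A user's link to root-owned /etc/passwd is refused (403); a link to the
# user's own files still works.  AllowOverride deliberately omits "Options"
# so a user cannot re-enable FollowSymLinks from a .htaccess file.
<Directory /home/*/public_html>
    Options -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig Limit
</Directory>
```

Two caveats a practitioner should keep in mind. SymLinksIfOwnerMatch makes Apache lstat() every path component below that directory on each request, which costs some performance. More importantly, the Apache documentation itself notes that symlink testing is subject to a race between the check and the open, so omitting FollowSymLinks is a sensible default but not a substitute for filesystem permissions that keep untrusted users from writing into served trees.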
