httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: FollowSymLinks and Security with default config?
Date Mon, 06 Jul 1998 17:10:52 GMT


On Mon, 6 Jul 1998, Ralf S. Engelschall wrote:

> A friend of mine yesterday stumbled over the 1.3.0-problem where FollowSymLinks
> was not enabled for / and thus a symlink between / and his DocRoot caused
> problems for him.  I said to him, we already fixed this for 1.3.1 by now
> having "Options Indexes FollowSymLinks" in <Directory />.  He answered: "And a
> -FollowSymLinks in <Directory DocRoot>, of course. Yes?". And then I had to
> answer "Aehhhh....hmmmmm".

The change makes the 1.3.1 config compatible with the pre-1.3.0 configs.
Without "FollowSymLinks" Apache runs way slow.

Symlink "protection" is just plain broken and problematic.  It's way
confusing to have Apache not rewrite the path when it follows a link...
and it's a performance pain to be stat()ing every single path component.

mod_allowdev is far safer and easier to use in my opinion. 

Dean

