httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lars Eilebrecht <Lars.Eilebre...@unix-ag.org>
Subject RE: FollowSymLinks and Security with default config?
Date Mon, 06 Jul 1998 16:38:16 GMT
According to Ralf S. Engelschall:
  
>  The point he wanted to address was that we also have "Options Indexes
>  FollowSymLinks" in the <Directory DocRoot> section and this means that one
>  can place symlinks there to access secure resources. Correct? Ok, usually
>  because of Unix filesystem permissions only the webmaster accesses and
>  can/should access the DocRoot hierarchy. But our current setup also allows
>  now symlinks per default in the User homedir hierarchies. And this is
>  usually not what is considered secure per default, isn't it?

The question is: Should it be secure by default?
If yes (and we remove FollowSymLinks from the <Directory /> section)
we will see more and more of those 'symlink problem' posts on
Usenet and in our bug database.
If we ship 1.3.1 with FollowSymLinks enabled people won't have
any trouble, but a lot may not notice that FollowSymLinks is in some
situations a bad idea rsp. a security problem.

I would prefer it to ship 1.3.1 with "Options None" in the <Directory />
section and let the admin learn the FollowSymLinks option the hard way.
Of course then we should add a big note to access.conf.

[...]
>  If I'm not confused I think we should add perhaps a <LocationMatch "^/~.+">
>  section which removes the FollowSymLink option for user dirs per default.

Uhm, you cannot use "Options FollowSymLinks" inside a <Location(Match)>
directive.

>  Because I've currently tried Apache 1.3.1-dev with our default config and I
>  just had to create a symlink ~rse/public_html/passwd -> /etc/passwd and I
>  was  able to fetch /etc/passwd via URL /~rse/passwd. IMHO I think this way
>  the default config is not what others consider secure...

So what? This was possible with all old default configs (prior to 1.3.0).
Correct me if I'm wrong, but if you remove the entire <Directory /> section
Apache will happily follow symlinks if they are enabled in the source
directory (DocumentRoot).


P.S.: Use shadow passwords ;-)

ciao...
-- 
Lars Eilebrecht                        - Do not drink coffee in early A.M.
sfx@unix-ag.org                       - It will keep you awake until noon.
http://www.home.unix-ag.org/sfx/


Mime
View raw message