httpd-docs mailing list archives

From "Christopher Drost" <chris.dros...@gmail.com>
Subject Re: v. 2.2 Documentation errors? (in mod/core.html#options and misc/security_tips.html#protectserverfiles)
Date Sat, 13 Dec 2008 17:54:12 GMT
>
> I wrote the note about FollowSymLinks not being a security restriction
> based on some bug reports and a response (by Roy, if I remember
> correctly) stating that nobody should expect FollowSymLinks to be
> secure in the first place. Since the docs implied otherwise, I changed
> the docs.
>
> You are most likely correct that the race conditions are "relatively"
> hard to exploit. But the "relatively" is very difficult to quantify.
> So if you don't really know what you are doing, you shouldn't expect
> to be protected by turning off symlinks. If you know what you are
> doing, then you should understand the limits implied by the statement
> in the docs without further explanation. We aren't going to include a
> treatise on symlink race conditions in the Options docs.
>
> Yes, omitting FollowSymLinks is a perfectly valid way of preventing
> you from accidentally shooting yourself in the foot. But I don't
> consider that to be a security restriction.
>
> Joshua.

Fair enough; we differ on what we consider a "security restriction,"
and that's fine by me. But if you remember where you found them, might
we at least link to the bug reports?

--Chris
