httpd-users mailing list archives

From "Joshua Slive" <>
Subject Re: [users@httpd] Re: Apache Security Problem
Date Thu, 15 May 2008 13:51:54 GMT
On Thu, May 15, 2008 at 3:36 AM, Andre Hübner <> wrote:

> Sorry, I think I didn't verbalize it clearly enough.  ;)
> The essence is the following: the way of creating a symlink is irrelevant. In most
> cases this is a script, but a symlink is also creatable by just unpacking an
> archive with symlinks that point to other users' files.
> Symlinks are very flexible and can even point to themselves. A symbolic link in the
> filesystem is always created, even if the target has too few permissions or does
> not exist. In these cases the link is just dead for the cgi-user that
> created it. But the link is not dead for the apache user. If we consider that the other
> file is readable for apache because it is part of the website, then apache serves the
> content of the other user's file. Apache seems in this case just to check whether
> source and target of the symlink are readable for the apache user and serves the file if
> so. I can decrease the chmod of the target file, but if it also should be served
> by apache, the group of the file has to be the apache group and we have the case
> that it is still readable.
> I cannot stop the creation of symlinks by script or other ways. I could activate
> SymLinksIfOwnerMatch, but the user could change this with their own .htaccess because I
> grant AllowOverride All in httpd.conf.
> Decreasing the AllowOverride level to remove the Options group is a really big step
> because it would also remove further helpful things.
> Hmm, the best way would be to activate SymLinksIfOwnerMatch without removing
> the whole Options directive.
> Now I have:
> <Directory "/my/path">
> AllowOverride FileInfo AuthConfig Limit Indexes
> Options ExecCGI Includes MultiViews Indexes SymLinksIfOwnerMatch
> </Directory>
> and symlinks to other users' files are not permitted. But on the other hand
> every .htaccess which uses the Options, php_flag or php_value directives (maybe
> more) runs into a 500 Error :(

You can restrict particular options using the technique shown here:

But I have a feeling that there are other ways around your separation.
It depends on exactly the details of how you are running your scripts.
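One way to apply the kind of restriction Joshua refers to, as an added example that is not from the thread: httpd 2.2 accepts `AllowOverride Options=value,...`, which keeps the Options override class available to .htaccess (so php_flag/php_value, which need that class, keep working) but only for the listed values. It assumes httpd 2.2 or later and the `/my/path` directory from the quoted config.

```apache
# Added example, not the poster's config. Assumes httpd 2.2+ and /my/path.

# Weak: AllowOverride All lets any per-user .htaccess say "Options +FollowSymLinks",
# which replaces the owner check and lets httpd follow a link into another user's files.
<Directory "/my/path">
    AllowOverride All
    Options ExecCGI Includes MultiViews Indexes SymLinksIfOwnerMatch
</Directory>

# Hardened: the Options override class stays enabled, but a .htaccess may only set
# the comma-separated (no spaces) values after "Options=". FollowSymLinks is not
# in the list, so "Options FollowSymLinks" in a .htaccess is refused (500, logged in
# the error log), while Options Indexes, MultiViews, php_flag and php_value still work.
# List only the values users really need; each one listed is user-toggleable.
<Directory "/my/path">
    AllowOverride FileInfo AuthConfig Limit Indexes Options=ExecCGI,Includes,MultiViews,Indexes,SymLinksIfOwnerMatch
    Options ExecCGI Includes MultiViews Indexes SymLinksIfOwnerMatch
</Directory>

# Caveat from the httpd docs: the SymLinksIfOwnerMatch test is done with a separate
# stat before the open, so it is subject to race conditions and is not a hard
# security boundary; per-user script isolation (what Joshua hints at) is the real fix.
```

After reloading, confirm with a test .htaccess containing `Options FollowSymLinks` that the request now fails and the error log names the disallowed option.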


The official User-To-User support forum of the Apache HTTP Server Project.
