httpd-users mailing list archives

From "Nilesh Govindrajan" <li...@itech7.com>
Subject Re: [users@httpd] SSI/server-side includes and symbolic links/SymlinkIfOwnerMatch
Date Sat, 04 Oct 2008 05:13:22 GMT
If you are not using RewriteRules then in .htaccess write

Options -FollowSymLinks

This will disable the working of RewriteRules also!

If you are using RewriteRules, create a symlink and using FilesMatch specify
the above option for the symlink name.

On Sat, Oct 4, 2008 at 8:10 AM, Paul B. Henson <henson@acm.org> wrote:

> On Fri, 3 Oct 2008, Nilesh Govindrajan wrote:
>
> > /usr/pkg/etc/httpd/htpasswd owner is root and Apache runs as daemon /
> > whatever you set in User directive. So it's obviously not going to work
> > with SymlinkIfOwnerMatch. You need FollowSymLinks in Options.
>
> I don't think you understand my problem/question.
>
> I don't want the symlink followed.
>
> The problem is that SSI successfully follows the symlink when I think it
> shouldn't.
>
> > On Sat, Oct 4, 2008 at 2:52 AM, Paul B. Henson <henson@acm.org> wrote:
> >
> >       I'm running Apache 2.2.8, configured with SymlinkIfOwnerMatch and
> >       server-side includes enabled.
> >
> >       It looks like the server-side include "include" directive ignores
> >       the setting of SymlinkIfOwnerMatch?
> >
> >       For example, let's say I have an htpasswd configuration file
> >       outside of the document root:
> >
> >       -rw-r-----   1 root     webservd       7 Oct  3 14:00 /usr/pkg/etc/httpd/htpasswd
> >
> >       If I then make a symbolic link to that from a user account:
> >
> >       lrwxrwxrwx   1 henson   csupomona      27 Oct  3 14:01 /user/henson/www/pass.html -> /usr/pkg/etc/httpd/htpasswd
> >
> >       Access is forbidden, with the following message in the log file:
> >
> >       [Fri Oct 03 14:01:51 2008] [error] [client 134.71.248.12] Symbolic link not allowed or link target not accessible: /export/user/henson/www/pass.html
> >
> >       However, if I create a server parsed HTML file in the same
> >       directory containing the following:
> >
> >              <!--#include file="pass.html" -->
> >
> >       When I request the .shtml file, the contents of the file pointed
> >       to by the symbolic link are included.
> >
> >       I had thought that configuring server side includes with
> >       IncludesNoExec was reasonably safe, but it would appear that such
> >       a configuration allows any file readable by the web server itself
> >       to be served?
> >
> >       I took a look at mod_include.c, the include directive appears to
> >       be handled by the handle_include function which calls either
> >       ap_sub_req_lookup_file or ap_sub_req_lookup_uri depending on
> >       whether the include is file or virtual, and then calls
> >       ap_run_sub_req to presumably handle dumping out the content of
> >       the include.
> >
> >       As a sub request, I would have intuitively thought it would honor
> >       the configuration setting regarding symbolic links?
> >
> >       Am I confused? Is there something wrong with my configuration? Is
> >       this an expected behavior (I searched quite a bit and didn't find
> >       anything relevant)?
> >
> >       Thanks much for any help...
> >
> >       --
> >       Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
> >       Operating Systems and Network Analyst  |  henson@csupomona.edu
> >       California State Polytechnic University  |  Pomona CA 91768
> >
> >       ---------------------------------------------------------------------
> >       The official User-To-User support forum of the Apache HTTP Server Project.
> >       See <URL:http://httpd.apache.org/userslist.html> for more info.
> >       To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >         "   from the digest: users-digest-unsubscribe@httpd.apache.org
> >       For additional commands, e-mail: users-help@httpd.apache.org
>
> --
> Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
> Operating Systems and Network Analyst  |  henson@csupomona.edu
> California State Polytechnic University  |  Pomona CA 91768

-- 
Nilesh Govindrajan (nilesh@itech7.com)

iTech7 Site and Server Administrator

www.itech7.com
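
Added example (not part of the original thread, and not Apache's own code): an audit for the situation Paul describes, where the SSI include returned the target of a symlink that a direct request refused. It lists symlinks under a web directory whose target has a different owner than the link, which is the comparison SymLinksIfOwnerMatch is documented to make, or whose target resolves outside the directory. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile


def audit_symlinks(docroot):
    """List symlinks under docroot that leave it, change owner, or dangle."""
    root = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            reasons = []
            # Target resolves outside the tree being served.
            if os.path.commonpath([root, target]) != root:
                reasons.append("outside-docroot")
            try:
                # lstat() describes the link itself, stat() its final target.
                if os.lstat(link).st_uid != os.stat(link).st_uid:
                    reasons.append("owner-mismatch")
            except OSError:
                reasons.append("dangling-or-unreadable")
            if reasons:
                findings.append((os.path.relpath(link, root), target, reasons))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: a web directory plus a stand-in htpasswd outside it."""
    docroot = os.path.join(base, "www")
    os.makedirs(docroot)
    secret = os.path.join(base, "htpasswd")
    page = os.path.join(docroot, "index.html")
    for path in (secret, page):
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
    os.symlink(secret, os.path.join(docroot, "pass.html"))  # leaves the tree
    os.symlink(page, os.path.join(docroot, "home.html"))    # stays inside
    os.symlink(os.path.join(base, "missing"), os.path.join(docroot, "gone.html"))
    return docroot


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for link, target, reasons in audit_symlinks(build_sample_tree(base)):
            print(f"{link} -> {target}: {', '.join(reasons)}")
```

Run as root against the real user web directories, the owner-mismatch check sees every target regardless of file permissions.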
