www-apache-bugdb mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: mod_access/3480: <Directory> directive acting strange (fwd)
Date Fri, 04 Dec 1998 06:30:01 GMT
The following reply was made to PR mod_access/3480; it has been noted by GNATS.

From: Marc Slemko <marcs@znep.com>
To: Apache bugs database <apbugs@apache.org>
Cc:
Subject: Re: mod_access/3480: <Directory> directive acting strange (fwd)
Date: Thu, 3 Dec 1998 22:19:10 -0800 (PST)

 ---------- Forwarded message ----------
 Date: Thu, 03 Dec 1998 00:01:28 +0100
 From: Jean-Marie de Boer <sentient@pulse.nl>
 To: marc@apache.org
 Subject: Re: mod_access/3480: <Directory> directive acting strange
 
 > As the docs say, if you enable the following of sym links
 > (see the Options directive) then symbolic links will be
 > followed.  They are NOT treated as the "real" path, but
 > as the "virtual" path.  ie. a link from /foo/bar/whee
 > to /whee will be treated as being /foo/bar/whee and
 > not /whee.
 
 Hello Marc,
 
 thanks for the reply. All of you make a great product.
 Still, I am wondering about this section on security, taken from
 http://www.apache.org/docs/misc/security_tips.html:
 
 For instance, consider the following example: 
 
    1. # cd /; ln -s / public_html
    2. Accessing http://localhost/~root/
 
 This would allow clients to walk through the entire filesystem. To work
 around this, add the following block to your server's configuration: 
 
 <Directory />
      Order deny,allow
  etc.
 
 I am confused. In this example, public_html is a symlink, right? I can
 see that the example would close off /public_html and therefore / but it
 is not clear. A symlink has to be made to create this dangerous
 situation, and the solution does not prevent danger from symlinks.
 
 I do have another question on the same subject, if that's okay.
 I created a perl script which outputs a file from my /etc directory.
 (It's just a test you understand)
 This file resides in the scriptaliased cgi-bin of the (named) virtual
 host using these directives, and is being called via the webserver.
 The file from /etc is displayed.
 
 Am I correct in assuming that this is because the output is generated by
 the perl interpreter, and apache sees it as coming from the allowed
 space? Would mod_perl have the same behaviour?
 
 Thanks for your time.
 
 Best regards,
 Jean-Marie de Boer
 Pulse.interactive
 -- 
 If you think you have everything under control, you're not driving fast
 enough - Alain Prost
 
 ***********************************************
 Get my public pgp key from:
 http://sentient.pulse.nl/sentient_pgp_key.asc
 ***********************************************
 

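Added example (not from the bug report or the Apache docs): a POSIX shell audit that lists every symlink under a web tree which resolves to a location outside that tree, the situation the security tips' `ln -s / public_html` example describes. It assumes GNU `readlink -f`; the demo tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Audit a document tree for symlinks that escape it. Apache only follows
# such links when Options FollowSymLinks is on (SymLinksIfOwnerMatch or
# -FollowSymLinks refuses them), and a default-deny <Directory /> block
# keeps the link's virtual path from matching any allowed section; this
# script finds the links themselves so the filesystem side can be cleaned up.

# find_escaping_symlinks ROOT
# Prints "link -> resolved target" for each symlink under ROOT whose fully
# resolved target lies outside ROOT. Dangling links are reported too.
find_escaping_symlinks() {
    root=$(cd "$1" && pwd -P) || return 2
    # find does not descend through symlinks, so a link to / is listed once.
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link")        # GNU readlink: canonical path
        case "$target" in
            "$root"|"$root"/*) ;;            # stays inside the tree: fine
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# count_escaping_symlinks ROOT: number of escaping links, no padding.
count_escaping_symlinks() {
    find_escaping_symlinks "$1" | awk 'END { print NR }'
}

# Constructed demo tree: one harmless in-tree link and one link to /,
# mirroring the "ln -s / public_html" case. Prints the escaping-link count.
demo_escaping_symlinks() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/htdocs/docs"
    echo "hello" > "$tmp/htdocs/docs/index.html"
    ln -s "$tmp/htdocs/docs" "$tmp/htdocs/docs-alias"   # inside the tree
    ln -s / "$tmp/htdocs/public_html"                   # escapes to /
    n=$(count_escaping_symlinks "$tmp/htdocs")
    rm -rf "$tmp"
    echo "$n"
}
```

Run `find_escaping_symlinks /usr/local/apache/htdocs` (or each UserDir) against a real tree; an empty listing means no link leads outside it.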