www-mirrors mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dean Gaudet <dgaudet-list-apache-mirr...@arctic.org>
Subject Re: Mirroring apache using rsync
Date Sun, 12 Jul 1998 19:09:47 GMT

On Sat, 11 Jul 1998, Wojtek Sylwestrzak wrote:

> we are running hundreds of mirrors, and most of them use symlinks internally,
> so we cannot ignore this. On the other hand, we make them all accessible
> with httpd that follows symlinks. We are being quite naive here :-(

Incidentally, if you don't enable "Options FollowSymLinks" then that'll
give you some amount of protection, but at the expense of cpu/system time. 
Your mirrors probably all live on dedicated partitions -- or on non-root
partitions.  So you could take a look at mod_allowdev
<http://www.arctic.org/~dgaudet/apache/1.3/mod_allowdev.c>.  I'll include
the comments from the code below. 



Why do you want this?  Let me put it this way:  the symlink protection
options (FollowSymLinks and SymLinksIfOwnerMatch) are lame in many

- They're slow, they require a component by component stat()
    and/or lstat().

- They're hard to get correct because apache won't readlink() so it
    doesn't rewrite the destination.  This can lead to situations
    where you thought you had protected a filesystem, but you
    really hadn't because a symlink may let the user into it.

- They're overkill.  Frequently all you're trying to do is to protect
    /etc from being served, and frequently /etc is on a partition that
    users' files are not on (if not you've got other problems, see
    a book on unix security).

There's an easier way to do this.  We just tell Apache what *devices*
we are willing to serve files from.  That's what this module does.



Usage: Stick an appropriate "AddModule modules/extra/mod_allowdev.o"
directive at the very bottom of your src/Configuration file, rebuild.

Static mount points:  This probably covers most internet servers.
You list all the mount points that have content you wish to serve
on the net like this:

    AllowDev /mount-point1 /mount-point2 ...

For example, "AllowDev /var" would allow any file on the /var device
to be served.  Note that, for example, "AllowDev /var/foo" where foo
is not a mount point, probably doesn't do what you expect.  This case
too would allow all files on /var to be served.

Dynamic mount points:  This probably covers most intranet servers.

    AllowDevDynamic regex subst

If the file to be served matches regex, then perform subst.  The
resulting path must be on the same device as the file served.  For

    AllowDevDynamic /home/([^/]*)/public_html /home/$1

Says that if a file /home/userid/public_html/foobar is to be served, then
its device must match /home/userid.


View raw message