Bugtraq mailing list archives
httpd symlinks, was Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
From: martinh () paston co uk (Martin Hargreaves)
Date: Sat, 2 Sep 1995 14:37:17 +0100
Panzer (panzer () dhp com) wrote:
> OB BugTraq, does a user making a "~/public_html/root_dir -> /" link do what you think it does on your web server? Maybe this isn't a hot idea... Even worse if you NFS-mount users' pages via a web server that does other tasks also...
I think this list went over this problem a few months ago, the consensus being that if you don't trust your users then this is one of many ways they can compromise your system. I believe that with NCSA httpd (at least on 1.3) you need

    <Directory /*/public_html*>
    AllowOverride None
    Options Indexes FollowSymLinks
    </Directory>

for the problem to work. Of course, if you run httpd as root you are in serious trouble by this time, as you have given away at least your shadow password file...
Try adding this to "access.conf" on Apache 0.8.11 or NCSA 1.4 (not sure about how CERN handles this). "SymLinksIfOwnerMatch" is only vaguely documented.

    <Directory /*/public_html*>
    AllowOverride None
    Options Indexes SymLinksIfOwnerMatch
    </Directory>
I haven't seen Apache or versions of NCSA httpd higher than 1.3, so I don't know about SymLinksIfOwnerMatch. The fix last time we did this was to not include FollowSymLinks. There is apparently an analogous directive for the CERN httpd.

Regards,

Martin.

########################################################################
# Martin Hargreaves             Contract Unix System Administrator     #
# (martinh () paston co uk)     Unix & Network Security, WWW           #
#                               Computational Chemistry                #
########################################################################
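An added example, not part of any of the posts above or of NCSA/Apache/CERN httpd code: a small Python resolver that models how a server applies the three Options settings discussed in the thread (no FollowSymLinks, FollowSymLinks, SymLinksIfOwnerMatch) to a request path, checking every symlink met along the way rather than only the final component. It rebuilds the "~/public_html/root_dir -> /" tree in a temporary directory (constructed data) and shows the verdict each setting gives for a request for root_dir/etc/passwd. The class, function and policy names are this example's own assumptions, not directives or code from httpd.

```python
"""Added example, not from the original posts: a per-component path
resolver that models how an httpd applies the Options settings discussed
in the thread (no FollowSymLinks, FollowSymLinks, SymLinksIfOwnerMatch).
Names (Policy, Forbidden, resolve, demo) are this example's own, not
httpd's code.  The "~/public_html/root_dir -> /" tree is constructed in a
temporary directory for the demonstration."""
import os
import stat as statmod
import tempfile
from enum import Enum

MAX_LINKS = 40  # loop guard for link chains, like a kernel's symlink limit


class Policy(Enum):
    NONE = "Options Indexes"                              # symlinks never followed
    FOLLOW = "Options Indexes FollowSymLinks"             # any symlink followed
    OWNER_MATCH = "Options Indexes SymLinksIfOwnerMatch"  # followed only if owners match


class Forbidden(Exception):
    """Raised where the server would answer 403."""


def resolve(docroot, url_path, policy):
    """Return the filesystem path that would be served for url_path beneath
    docroot, applying `policy` to every symlink met on the way (not just the
    last component).  Missing files raise FileNotFoundError."""
    parts = [p for p in url_path.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise Forbidden("'..' is not allowed in a request path")
    cur = os.path.abspath(docroot)
    links_seen = 0
    while parts:
        part = parts.pop(0)
        if part == "..":                 # can only arrive via a relative link target
            cur = os.path.dirname(cur)
            continue
        candidate = os.path.join(cur, part)
        st = os.lstat(candidate)         # inspect the entry itself, not its target
        if not statmod.S_ISLNK(st.st_mode):
            cur = candidate
            continue
        # candidate is a symlink: apply the configured policy
        if policy is Policy.NONE:
            raise Forbidden(f"{candidate} is a symlink and FollowSymLinks is off")
        if policy is Policy.OWNER_MATCH:
            target_uid = os.stat(candidate).st_uid   # stat() follows the link
            if target_uid != st.st_uid:
                raise Forbidden(f"{candidate}: link owner uid {st.st_uid} "
                                f"!= target owner uid {target_uid}")
        links_seen += 1
        if links_seen > MAX_LINKS:
            raise Forbidden("too many levels of symbolic links")
        # Splice the link target's components in front of the remaining ones,
        # so symlinks inside the target are checked too.
        target = os.readlink(candidate)
        if target.startswith("/"):
            cur = "/"
        parts = [p for p in target.split("/") if p not in ("", ".")] + parts
    return cur


def demo():
    """Build the thread's scenario in a temp tree and try each policy."""
    with tempfile.TemporaryDirectory() as home:
        docroot = os.path.join(home, "public_html")
        os.mkdir(docroot)
        with open(os.path.join(docroot, "index.html"), "w") as f:
            f.write("<h1>hello</h1>\n")
        link = os.path.join(docroot, "root_dir")
        os.symlink("/", link)                       # the "root_dir -> /" link

        out = {"legit": resolve(docroot, "/index.html", Policy.NONE)}
        for policy in Policy:
            try:
                out[policy.name] = resolve(docroot, "/root_dir/etc/passwd", policy)
            except Forbidden as exc:
                out[policy.name] = f"FORBIDDEN: {exc}"
        # SymLinksIfOwnerMatch compares the link's owner with the target's owner.
        # Run as an ordinary user the link is yours and / belongs to root, so it
        # is refused; run as root the owners coincide and the link is followed.
        out["owner_match_should_forbid"] = os.lstat(link).st_uid != os.stat("/").st_uid
        return out


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key:>25}: {verdict}")
```

Run as an unprivileged user, FOLLOW hands back /etc/passwd, NONE and OWNER_MATCH refuse at root_dir, and the ordinary /index.html request is served under every setting. The owner comparison is what makes SymLinksIfOwnerMatch a per-component lstat()/stat() pair on every request, which is also why it costs more than plain FollowSymLinks.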