httpd symlinks, was Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995

[martinh () paston co uk (Martin Hargreaves)]

Panzer (panzer () dhp com) wrote:

> OB BugTraq, does a user making a "~/public_html/root_dir -> /" link do
> what you think it does on your web server?  Maybe this isn't a hot
> idea...  Even worse if you nfs mount users pages via a web server that
> does other tasks also...

I think this list went through over this problem a few months ago, the
consensus being that if you don't trust your users then this is one of many
ways that they can compromise your system. I believe that with NCSA httpd
(at least on 1.3) that you need

<Directory /*/public_html*>
AllowOverride None
Options Indexes FollowSymLinks
</Directory>

For the problem to work. Of course if you run httpd as root you are in
serious trouble by this time as you have given away at least your shadow
password file...

> Try adding this to "access.conf" on apache 0.8.11 or ncsa 1.4 (not sure
> about how CERN handles this).  "SymLinksIfOwnerMatch" is only vaguely
> documented.
>
> <Directory /*/public_html*>
> AllowOverride None
> Options Indexes SymLinksIfOwnerMatch
> </Directory>

I haven't seen apache or versions of NCSA httpd higher than 1.3 so I don't
know about SymLinksIfOwnerMatch. The fix last time we did this was to not
include FollowSymLinks. There is apparently an analogous directive for the
CERN httpd.

        Regards,

                Martin.
########################################################################
#  Martin Hargreaves                Contract Unix System Administrator #
# (martinh () paston co uk)                  Unix & Network Security, WWW #
#                                              Computational Chemistry #
########################################################################