The following reply was made to PR general/1402; it has been noted by GNATS.
From: Dean Gaudet <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: general/1402: Relative Symlinks are handled improperly Date: Fri, 14 Nov 1997 00:57:17 -0800 (PST) On 14 Nov 1997 [EMAIL PROTECTED] wrote: > WEIRD ITEM #1: > > Indexing a directory that contains symlinks causes spurious logging of file > access failures. There is no attempt to access the files themselves, > therefore the logging seems erroneous. What's up here is a deficiency in the API as currently implemented, well ok that depends on how you interpret the symlink rules in the config language. One interpretation is that the symlink rules say that all symlinks the server might use in the process of handling a request have to be allowed by the symlink settings. Another interpretation is that they only apply to the first document accessed. Related to this are the tests which check if a file is a "special" file, i.e. a fifo/socket/device. To be useful these have to be applied on all potentially questionable file accesses. The indexing function runs a sub_req_lookup_file() on all the names it finds, and that sub_req_lookup_file() goes through all the symlink and special file checks. The subrequest is required at a minimum to decide what the content type is so that the icon can be constructed. But the subrequest generates warnings and errors just like it would if it were a full request. Subrequests are used like this frequently in the server. But they're not the only reason subrequests are used. In other cases, such as content-negotiation and mod_include, the subrequest is actually run to generate output. In this case the subrequest errors are really useful (and the symlink/special checks are absolutely necessary). But in the case of the subrequests that never get run, the errors/warnings are almost always not useful. Fixing this is not easy in our current model... I'm not even sure these symlink tests are absolutely necessary in the case of some subrequests, but it's not something I really like thinking about. I'd rather find some other way to protect things. An idea just occured to me: a really cheap way to protect a root filesystem from being served is to check st_dev in the stat structure and only allow serving from particular devices. Hmmm. At any rate ... does this explain this weirdness any? Dean > > > -- [EMAIL PROTECTED] -- /var/log/httpd >> htcat > http://hackvan.com/pub/stig/funny/rants/ > GET http://hackvan.com/pub/stig/funny/rants/ HTTP/1.0 > > HTTP/1.1 200 OK > Date: Fri, 14 Nov 1997 07:31:58 GMT > Server: Apache/1.2.4 > Connection: close > Content-Type: text/html > > <HTML><HEAD> > <TITLE>Index of /pub/stig/funny/rants</TITLE> > </HEAD><BODY> > <H1>Index of /pub/stig/funny/rants</H1> > <PRE><IMG SRC="/icons/blank.gif" ALT=" "> Name Last > modified Size Description > <HR> > <IMG SRC="/icons/back.gif" ALT="[DIR]"> <A HREF="/pub/stig/funny/">Parent > Directory</A> 03-Nov-97 16:35 - > <IMG SRC="/icons/unknown.gif" ALT="[ ]"> <A > HREF="clumsy-morning-coffee">clumsy-morning-coffee</A> 26-Jan-97 22:14 > 5k > <IMG SRC="/icons/unknown.gif" ALT="[ ]"> <A > HREF="hermann-hates-chains">hermann-hates-chains</A> 27-Oct-96 12:16 > 10k > <IMG SRC="/icons/unknown.gif" ALT="[ ]"> <A > HREF="hermann-hates-communication">hermann-hates-communi..</A>11-Oct-96 > 08:52 8k > <IMG SRC="/icons/unknown.gif" ALT="[ ]"> <A > HREF="hermann-hates-dogs">hermann-hates-dogs</A> 09-Aug-96 08:05 11k > <IMG SRC="/icons/unknown.gif" ALT="[ ]"> <A > HREF="hermann-hates-getting-old">hermann-hates-getting..</A>30-Sep-96 12:10 > 9k > <IMG SRC="/icons/unknown.gif" ALT="[ ]"> <A > HREF="hermann-hates-mainstream-music">hermann-hates-mainstr..</A>24-Nov-96 > 10:02 6k > <IMG SRC="/icons/unknown.gif" ALT="[ ]"> <A > HREF="hermann-hates-neighbors">hermann-hates-neighbors</A>10-Feb-97 15:36 > 8k > <IMG SRC="/icons/unknown.gif" ALT="[ ]"> <A > HREF="hermann-hates-the-drug-war">hermann-hates-the-dru..</A>19-Mar-97 15:40 > 14k > <IMG SRC="/icons/unknown.gif" ALT="[ ]"> <A > HREF="hermann-hates-the-movies">hermann-hates-the-mov..</A>13-Sep-96 09:58 > 11k > <IMG SRC="/icons/unknown.gif" ALT="[ ]"> <A > HREF="hermann-loves-a-few-things-too">hermann-loves-a-few-t..</A>11-Feb-97 > 22:36 12k > </PRE></BODY></HTML> > -- [EMAIL PROTECTED] -- /var/log/httpd >> jato.hackvan.com - - > [13/Nov/1997:23:31:58 -0800] "GET http://hackvan.com/pub/stig/funny/rants/ > HTTP/1.0" 200 1667 > > ==> /var/log/httpd/errors.hackvan <== > [Thu Nov 13 23:31:58 1997] access to > /u/ftp/pub//stig/funny/rants/hermann-hates-chains failed for > jato.hackvan.com, reason: Symbolic link not allowed > [Thu Nov 13 23:31:58 1997] access to > /u/ftp/pub//stig/funny/rants/hermann-hates-communication failed for > jato.hackvan.com, reason: Symbolic link not allowed > [Thu Nov 13 23:31:58 1997] access to > /u/ftp/pub//stig/funny/rants/hermann-hates-dogs failed for jato.hackvan.com, > reason: Symbolic link not allowed > [Thu Nov 13 23:31:58 1997] access to > /u/ftp/pub//stig/funny/rants/hermann-hates-getting-old failed for > jato.hackvan.com, reason: Symbolic link not allowed > [Thu Nov 13 23:31:58 1997] access to > /u/ftp/pub//stig/funny/rants/hermann-hates-mainstream-music failed for > jato.hackvan.com, reason: Symbolic link not allowed > [Thu Nov 13 23:31:58 1997] access to > /u/ftp/pub//stig/funny/rants/hermann-hates-neighbors failed for > jato.hackvan.com, reason: Symbolic link not allowed > [Thu Nov 13 23:31:58 1997] access to > /u/ftp/pub//stig/funny/rants/hermann-hates-the-drug-war failed for > jato.hackvan.com, reason: Symbolic link not allowed > [Thu Nov 13 23:31:58 1997] access to > /u/ftp/pub//stig/funny/rants/hermann-hates-the-movies failed for > jato.hackvan.com, reason: Symbolic link not allowed > [Thu Nov 13 23:31:58 1997] access to > /u/ftp/pub//stig/funny/rants/hermann-loves-a-few-things-too failed for > jato.hackvan.com, reason: Symbolic link not allowed > htcat http://hackvan.com/pub/stig/funny/rants/hermann-hates-neighbors >
