The following reply was made to PR general/1402; it has been noted by GNATS.
From: [EMAIL PROTECTED]
To: Dean Gaudet <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: general/1402: Relative Symlinks are handled improperly
Date: 14 Nov 1997 08:49:42 -0000
Dean Gaudet wrote:
>
> > I was really tired and really cranky. My hand was hurting. You're right.
> > I hate bug reports like that too. Especially when they're misinterpretations of
> > the problem.
>
> No problem, I apologize too for the curtness of my reply.
>
> > As some penance, I got your address from internic and just wrote you a
> > personal check. Expect it next week. Sorry again...what else can I say?
> > And thank you.
>
> That's not necessary I assure you!
Doesn't matter. It's consistent with my view of how the world ought to
work and how people ought to behave...not necessarily by making everything a
financial transaction, but by saying "thank you" in some tangible way.
Spread the meme.
> SymLinksIfOwnerMatch works until you copy a user's directory as described
> ... but a malicious user could have done "ln -s / hahaha" and it would
> become a hole after a restore or home directory movement. So if we treat
> root specially we open this subtle attack.
ok, thanks for explaining it. Did I mention that I hate it when bug
compatibility interferes with otherwise sensible design decisions?
I really do.
> > > If you want this to change then submit a feature request. As documented
> > > Apache does not do this. Symlinks are never expanded. If you want a
> > > personal opinion, I'll give you mine: relying on symlink protection in
> > > Apache is a bad idea. The only real solution is a chroot() cage.
> >
> > You're right. That's better.
>
> I'm working on another security model for Apache ... I'm trying to figure
> out another solution to this problem. But I'm too busy lately to get
> anywhere on the work. chroot() should be easier in the model; including
> chroot() compartments for CGI users. I'll announce it when I've got
> something to show.
Oooooooooooooooooh! Bated breath, etc...
Stig
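
An added example, not part of the original message and not Apache code: a defender-side audit to run after a restore or home directory move, listing symlinks that resolve outside a user's tree and whether link and target now share an owner, which is the condition SymLinksIfOwnerMatch tests. The names `audit_symlinks` and `demo` and the sample tree are constructed for illustration.

```python
import os
import tempfile

def audit_symlinks(tree, expected_uid):
    """Report symlinks under `tree` that resolve outside it.

    Each finding records whether link and target share an owner (what
    SymLinksIfOwnerMatch compares) and whether the link is owned by someone
    other than expected_uid, e.g. root after a restore run as root.
    """
    root = os.path.realpath(tree)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinks to directories are listed in dirnames but not descended into.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) == root:
                continue  # link stays inside the tree
            link_uid = os.lstat(path).st_uid
            try:
                owner_match = link_uid == os.stat(target).st_uid
            except OSError:
                owner_match = None  # dangling link: no target owner to compare
            findings.append({
                "link": os.path.relpath(path, root),
                "target": target,
                "owner_match": owner_match,
                "foreign_owner": link_uid != expected_uid,
            })
    return sorted(findings, key=lambda f: f["link"])

def demo():
    # Constructed sample tree: one harmless link and the "hahaha" link
    # quoted in the message above.
    with tempfile.TemporaryDirectory() as home:
        open(os.path.join(home, "index.html"), "w").close()
        os.symlink("index.html", os.path.join(home, "ok"))
        os.symlink("/", os.path.join(home, "hahaha"))
        return audit_symlinks(home, os.lstat(home).st_uid)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A finding with `owner_match` true is one that SymLinksIfOwnerMatch would let the server follow; `foreign_owner` true marks links whose ownership changed during the copy.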