The following reply was made to PR mod_access/3480; it has been noted by GNATS.
From: Marc Slemko <[EMAIL PROTECTED]>
To: Apache bugs database <[EMAIL PROTECTED]>
Cc:
Subject: Re: mod_access/3480: <Directory> directive acting strange (fwd)
Date: Thu, 3 Dec 1998 22:19:10 -0800 (PST)

---------- Forwarded message ----------
Date: Thu, 03 Dec 1998 00:01:28 +0100
From: Jean-Marie de Boer <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: mod_access/3480: <Directory> directive acting strange

> As the docs say, if you enable the following of sym links
> (see the Options directive) then symbolic links will be
> followed. They are NOT treated as the "real" path, but
> as the "virtual" path. ie. a link from /foo/bar/whee
> to /whee will be treated as being /foo/bar/whee and
> not /whee.

Hello Marc,

thanks for the reply. All of you make a great product.

Still, I am wondering about this section on security, taken from
http://www.apache.org/docs/misc/security_tips.html:

   For instance, consider the following example:

      1. # cd /; ln -s / public_html
      2. Accessing http://localhost/~root/

   This would allow clients to walk through the entire filesystem. To work
   around this, add the following block to your server's configuration:

      <Directory />
      Order deny,allow
      etc.

I am confused. In this example, public_html is a symlink, right? I can see
that the example would close off /public_html and therefore / but it is not
clear. A symlink has to be made to create this dangerous situation, and the
solution does not prevent danger from symlinks.

I do have another question on the same subject, if that's okay. I created a
perl script which outputs a file from my /etc directory. (It's just a test
you understand) This file resides in the scriptaliased cgi-bin of the
(named) virtual host using these directives, and is being called via the
webserver. The file from /etc is displayed. Am I correct in assuming that
this is because the output is generated by the perl interpreter, and apache
sees it as coming from the allowed space? Would mod_perl have the same
behaviour?

Thanks for your time.

Best regards,
Jean-Marie de Boer
Pulse.interactive

--
If you think you have everything under control,
you're not driving fast enough - Alain Prost
***********************************************
Get my public pgp key from:
http://sentient.pulse.nl/sentient_pgp_key.asc
***********************************************
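
The following is an added example, not part of the original message and not Apache's code: a simplified model of the quoted statement that a symlinked path is matched as the "virtual" path rather than its target. The function name, the temporary directory layout and the two section paths are constructed for illustration.

```python
import os
import shutil
import tempfile


def matching_sections(path, sections):
    """Return the section paths that are component-wise prefixes of `path`.

    Simplified model (assumption): the path is compared exactly as given,
    and symlinks in it are never resolved.
    """
    parts = [p for p in path.split(os.sep) if p]
    hits = []
    for sec in sections:
        sec_parts = [p for p in sec.split(os.sep) if p]
        if parts[:len(sec_parts)] == sec_parts:
            hits.append(sec)
    return hits


def demo():
    # Constructed layout mirroring the quoted reply:
    #   <root>/whee          real directory
    #   <root>/foo/bar/whee  symlink pointing at <root>/whee
    root = os.path.realpath(tempfile.mkdtemp())
    try:
        real = os.path.join(root, "whee")
        os.makedirs(real)
        os.makedirs(os.path.join(root, "foo", "bar"))
        link = os.path.join(root, "foo", "bar", "whee")
        os.symlink(real, link)

        # Constructed sections: one for "/" and one for the real directory.
        sections = [os.sep, real]
        via_link = matching_sections(link, sections)
        via_real = matching_sections(os.path.realpath(link), sections)
        return real, via_link, via_real
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    real, via_link, via_real = demo()
    print("as requested through the link:", via_link)
    print("after resolving the link:     ", via_real)
```

In this model the section for the real directory is only selected once the link has been resolved, while the section for `/` is selected for both forms of the path, because every absolute path begins at `/`.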
