On Sat, 11 Jul 1998, Wojtek Sylwestrzak wrote:
> we are running hundreds of mirrors, and most of them use symlinks internally, > so we cannot ignore this. On the other hand, we make them all accessible > with httpd that follows symlinks. We are being quite naive here :-( Incidentally, if you don't enable "Options FollowSymLinks" then that'll give you some amount of protection, but at the expense of cpu/system time. Your mirrors probably all live on dedicated partitions -- or on non-root partitions. So you could take a look at mod_allowdev <http://www.arctic.org/~dgaudet/apache/1.3/mod_allowdev.c>. I'll include the comments from the code below. Dean /* Why do you want this? Let me put it this way: the symlink protection options (FollowSymLinks and SymLinksIfOwnerMatch) are lame in many ways: - They're slow, they require a component by component stat() and/or lstat(). - They're hard to get correct because apache won't readlink() so it doesn't rewrite the destination. This can lead to situations where you thought you had protected a filesystem, but you really hadn't because a symlink may let the user into it. - They're overkill. Frequently all you're trying to do is to protect /etc from being served, and frequently /etc is on a partition that users' files are not on (if not you've got other problems, see a book on unix security). There's an easier way to do this. We just tell Apache what *devices* we are willing to serve files from. That's what this module does. */ /* Usage: Stick an appropriate "AddModule modules/extra/mod_allowdev.o" directive at the very bottom of your src/Configuration file, rebuild. Static mount points: This probably covers most internet servers. You list all the mount points that have content you wish to serve on the net like this: AllowDev /mount-point1 /mount-point2 ... For example, "AllowDev /var" would allow any file on the /var device to be served. Note that, for example, "AllowDev /var/foo" where foo is not a mount point, probably doesn't do what you expect. This case too would allow all files on /var to be served. Dynamic mount points: This probably covers most intranet servers. AllowDevDynamic regex subst If the file to be served matches regex, then perform subst. The resulting path must be on the same device as the file served. For example: AllowDevDynamic /home/([^/]*)/public_html /home/$1 Says that if a file /home/userid/public_html/foobar is to be served, then its device must match /home/userid. */
