Hi Folks,
I've got a situation that needed a solution. Say I have a directory in
my htdocs that contains:
frames.html - a document
index.html -> frames.html - a symbolic link
hacker.txt -> /etc/passwd - another symbolic link
I'd like to allow the index.html link to work, but deny the hacker.txt
one. Disallowing the FollowSymLinks option kills both links.
SymLinksIfOwnerMatch option helps, but I have numerous authors
on my server so I cannot guarantee the same owner on each file.
Tried something like this:
<Directory /usr/local/etc/httpd/htdocs>
    Order allow,deny
    Allow from all
</Directory>
<Directory />
    Order deny,allow
    Deny from all
</Directory>
but a request for htdocs/hacker.txt doesn't seem to realize the
file is really in /etc, so it sends the file out. (Perhaps I
missed something here?)
The solution I came up with is to write an access handler to
evaluate symlinked filepaths and test the absolute path against
a set of rules.
I called the module Apache::BlockSymLinks since it is based on
Apache::BlockAgent. The code can be downloaded from:
http://mosa.unity.ncsu.edu/brabec/dist/Apache-BlockSymLinks-0.1.tar.gz
and the manpage is online at:
http://mosa.unity.ncsu.edu/brabec/dist/BlockSymLinks.html
I'm considering adding this module to CPAN and/or the APML, so I'm
looking for comments. Specifically,
is this useful to others?
have I reinvented the wheel?
any suggestions for additions or modifications?
Thanks,
Charles
--
Dr. Charles J. Brabec | He wants me to be clever. Worse, he wants me to be
Web Systems Programmer | seen to be clever by everyone here. -- Miles
[EMAIL PROTECTED] | Vorkosigan (L.M. Bujold)
PH 919.513.0171 |
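The core of the approach described in the post (resolve the symlinked path to its absolute target, then test that target against a set of rules) as an added example. This is not code from the post or from Apache::BlockSymLinks; it is a stand-alone Python stand-in for the handler logic, and the rule set it uses (the real file must live under the document root or under an explicitly allowed extra directory) is an assumption. It goes a little beyond the post's case by also covering a symlinked directory component (htdocs/conf -> /etc, requested as conf/passwd) and the classic prefix pitfall where a naive string-prefix check would treat /htdocs2 as part of /htdocs. The directory layout, including a local stand-in for /etc/passwd, is constructed in a temporary directory so nothing on the real system is touched.

```python
import os
import tempfile


def resolve_request(docroot, rel_path):
    """Map a request path to the file the server would actually open.

    os.path.realpath follows a symlink in *every* path component, so a
    symlinked directory (htdocs/conf -> /etc) is caught as well as a
    symlinked file (htdocs/hacker.txt -> /etc/passwd).
    """
    return os.path.realpath(os.path.join(docroot, rel_path.lstrip("/")))


def is_within(path, prefix):
    """True if path equals prefix or lies below it.

    Compared component-wise via commonpath, not with str.startswith, so that
    /srv/htdocs2/x is not mistaken for a child of /srv/htdocs.
    """
    path = os.path.realpath(path)
    prefix = os.path.realpath(prefix)
    return os.path.commonpath([path, prefix]) == prefix


def allow_request(docroot, rel_path, allowed_roots=()):
    """Decide on one request. Returns (allowed, resolved_target).

    Rule set (hypothetical, stands in for the module's rules): the resolved
    file may live under the document root or under any directory listed in
    allowed_roots; anything else, including a symlink whose target escapes
    the tree, is denied.
    """
    target = resolve_request(docroot, rel_path)
    allowed = any(is_within(target, root) for root in (docroot, *allowed_roots))
    return allowed, target


def demo():
    """Recreate the layout from the post inside a temporary directory
    (constructed sample data; a local 'etc/passwd' stands in for the real one)
    and return {request: allowed}."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "htdocs")
        etc = os.path.join(tmp, "etc")
        shared = os.path.join(tmp, "shared")       # a second tree authors may link into
        sibling = os.path.join(tmp, "htdocs2")     # same string prefix as docroot, not inside it
        for d in (docroot, etc, shared, sibling):
            os.makedirs(d)
        for path, text in [
            (os.path.join(docroot, "frames.html"), "<html></html>\n"),
            (os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/sh\n"),
            (os.path.join(shared, "lib.html"), "<html></html>\n"),
            (os.path.join(sibling, "other.html"), "<html></html>\n"),
        ]:
            with open(path, "w") as f:
                f.write(text)

        # index.html -> frames.html : relative link that stays inside htdocs
        os.symlink("frames.html", os.path.join(docroot, "index.html"))
        # hacker.txt -> /etc/passwd : the link the post wants denied
        os.symlink(os.path.join(etc, "passwd"), os.path.join(docroot, "hacker.txt"))
        # conf -> /etc : a symlinked *directory*; conf/passwd escapes the same way
        os.symlink(etc, os.path.join(docroot, "conf"))
        # lib.html -> shared/lib.html : escapes, but shared/ is on the allow list
        os.symlink(os.path.join(shared, "lib.html"), os.path.join(docroot, "lib.html"))
        # sibling.html -> htdocs2/other.html : would pass a naive startswith() check
        os.symlink(os.path.join(sibling, "other.html"), os.path.join(docroot, "sibling.html"))

        requests = ["index.html", "hacker.txt", "conf/passwd", "lib.html", "sibling.html"]
        return {req: allow_request(docroot, req, [shared])[0] for req in requests}


if __name__ == "__main__":
    for req, ok in demo().items():
        print(f"{req:14s} {'allow' if ok else 'DENY'}")
```

In a mod_perl access handler the same decision would map to returning OK or FORBIDDEN, and the path fed to the check should be the already-translated filename ($r->filename) rather than the raw URI, so that Apache's own URL normalization has happened first. One caveat a handler like this cannot remove: the check and the later open are two separate operations, so an author who can replace the link between them can still race it; the check narrows the window but does not close it.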