Neelay Shah wrote:
Well, there are some programs like "junction" available on sysinternals that supposedly make a hard link equivalent on Windows... and the point is the user can create a hard link to c:\ in his user dir.
No, that's a junction, and Apache2 should treat it as a softlink.
and it will expose the whole hard drive and that is why I am concerned about it...how to stop the web server from following ...
No, there are also 'ln' utilities to create win32 hardlinks on NTFS. You can do it on FAT, but I've always just used the disk editor to create those manually (they are -not- stable).

You are better off setting up a user to 'run as', change the service to 'run as' that user, and set up absolutely strict permissions.

I sort of misspoke before; the MFT entry for the file on Windows, as well as most *nix'es, allow you to see how many hard links point to the given file (e.g. usually 1, the original). You can't tell if each is a hard or soft link. But it would theoretically be possible to hack apr and apache to deny hard links. That would deny the original and second link, of course, so it would add another vulnerability - making it possible for another user to 'deny' the existence of the original file.

Bill
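The link count mentioned in the reply above can be read from outside the server to audit a document root. The following is an added example, not code from the thread or from Apache/APR; `audit_docroot`, `build_demo_tree` and the sample tree are hypothetical names and constructed data. It also shows the caveat raised in the reply: the count flags every name of a multiply linked file, the original included.

```python
import os
import stat
import tempfile

# os.path.isjunction exists only on Python 3.12+; older versions fall back to False.
_is_junction = getattr(os.path, "isjunction", lambda p: False)

def audit_docroot(root):
    """Walk root without following links; return (multi_linked, soft_links)."""
    multi_linked, soft_links = [], []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect the entry itself, not its target
            rel = os.path.relpath(path, root)
            if stat.S_ISLNK(st.st_mode) or _is_junction(path):
                soft_links.append(rel)
            elif stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                # More than one name points at this file; the count alone
                # cannot say which name is the original.
                multi_linked.append(rel)
    return sorted(multi_linked), sorted(soft_links)

def build_demo_tree():
    """Constructed sample: a docroot with one hard-linked file and one symlink."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "site"))
    os.makedirs(os.path.join(root, "userdir"))
    original = os.path.join(root, "site", "index.html")
    with open(original, "w") as fh:
        fh.write("<p>hello</p>\n")
    with open(os.path.join(root, "site", "plain.html"), "w") as fh:
        fh.write("<p>single name</p>\n")
    # Second hard link to the same file, placed in a user-controlled directory.
    os.link(original, os.path.join(root, "userdir", "copy.html"))
    # Soft link to a directory (on Windows this call may need extra privileges).
    os.symlink(os.path.join(root, "site"), os.path.join(root, "userdir", "shortcut"))
    return root

if __name__ == "__main__":
    demo = build_demo_tree()
    hard, soft = audit_docroot(demo)
    print("files with more than one hard link:", hard)
    print("symlinks / junctions:", soft)
```

Both `site/index.html` and `userdir/copy.html` are reported, which is why a deny rule based on the link count alone would also block the original file.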