On Sat, Apr 19, 2008 at 1:50 PM, Emmanuel E <emmanuel.e@xxxxxxx> wrote:
> From the manual
>
> http://httpd.apache.org/docs/2.2/mod/core.html#options
>
> Omitting this option should not be considered a security restriction,
> since symlink testing is subject to race conditions that make it
> circumventable.

A symlink can be added/removed/changed between the time that apache tests for it and the time when apache retrieves the target file. This means a determined person with local shell access (and some programming skills) can symlink content into the webspace even if symlinks are not allowed by the Options directive.

In the end, this is not a serious issue since someone with local shell access could also simply copy any file they want into the webspace. But it is important to be aware that symlink restrictions are not absolute.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
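The check-then-use window described in the reply above, next to a form that closes it, as an added example that is not part of the original message and is not Apache httpd's code. The function names `open_checked_racy`, `open_beneath_nofollow` and `demo_case`, and the temporary fixture, are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* openat, O_NOFOLLOW, mkdtemp */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-use: the lstat() answer can be stale when open() runs. */
int open_checked_racy(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode)) return -1;
    return open(path, O_RDONLY);   /* path may have changed since lstat() */
}

/* Race-free form: resolve rel below rootfd one component at a time with
 * O_NOFOLLOW, so the symlink test happens inside the open itself. */
int open_beneath_nofollow(int rootfd, const char *rel) {
    char buf[1024], *save = NULL;
    if (strlen(rel) >= sizeof buf) return -1;
    strcpy(buf, rel);
    int dirfd = dup(rootfd);
    char *name = strtok_r(buf, "/", &save);
    while (dirfd >= 0 && name != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        int flags = O_RDONLY | O_NOFOLLOW | (next ? O_DIRECTORY : 0);
        int fd = strcmp(name, "..") ? openat(dirfd, name, flags) : -1; /* ".." refused */
        close(dirfd);              /* finished with the parent either way */
        dirfd = fd;
        name = next;
    }
    return dirfd;                  /* -1 if any component was refused */
}

/* Constructed fixture in a temp dir: real.txt, link -> real.txt, dlink -> "."
 * Returns 1 if rel opened, 0 if refused, -1 on setup failure. */
int demo_case(const char *rel) {
    char root[] = "/tmp/symdemoXXXXXX";
    if (mkdtemp(root) == NULL) return -1;
    int rootfd = open(root, O_RDONLY | O_DIRECTORY);
    close(openat(rootfd, "real.txt", O_CREAT | O_WRONLY, 0600));
    if (symlinkat("real.txt", rootfd, "link") || symlinkat(".", rootfd, "dlink")) return -1;
    int fd = open_beneath_nofollow(rootfd, rel);
    if (fd >= 0) close(fd);
    unlinkat(rootfd, "real.txt", 0); unlinkat(rootfd, "link", 0); unlinkat(rootfd, "dlink", 0);
    close(rootfd); rmdir(root);
    return fd >= 0;
}

int main(void) { return demo_case("real.txt") == 1 && demo_case("link") == 0 ? 0 : 1; }
```

On Linux 5.6 and later, `openat2()` with `RESOLVE_NO_SYMLINKS` performs the same refusal in a single system call. Neither form prevents a local user from copying a file into the webspace, which is the limit the reply points out.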