Hi List, System: Suse 10.1, Apache 2.2.8 it seems that i have a security problem with script-created symlinks.I have a little php-script that creates with symlink(); a symbolic link to other file of other user. when starting this script as nonroot using php-cli it is successful only if chmod of targetfile is high enough (world-readable) i can view files. Now the problem, content of symlinked file is visible when viewing by http-request http://example.com/linkname
background ist that i provide php-modul as well php-cgi. Homefolder of users are chowned to user.nogroup to grant reading for apachegroup. chmod of every home is 750, this stops normal reading with fopen etc. files within the userhome are chowned to user.user and there should be a world readable flag for apache. but this makes files readable when symlinked.
I think i cannot stop the creation of "dead" symlinks by any scriptlanguage.I could set Option +SymLinksIfOwnerMatch but i grant allowOverride All in httpd.conf and i had to deactivate whole Option-Group. Just activating SymLinksIfOwnerMatch with no chance for users to deactivate should be the best in my case. Someone with know-how to this issue? Or are there ohter ways to ensure security?
Thanks Andre --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|