On Thu, May 15, 2008 at 3:36 AM, Andre Hübner <andre.huebner@xxxxxx> wrote:
>
> Sorry, I think I did not verbalize this clearly enough. ;)
> The essence is the following: the way of creating a symlink is irrelevant. In most
> cases this is a script, but a symlink can also be created by just unpacking an
> archive with symlinks that point to other users' files.
> Symlinks are very flexible and can even point to themselves. A symbolic link in
> the filesystem is always created, even if the target has too few permissions or
> does not exist. In these cases the link is just dead for the CGI user that
> created it. But the link is not dead for the Apache user. If we think that the other
> file is readable for Apache because it is part of a website, then Apache serves
> the content of the other user's file. Apache seems in this case just to check if
> the source and target of the symlink are readable for the Apache user and serves the file if
> so. I can decrease the chmod of the target file, but if it also should be served
> by Apache, the group of the file has to be the Apache group, and we have the case
> that it is still readable.
> I cannot stop the creation of symlinks by script or other ways. I could activate
> SymLinksIfOwnerMatch, but a user could change this with their own .htaccess because I
> grant AllowOverride All in httpd.conf.
> Decreasing the AllowOverride level to remove the Options group is a really big step
> because it would also remove further helpful things:
> http://httpd.apache.org/docs/2.2/en/mod/core.html#options
> Hmm, the best way would be to activate SymLinksIfOwnerMatch without removing
> the whole Options directive.
>
> Now I have:
>
> <Directory "/my/path">
>     AllowOverride FileInfo AuthConfig Limit Indexes
>     Options ExecCGI Includes MultiViews Indexes SymLinksIfOwnerMatch
> </Directory>
>
> and symlinks to other users' files are not permitted. But on the other hand,
> every .htaccess which uses the Options, php_flag, or php_value directive (maybe
> more) runs into a 500 error :(

You can do restrictions of particular options using the technique shown here:
http://httpd.apache.org/docs/2.2/howto/htaccess.html#how

But I have a feeling that there are other ways around your separation.
It depends on exactly the details of how you are running your scripts.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
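
One way to restrict individual options as suggested in the reply, shown as an added example that is not part of the original thread: the `Options=` form of `AllowOverride` in Apache 2.2 lets .htaccess files set only the listed options. The path is the one from the quoted message; the choice of which options to allow is an assumption.

```apache
# Before (configuration from the quoted message): the Options override class
# is not granted, so any .htaccess that uses Options, php_flag or php_value
# is rejected with a 500 error.
#
# <Directory "/my/path">
#     AllowOverride FileInfo AuthConfig Limit Indexes
#     Options ExecCGI Includes MultiViews Indexes SymLinksIfOwnerMatch
# </Directory>

# After: grant the Options override class, but only for a fixed list of
# options. FollowSymLinks is deliberately left out of the list, so a
# .htaccess containing "Options +FollowSymLinks" is refused instead of
# re-enabling unrestricted symlink traversal.
<Directory "/my/path">
    # Server-side default for this tree: symlinks are followed only when
    # the link and its target have the same owner.
    Options ExecCGI Includes MultiViews Indexes SymLinksIfOwnerMatch

    # Comma-separated list with no spaces after "Options=".
    # SymLinksIfOwnerMatch is listed so that a .htaccess using the
    # non-relative form ("Options Indexes SymLinksIfOwnerMatch") still works.
    AllowOverride FileInfo AuthConfig Limit Indexes Options=ExecCGI,Includes,MultiViews,Indexes,SymLinksIfOwnerMatch
</Directory>
```

A .htaccess that sets `Options` without `+` or `-` can still drop SymLinksIfOwnerMatch, but that disables symlink following altogether rather than widening it. The Apache documentation also notes that the owner-match check is subject to race conditions, so it narrows the exposure between users rather than guaranteeing separation.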