I'm running Apache 2.2.8, configured with SymlinkIfOwnerMatch and server-side includes enabled. It looks like the server-side include "include" directive ignores the setting of SymlinkIfOwnerMatch?

For example, let's say I have an htpasswd configuration file outside of the document root:

    -rw-r-----  1 root   webservd    7 Oct  3 14:00 /usr/pkg/etc/httpd/htpasswd

If I then make a symbolic link to that from a user account:

    lrwxrwxrwx  1 henson csupomona  27 Oct  3 14:01 /user/henson/www/pass.html -> /usr/pkg/etc/httpd/htpasswd

Access is forbidden, with the following message in the log file:

    [Fri Oct 03 14:01:51 2008] [error] [client 134.71.248.12] Symbolic link not allowed or link target not accessible: /export/user/henson/www/pass.html

However, if I create a server parsed HTML file in the same directory containing the following:

    <!--#include file="pass.html" -->

When I request the .shtml file, the contents of the file pointed to by the symbolic link are included.

I had thought that configuring server side includes with IncludesNoExec was reasonably safe, but it would appear that such a configuration allows any file readable by the web server itself to be served?

I took a look at mod_include.c; the include directive appears to be handled by the handle_include function, which calls either ap_sub_req_lookup_file or ap_sub_req_lookup_uri depending on whether the include is file or virtual, and then calls ap_run_sub_req to presumably handle dumping out the content of the include. As a sub request, I would have intuitively thought it would honor the configuration setting regarding symbolic links?

Am I confused? Is there something wrong with my configuration? Is this an expected behavior (I searched quite a bit and didn't find anything relevant)?

Thanks much for any help...

-- 
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson@xxxxxxxxxxxxx
California State Polytechnic University | Pomona CA 91768

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
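An administrator who suspects this behaviour on a shared host wants to know which SSI documents already include a symlink that SymLinksIfOwnerMatch would refuse on a direct request. The script below is an added example written for this page, not code from the poster or from the Apache project: it emulates the owner-match test (link uid compared with target uid) and walks a document root looking for `<!--#include file="..." -->` directives whose target fails that test or is missing. It assumes Python 3 on a POSIX system, only handles the exact `file=` form used in the post (not `virtual=` includes, which Apache resolves through the URI mapping), and the demo tree it builds is constructed sample data; in the post's real case the link is owned by the user and the target by root, which this script would report, whereas the constructed demo can only show the dangling and missing cases because both files there are owned by the same uid.

```python
import os
import re
import stat
import tempfile

# Matches the SSI "file" include form from the post, e.g. <!--#include file="pass.html" -->
INCLUDE_RE = re.compile(r'<!--#include\s+file="([^"]+)"\s*-->')


def symlink_owner_matches(path):
    """Emulate the SymLinksIfOwnerMatch test for one path.

    Returns None if path is not a symlink, False if the link dangles or its
    target is owned by a different uid than the link itself, True if the
    uids match (the only case Apache would serve on a direct request).
    """
    link_st = os.lstat(path)  # lstat: look at the link, not what it points to
    if not stat.S_ISLNK(link_st.st_mode):
        return None
    try:
        target_st = os.stat(path)  # stat: follows the link to its target
    except OSError:
        return False  # dangling target
    return link_st.st_uid == target_st.st_uid


def audit_ssi_includes(docroot):
    """Walk docroot without following symlinks, parse every .shtml file for
    file="..." includes, and report the includes whose target is a symlink
    that SymLinksIfOwnerMatch would refuse on a direct request, or that
    does not exist at all. Returns (shtml_path, included_path, reason) tuples.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in filenames:
            if not name.endswith(".shtml"):
                continue
            shtml = os.path.join(dirpath, name)
            try:
                with open(shtml, encoding="utf-8", errors="replace") as fh:
                    body = fh.read()
            except OSError:
                continue
            for rel in INCLUDE_RE.findall(body):
                # file= includes resolve relative to the including document's directory
                target = os.path.normpath(os.path.join(dirpath, rel))
                if not os.path.lexists(target):
                    findings.append((shtml, target, "missing"))
                    continue
                if symlink_owner_matches(target) is False:
                    findings.append((shtml, target, "symlink owner mismatch or dangling"))
    return findings


def build_demo_tree():
    """Construct a throwaway document root that mirrors the post's layout.
    This is constructed sample data (hypothetical file names), not real content.
    """
    root = tempfile.mkdtemp(prefix="ssi-audit-")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("constructed stand-in for a file outside the document root\n")
    # Same owner as the link here, so not reported; in the post the target is root's.
    os.symlink(secret, os.path.join(root, "pass.html"))
    # Dangling link: stat() fails, so the owner test cannot pass.
    os.symlink(os.path.join(root, "nonexistent"), os.path.join(root, "gone.html"))
    with open(os.path.join(root, "index.shtml"), "w") as fh:
        fh.write('<!--#include file="pass.html" -->\n'
                 '<!--#include file="gone.html" -->\n'
                 '<!--#include file="missing.html" -->\n')
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for shtml, included, reason in audit_ssi_includes(demo_root):
        print(f"{shtml}: include of {included}: {reason}")
```

Run it against a real document root with `audit_ssi_includes("/path/to/docroot")`; any "symlink owner mismatch" finding is a document that could expose the linked file through mod_include even though a direct request for the link would be refused.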