Re: SSI/server-side includes and symbolic links/SymlinkIfOwnerMatch

If you are not using RewriteRules then in .htaccess write

Options -FollowSymLinks

This will disable the working of RewriteRules also!

If you are using RewriteRules, create a symlink and using FilesMatch specify the above option for the symlink name.

On Sat, Oct 4, 2008 at 8:10 AM, Paul B. Henson <henson@xxxxxxx> wrote:
On Fri, 3 Oct 2008, Nilesh Govindrajan wrote:

> /usr/pkg/etc/httpd/htpasswd owner is root and Apache runs as daemon /
> whatever you set in User directive. So it's obviously not going to work
> with SymlinkIfOwnerMatch. You need FollowSymLinks in Options.

I don't think you understand my problem/question.

I don't want the symlink followed.

The problem is that SSI successfully follows the symlink when I think it
shouldn't.


> On Sat, Oct 4, 2008 at 2:52 AM, Paul B. Henson <henson@xxxxxxx> wrote:
>
>
>
>       I'm running Apache 2.2.8, configured with SymlinkIfOwnerMatch and
>       server-side includes enabled.
>
>       It looks like the server-side include "include" directive ignores the
>       setting of SymlinkIfOwnerMatch?
>
>       For example, let's say I have an htpasswd configuration file outside of the
>       document root:
>
>       -rw-r-----   1 root     webservd       7 Oct  3 14:00 /usr/pkg/etc/httpd/htpasswd
>
>       If I then make a symbolic link to that from a user account:
>
>       lrwxrwxrwx   1 henson   csupomona      27 Oct  3 14:01 /user/henson/www/pass.html -> /usr/pkg/etc/httpd/htpasswd
>
>
>       Access is forbidden, with the following message in the log file:
>
>       [Fri Oct 03 14:01:51 2008] [error] [client 134.71.248.12] Symbolic link not
>       allowed or link target not accessible: /export/user/henson/www/pass.html
>
>
>       However, if I create a server parsed HTML file in the same directory
>       containing the following:
>
>              <!--#include file="pass.html" -->
>
>       When I request the .shtml file, the contents of the file pointed to by the
>       symbolic link are included.
>
>       I had thought that configuring server side includes with IncludesNoExec
>       was reasonably safe, but it would appear that such a configuration allows
>       any file readable by the web server itself to be served?
>
>       I took a look at mod_include.c, the include directive appears to be handled
>       by the handle_include function which calls either ap_sub_req_lookup_file or
>       ap_sub_req_lookup_uri depending on whether the include is file or virtual,
>       and then calls ap_run_sub_req to presumably handle dumping out the content
>       of the include.
>
>       As a sub request, I would have intuitively thought it would honor the
>       configuration setting regarding symbolic links?
>
>       Am I confused? Is there something wrong with my configuration? Is this an
>       expected behavior (I searched quite a bit and didn't find anything
>       relevant)?
>
>       Thanks much for any help...
>
>
>       --
>       Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
>       Operating Systems and Network Analyst  |  henson@xxxxxxxxxxxxx
>       California State Polytechnic University  |  Pomona CA 91768
>
>       ---------------------------------------------------------------------
>       The official User-To-User support forum of the Apache HTTP Server Project.
>       See <URL:http://httpd.apache.org/userslist.html> for more info.
>       To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>         "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>       For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>

--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson@xxxxxxxxxxxxx
California State Polytechnic University  |  Pomona CA 91768

--
Nilesh Govindrajan (nilesh@xxxxxxxxxx)

iTech7 Site and Server Administrator

www.itech7.com
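
An audit for the situation described in this thread, added here as an example and not part of the original messages or of Apache's own code: it scans server-parsed files under a document root for `include file=` targets that are symbolic links and reports, for each, whether link and target owners match (the comparison SymlinkIfOwnerMatch makes) and whether the target resolves outside the document root. The function name and the `.shtml` suffix default are assumptions.

```python
import os
import re
import sys

# Matches the directive form quoted in the thread: <!--#include file="..." -->
INCLUDE_RE = re.compile(r'<!--#include\s+file="([^"]+)"\s*-->')


def audit_ssi_symlinks(docroot, suffixes=(".shtml",)):
    """Return one finding per SSI include file= target that is a symlink.

    Hypothetical helper. Only the final path component of the include
    target is tested for being a symlink.
    """
    root = os.path.realpath(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # does not descend into symlinked dirs
        for name in files:
            if not name.endswith(suffixes):
                continue
            page = os.path.join(dirpath, name)
            with open(page, errors="replace") as fh:
                text = fh.read()
            for target in INCLUDE_RE.findall(text):
                link = os.path.join(dirpath, target)
                if not os.path.islink(link):
                    continue
                resolved = os.path.realpath(link)
                try:
                    # Same comparison SymlinkIfOwnerMatch makes: link uid vs target uid.
                    owner_match = os.lstat(link).st_uid == os.stat(resolved).st_uid
                except OSError:
                    owner_match = None  # dangling link or target not stat-able
                outside = os.path.commonpath([root, resolved]) != root
                findings.append({
                    "page": page, "link": link, "target": resolved,
                    "owner_match": owner_match, "outside_docroot": outside,
                })
    return findings


if __name__ == "__main__":
    # Usage: python audit_ssi_symlinks.py <document root>
    for finding in audit_ssi_symlinks(sys.argv[1]):
        print(finding)
```

Findings with `owner_match` false or `outside_docroot` true are the ones to review against the server's symlink policy.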
