File permissions must always permit execution of php pages by web servers. And symlink is followed and code executed because web servers must have access to that directory and code. We can operate with php security options too and obtain the same result but what if we cannot modify them? We are uncovered!!!
Agreed, but I think that, in this case, the real problem would be an insecure configuration of the underlying webserver: any security-aware administrator should configure it to NOT follow symlinks or, at last, follow them if and only if the destination file belongs to the same user (SymLinksIfOwnerMatch directive in Apache).
-- BlueRaven
Did you know that, if you play a Windows 2000 CD backwards, you will hear the voice of Satan? That's nothing! If you play it forward, it will install Windows 2000!!!
