Mailing List Archive

If owner=root, should Apache follow symlinks?
I know we discussed this a while back, but I was looking at the
code last night and it looks like Apache will not allow root-owned
links to bypass the OPT_SYM_OWNER check.

The change in http_request.c to do this is trivial (I think):

if (stat (d, &fi) < 0) return FORBIDDEN;

+ if (lfi.st_uid == (uid_t)0) return (OK); /* root-owned links are OK */
+
return (fi.st_uid == lfi.st_uid) ? OK : FORBIDDEN;
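Review bot: The added test `lfi.st_uid == (uid_t)0` returns OK without comparing against `fi` at all, so for a root-owned link the owner-match rule places no constraint on the target beyond the `stat` succeeding. That treats uid 0 ownership of the link as proof that root created it. On systems where `chown` is not restricted to the superuser, a user can give a file away, so consider making the exemption conditional on platform or configuration, and document the exception where OPT_SYM_OWNER is described. Minor style point: `return (OK);` is parenthesized while the line above uses `return FORBIDDEN;`.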


[note: I placed it after the stat because I think it should still
be checking that the destination of the link is stat-able]

However, given that the change is easy, have I missed something else?
Is there a reason I shouldn't do this in the first place?

.....Roy