Mailing List Archive

Symlinks & Content negotiation...
The Apache bugs page sez:

6.Symbolic filesystem links don't work properly with MultiViews
content negotiation enabled. I.e., if you have a DocumentRoot of
/www/docs with /www really being a symlink to /export/www/docs,
content negotiation will not work.

I tried duplicating this (making a symlink to DocumentRoot, and
changing the DocumentRoot directive in srm.conf to point to the
symlink). Sure enough, MultiViews doesn't work.

However, if I then adjust the corresponding <Directory> entry in
access.conf so that it names the symlink, rather than the name of the
physical directory, then it works again --- the problem I see is
simply that it isn't seeing the Options directive that applies to
DocumentRoot if you get there by a different path.

(FWIW, the test item for these was my MultiViews content-negotiated
index.html).

Any more details?

rst
Re: Symlinks & Content negotiation...
Nope, this analysis is correct - changing the access.conf appropriately
fixes this. Is this now a security hole? If yes, I'll add the comment
about changing .htaccess, but leave it on known_bugs - if it's not a
security hole I'll move it to compat_notes. Thoughts?

Brian

On Sun, 20 Aug 1995, Robert S. Thau wrote:
> The Apache bugs page sez:
>
> 6.Symbolic filesystem links don't work properly with MultiViews
> content negotiation enabled. I.e., if you have a DocumentRoot of
> /www/docs with /www really being a symlink to /export/www/docs,
> content negotiation will not work.
>
> I tried duplicating this (making a symlink to DocumentRoot, and
> changing the DocumentRoot directive in srm.conf to point to the
> symlink). Sure enough, MultiViews doesn't work.
>
> However, if I then adjust the corresponding <Directory> entry in
> access.conf so that it names the symlink, rather than the name of the
> physical directory, then it works again --- the problem I see is
> simply that it isn't seeing the Options directive that applies to
> DocumentRoot if you get there by a different path.
>
> (FWIW, the test item for these was my MultiViews content-negotiated
> index.html).
>
> Any more details?
>
> rst
>

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com brian@hyperreal.com http://www.[hyperreal,organic].com/
Re: Symlinks & Content negotiation...
> Date: Sun, 20 Aug 1995 17:30:28 -0700 (PDT)
> From: Brian Behlendorf <brian@organic.com>
>
> Nope, this analysis is correct - changing the access.conf appropriately
> fixes this. Is this now a security hole? If yes, I'll add the comment
> about changing .htaccess, but leave it on known_bugs - if it's not a
> security hole I'll move it to compat_notes. Thoughts?

Hmmm... it would be strange in compat_notes, since I'm pretty sure
that we aren't being incompatible with anything (that is, that the
NCSA base code itself wouldn't match a <Directory> section which named
the *target* of a symlink --- NB the problem applies to all Options,
not just MultiViews).

Also, I don't think it's a security hole if people have set up their
configuration correctly --- it does mean that Scungy Undergraduates
who have FollowSymlinks set on their own ~me directories can defeat
<Directory> restrictions by planting a symlink to the restricted
directory --- but if you're worried about that, you should have
FollowSymLinks turned off for them anyway.

"Pitfalls", perhaps?

rst
Re: Symlinks & Content negotiation...
On Mon, 21 Aug 1995, Robert S. Thau wrote:
> From: Brian Behlendorf <brian@organic.com>
>
> Nope, this analysis is correct - changing the access.conf appropriately
> fixes this. Is this now a security hole? If yes, I'll add the comment
> about changing .htaccess, but leave it on known_bugs - if it's not a
> security hole I'll move it to compat_notes. Thoughts?
>
> Hmmm... it would be strange in compat_notes, since I'm pretty sure
> that we aren't being incompatible with anything (that is, that the
> NCSA base code itself wouldn't match a <Directory> section which named
> the *target* of a symlink --- NB the problem applies to all Options,
> not just MultiViews).
>
> Also, I don't think it's a security hole if people have set up their
> configuration correctly --- it does mean that Scungy Undergraduates
> who have FollowSymlinks set on their own ~me directories can defeat
> <Directory> restrictions by planting a symlink to the restricted
> directory --- but if you're worried about that, you should have
> FollowSymLinks turned off for them anyway.
>
> "Pitfalls", perhaps?

Okay, I've swallowed my bug-reporting pride and removed it from the
known_bugs list. I'll try and be more rigorous about bugs I report, I
know we have plenty to deal with anyways. :)

Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com brian@hyperreal.com http://www.[hyperreal,organic].com/
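
The mismatch discussed in this thread, as an added example that is not code from the thread or from the Apache project: a small audit that flags `<Directory>` sections written for the physical directory when `DocumentRoot` reaches it through a symlinked name. It assumes sections are matched by literal path name, as the thread describes; `covers`, `audit` and `demo` are hypothetical names, and the directory layout is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Simplified parsing: literal paths only; wildcard <Directory> patterns are ignored.
DIRECTORY_RE = re.compile(r'^\s*<Directory\s+"?([^">\s]+)"?\s*>', re.I | re.M)
DOCROOT_RE = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', re.I | re.M)

def covers(section, path):
    """Name-only comparison: is `path` the section's directory or below it?"""
    base = section.rstrip("/")
    return path == base or path.startswith(base + "/")

def audit(config_text):
    """Return (docroot, physical_path, section) for every <Directory> section that
    names the physical directory while DocumentRoot names a symlinked path."""
    sections = DIRECTORY_RE.findall(config_text)
    findings = []
    for docroot in DOCROOT_RE.findall(config_text):
        docroot = docroot.rstrip("/") or "/"
        physical = os.path.realpath(docroot)
        if physical == docroot:
            continue  # no symlink on the way: names and physical paths agree
        for section in sections:
            # Assumption (from the thread): a section applies only by name.
            if covers(section, physical) and not covers(section, docroot):
                findings.append((docroot, physical, section))
    return findings

def demo():
    """Build the /www -> /export/www layout under a temp dir (constructed sample)."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(base, "export/www/docs"))
    os.symlink(os.path.join(base, "export/www"), os.path.join(base, "www"))
    by_name = os.path.join(base, "www/docs")           # path through the symlink
    by_target = os.path.join(base, "export/www/docs")  # physical directory
    template = "DocumentRoot {root}\n<Directory {sec}>\nOptions MultiViews\n</Directory>\n"
    mismatched = audit(template.format(root=by_name, sec=by_target))
    corrected = audit(template.format(root=by_name, sec=by_name))
    return mismatched, corrected

if __name__ == "__main__":
    mismatched, corrected = demo()
    for docroot, physical, section in mismatched:
        print(f"<Directory {section}> names {physical}, but the server uses {docroot}")
    print("findings after renaming the section:", len(corrected))
```

The same name-versus-target comparison applies to any served path that contains a symlink, which is the case rst raises for user directories with FollowSymLinks enabled.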