From nobody@hyperreal.com Thu Apr 24 14:34:36 1997 Received: (from nobody@localhost) by hyperreal.com (8.8.4/8.8.4) id OAA04270; Thu, 24 Apr 1997 14:34:36 -0700 (PDT) Message-Id: <199704242134.OAA04270@hyperreal.com> Date: Thu, 24 Apr 1997 14:34:36 -0700 (PDT) From: Bob Mikrut Reply-To: bob@doit.wisc.edu To: apbugs@hyperreal.com Subject: Symlinks still followed even if FollowSymLinks not in options X-Send-Pr-Version: 3.2 >Number: 480 >Category: mod_access >Synopsis: Symlinks still followed even if FollowSymLinks not in options >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Thu Apr 24 14:40:01 1997 >Originator: bob@doit.wisc.edu >Organization: >Release: 1.2b8 >Environment: AIX 4.2 and AIX 4.1.4 xlc 3.1.4 >Description: If user 'bob' has a symlink in '/u/bob/public_html', the link is followed even if: a. FollowSymLink is not in any option line b. SymLinkIfOwnerMatch is in the option line c. -FollowSymLink is included This is in the stanza: AllowOverride None Options Indexes Includes ExecCGI -FollowSymLinks SymLinksIfOwnerMatch order deny,allow deny from all allow from .adp.wisc.edu .doit.wisc.edu (Note we use 'WWW' instead of 'public_html' The symlink can be to '/' even and the link is followed, allowing the user to look at the entire directory tree. I apologize for this in the hope that I have made a config error. If this is not the case, then I believe this is a serious bug. >How-To-Repeat: I currently have no such links on any of my sites. If it is unreproducible on your site, please contact me and I will create such a link temporarily for you. Bob >Fix: >Audit-Trail: From: Marc Slemko To: Bob Mikrut Subject: Re: mod_access/480: Symlinks still followed even if FollowSymLinks not in options Date: Thu, 24 Apr 1997 17:23:40 -0600 (MDT) On Thu, 24 Apr 1997, Bob Mikrut wrote: [...] > If user 'bob' has a symlink in '/u/bob/public_html', the link is > followed even if: > a. FollowSymLink is not in any option line > b. SymLinkIfOwnerMatch is in the option line > c. -FollowSymLink is included > This is in the stanza: > > > AllowOverride None > Options Indexes Includes ExecCGI -FollowSymLinks SymLinksIfOwnerMatch > > order deny,allow > deny from all > allow from .adp.wisc.edu .doit.wisc.edu > > Erm... you are setting those options for /home/, not /u/. One may be a symlink to the other, but you need to use the right one. Does changing /home/ to /u/ in the Directory bit make it work correctly? State-Changed-From-To: open-closed State-Changed-By: marc State-Changed-When: Fri Apr 25 22:28:11 PDT 1997 State-Changed-Why: User reports issue resolved. From: Marc Slemko To: Bob Mikrut Subject: Re: mod_access/480: Symlinks still followed even if FollowSymLinks not in options Date: Fri, 25 Apr 1997 23:32:53 -0600 (MDT) On Fri, 25 Apr 1997, Bob Mikrut wrote: > Marc, > > Well, yes, it did work. I changed /home/*/WWW to > /u/*/WWW and it no longer allowed the link to be followed. > > This is not what I would have expected. The real name of > the filesystem is /home (/u is a symlin from / to it). > I was sure that I needed to use the real name of it!?!?!?!? > > Oh, well, now we're both happy. You don't have a bug and > I get the feature. > > Sorry to trouble you and thanks for the fast response. > It should depend on what is listed in the password file; if a user's home directory is listed as in /u/, you need /u/ while if it is in /home/ you need /home/. If you have both, you may need to put both in. >Unformatted: >Last-Modified: Fri Apr 25 22:28:12 PDT 1997