From nobody@hyperreal.com Tue May 20 19:12:38 1997 Received: (from nobody@localhost) by hyperreal.com (8.8.5/8.8.5) id TAA10156; Tue, 20 May 1997 19:12:38 -0700 (PDT) Message-Id: <199705210212.TAA10156@hyperreal.com> Date: Tue, 20 May 1997 19:12:38 -0700 (PDT) From: Aveek Datta Reply-To: adatta@ml.org To: apbugs@hyperreal.com Subject: not enforced if seen through symlink. X-Send-Pr-Version: 3.2 >Number: 599 >Category: general >Synopsis: not enforced if seen through symlink. >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Tue May 20 19:20:01 1997 >Last-Modified: Sun Jun 22 17:08:27 PDT 1997 >Originator: adatta@ml.org >Organization: >Release: 1.2b10 >Environment: Linux Redhat fresh install v4.1 (Colgate) GCC >Description: Here is the setup: is protected by AUTH_MSQL correctly. This directory is a directory not accessible by WWW in general, and is the real path. However .. (continued in next section) >How-To-Repeat: do this: ln -s /home/adatta/blah/blah /home/adatta/www or public_html, whatever your setup is, then the will NOT be protected. In other words, the Symlink overrides the true directory setting. >Fix: It's not a major problem. In fact, you probably know about it. I didn't, and it caused me some frustration on why it wasn't asking for authorization. However, I figured it out.. :) Just in case you didn't know about this 'feature' >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: dgaudet State-Changed-When: Sun Jun 22 17:08:26 PDT 1997 State-Changed-Why: Yes as you surmise we know about this. This is now documented under the FollowSymLinks option. Apache just follows the link, and doesn't rewrite the pathname that it is considering. So you would have to protect /home/adatta/www to get what you want. Thanks for using Apache! Dean >Unformatted: