Bug #1896

closed

follow symlinks + userdir

Added by Looris about 15 years ago. Updated about 15 years ago.

Status: Invalid
Priority: High
Category: mod_userdir
Target version: -

Description

I noticed that "follow symlinks" is enabled by default even if userdirs are enabled.
This of course should never happen, since it gives every user access to read any file that can be read by www-data.
Hints:
social_engineer@badhost:~public_html$ ln -s /path/to/file.php file.txt
social_engineer@badhost:~public_html$ ln -s /etc

IMAO you should either disallow having both options enabled, or at least check if the owner matches before following a symlink. By default. (Apache has such an option, but I couldn't find it here.)
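
The owner-match check the report asks for (the behaviour Apache exposes as SymLinksIfOwnerMatch), as an added example that is not part of the original report or of the project's code. It walks every path component, so a linked directory such as the `ln -s /etc` hint is checked as well as a linked file; the function names, the 4096-byte path buffer and the public_html layout are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Policy: follow a link only if link and target have the same owner. */
int owners_match(uid_t link_owner, uid_t target_owner) { return link_owner == target_owner; }

/* Walk `rel` (request path below a user's public_html, hypothetical layout)
 * one component at a time; 1 = serve, 0 = refuse (errors and ".." refuse). */
int path_symlinks_owner_ok(const char *root, const char *rel)
{
    char buf[4096];
    struct stat lst, tst;
    size_t len = strlen(root);
    if (len + strlen(rel) + 2 > sizeof buf)
        return 0;
    memcpy(buf, root, len + 1);
    while (*rel) {
        size_t n = strcspn(rel, "/");
        if (n == 2 && rel[0] == '.' && rel[1] == '.')
            return 0;
        if (n > 0) {
            buf[len++] = '/';
            memcpy(buf + len, rel, n);
            buf[len += n] = '\0';
            if (lstat(buf, &lst) != 0)
                return 0;
            /* stat() resolves the link, so tst describes the target */
            if (S_ISLNK(lst.st_mode) &&
                (stat(buf, &tst) != 0 ||
                 !owners_match(lst.st_uid, tst.st_uid)))
                return 0;
        }
        rel += n + (rel[n] == '/');
    }
    return 1;
}

int main(int argc, char **argv)
{
    if (argc != 3)
        return EXIT_FAILURE; /* usage: prog <public_html dir> <relative path> */
    int ok = path_symlinks_owner_ok(argv[1], argv[2]);
    puts(ok ? "serve" : "refuse");
    return ok ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

The lstat()/stat() pair is a check made before the file is opened, so a link replaced between the check and the open is not caught; Apache documents the same limitation for its own option.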

Actions #1

Updated by stbuehler about 15 years ago

  • Status changed from New to Invalid

Our config system doesn't work that way. If you don't like follow-symlinks, disable it yourself.

Actions #2

Updated by Looris about 15 years ago

stbuehler wrote:

Our config system doesn't work that way. If you don't like follow-symlinks, disable it yourself.

that's retarded, but as you wish
