Hi List,
System: Suse 10.1, Apache 2.2.8
It seems that I have a security problem with script-created symlinks.
I have a little PHP script that uses symlink() to create a symbolic link to
another user's file.
When I start this script as non-root using php-cli, it succeeds only if the
chmod of the target file is high enough (world-readable); then I can view the files.
Now the problem: the content of the symlinked file is visible when viewed by
HTTP request at http://example.com/linkname
The background is that I provide the PHP module as well as php-cgi. The home folders of users
are chowned to user.nogroup to grant reading for the Apache group. The chmod of every
home is 750; this stops normal reading with fopen etc. Files within the
user home are chowned to user.user and there should be a world-readable flag
for Apache, but this makes files readable when symlinked.
I think I cannot stop the creation of "dead" symlinks by any script language.
I could set Option +SymLinksIfOwnerMatch but I grant AllowOverride All in
httpd.conf and I had to deactivate the whole Option group.
Just activating SymLinksIfOwnerMatch with no chance for users to deactivate it
should be the best in my case.
Does someone have know-how on this issue? Or are there other ways to ensure
security?
Thanks, Andre
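
An added example, not part of the original post: a point-in-time audit that applies the comparison SymLinksIfOwnerMatch makes (owner of the link versus owner of its target) to every symlink under a directory tree, and also reports "dead" links. The function name `audit_symlinks`, the injectable `lstat`/`stat` parameters and the demo tree are assumptions made for illustration.

```python
import os
import tempfile


def audit_symlinks(root, lstat=os.lstat, stat=os.stat):
    """Return (link, target, reason) for symlinks under root that point to a
    file owned by a different uid, or to nothing at all.

    lstat/stat are injectable so the owner comparison can be exercised
    without root privileges.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinks to directories show up in dirnames, all others in filenames.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.readlink(path)
            link_uid = lstat(path).st_uid      # owner of the link itself
            try:
                target_uid = stat(path).st_uid  # owner of what it resolves to
            except OSError:
                # Target missing, unreachable, or a symlink loop.
                findings.append((path, target, "dangling"))
                continue
            if link_uid != target_uid:
                findings.append((path, target, "owner-mismatch"))
    return findings


if __name__ == "__main__":
    # Constructed demo tree: one link to the caller's own file, one dead link.
    demo = tempfile.mkdtemp(prefix="symlink-audit-")
    own = os.path.join(demo, "own.txt")
    with open(own, "w") as fh:
        fh.write("demo\n")
    os.symlink(own, os.path.join(demo, "ok-link"))
    os.symlink(os.path.join(demo, "missing"), os.path.join(demo, "dead-link"))
    for link, target, reason in audit_symlinks(demo):
        print(f"{reason}: {link} -> {target}")
```

The result describes the tree only at the moment of the scan, so it is a check to run on a schedule and does not replace restricting symlink handling in the server configuration.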
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.