/usr/pkg/etc/httpd/htpasswd owner is root and Apache runs as daemon / whatever you set in User directive. So its obviously not going to work with SymlinkIfOwnerMatch. You need FollowSymLinks in Options.
On Sat, Oct 4, 2008 at 2:52 AM, Paul B. Henson <[EMAIL PROTECTED]> wrote: > > I'm running Apache 2.2.8, configured with SymlinkIfOwnerMatch and > server-side includes enabled. > > It looks like the server-side include "include" directive ignores the > setting of SymlinkIfOwnerMatch? > > For example, let's say I have an htpasswd configuration file outside of the > document root: > > -rw-r----- 1 root webservd 7 Oct 3 14:00 > /usr/pkg/etc/httpd/htpasswd > > If I then make a symbolic link to that from a user account: > > lrwxrwxrwx 1 henson csupomona 27 Oct 3 14:01 > /user/henson/www/pass.html -> /usr/pkg/etc/httpd/htpasswd > > > Access is forbidden, with the following message in the log file: > > [Fri Oct 03 14:01:51 2008] [error] [client 134.71.248.12] Symbolic link > not > allowed or link target not accessible: /export/user/henson/www/pass.html > > > However, if I create a server parsed HTML file in the same directory > containing the following: > > <!--#include file="pass.html" --> > > When I request the .shtml file, the contents of the file pointed to by the > symbolic link are included. > > I had thought that configuring server side includes with IncludesNoExec > was reasonably safe, but it would appear that such a configuration allows > any file readable by the web server itself to be served? > > I took a look at mod_include.c, the include directive appears to be handled > by the handle_include function which calls either ap_sub_req_lookup_file or > ap_sub_req_lookup_uri depending on whether the include is file or virtual, > and then calls ap_run_sub_req to presumably handle dumping out the content > of the include. > > As a sub request, I would have intuitively thought it would honor the > configuration setting regarding symbolic links? > > Am I confused? Is there something wrong with my configuration? Is this an > expected behavior (I searched quite a bit and didn't find anything > relevant)? > > Thanks much for any help... > > > -- > Paul B. Henson | (909) 979-6361 | > http://www.csupomona.edu/~henson/<http://www.csupomona.edu/%7Ehenson/> > Operating Systems and Network Analyst | [EMAIL PROTECTED] > California State Polytechnic University | Pomona CA 91768 > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: [EMAIL PROTECTED] > " from the digest: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > -- Nilesh Govindrajan ([EMAIL PROTECTED]) iTech7 Site and Server Administrator www.itech7.com
