Bugtraq mailing list archives
Re: httpd symlinks
From: dsr () lns61 tn cornell edu (Daniel S. Riley)
Date: Mon, 4 Sep 1995 16:21:05 -0400
Try adding this to "access.conf" on Apache 0.8.11 or NCSA 1.4 (not sure about how CERN handles this). "SymLinksIfOwnerMatch" is only vaguely documented.
SymLinksIfOwnerMatch, at least in NCSA httpd 1.4 through 1.5b3, is also broken. Here's the bug report I submitted to the ncsa-httpd team:

SymLinksIfOwnerMatch can be trivially defeated. The check code basically does

    lstat(path,&fi);
    [...]
    bsz = readlink(path,realpath,256);
    [...]
    lstat(realpath,&lfi);
    if(fi.st_uid != lfi.st_uid)
        goto gong;

which can be fooled by creating a soft link to a soft link to the target file. The second lstat should be a stat(), and the whole thing could be substantially simplified--something like

    lstat(path,&fi);
    if(!(S_ISREG(fi.st_mode))) {
        if(opts[n] & OPT_SYM_OWNER) {
            if (stat(path,&lfi) == -1)
                goto gong;
            if(fi.st_uid != lfi.st_uid)
                goto gong;
        }

should be sufficient (be sure to fix both instances).
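The following is an added example, not code from the original message or from NCSA httpd: it runs the reported check and the stat()-based check over a two-level link chain and records which object each one compares the owner against. The function names and the temporary directory under /tmp are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE 1
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check as the report describes it: lstat, readlink one level, lstat again.
 * Returns 1 when owners match; *cmp is the object whose owner was compared. */
int owner_check_reported(const char *path, struct stat *cmp) {
    struct stat fi;
    char real[PATH_MAX];
    ssize_t n;
    if (lstat(path, &fi) == -1) return 0;
    if ((n = readlink(path, real, sizeof real - 1)) == -1) return 0;
    real[n] = '\0';                      /* readlink does not terminate */
    if (lstat(real, cmp) == -1) return 0; /* stops at the next link */
    return fi.st_uid == cmp->st_uid;
}

/* Suggested fix: stat() resolves the whole chain to the final object. */
int owner_check_fixed(const char *path, struct stat *cmp) {
    struct stat fi;
    if (lstat(path, &fi) == -1 || stat(path, cmp) == -1) return 0;
    return fi.st_uid == cmp->st_uid;
}

/* Constructed sample: a -> b -> target inside a fresh temp directory. */
int build_chain(char *a, char *target, size_t len) {
    char dir[] = "/tmp/symchk.XXXXXX", b[PATH_MAX];
    FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(a, len, "%s/a", dir);
    snprintf(b, sizeof b, "%s/b", dir);
    snprintf(target, len, "%s/target", dir);
    if (!(f = fopen(target, "w"))) return -1;
    fclose(f);
    return (symlink(target, b) || symlink(b, a)) ? -1 : 0;
}

int main(void) {
    char a[PATH_MAX], t[PATH_MAX];
    struct stat r = {0}, x = {0};
    if (build_chain(a, t, sizeof a)) return 1;
    owner_check_reported(a, &r);
    owner_check_fixed(a, &x);
    printf("reported check compared a %s, fixed check compared a %s\n",
           S_ISLNK(r.st_mode) ? "symlink" : "file",
           S_ISLNK(x.st_mode) ? "symlink" : "file");
    return 0;
}
```

Every object in the sample has the same owner, so both checks return 1; the difference is that the reported check validates the owner of the intermediate link while the stat()-based check validates the owner of the file that would actually be served.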