Bugtraq mailing list archives
Re: httpd symlinks
From: dsr () lns61 tn cornell edu (Daniel S. Riley)
Date: Mon, 4 Sep 1995 16:21:05 -0400
Try adding this to "access.conf" on Apache 0.8.11 or NCSA 1.4 (not sure about how CERN handles this). "SymLinksIfOwnerMatch" is only vaguely documented.
SymLinksIfOwnerMatch, at least in NCSA httpd 1.4 through 1.5b3, is
also broken. Here's the bug report I submitted to the ncsa-httpd
team:
SymLinksIfOwnerMatch can be trivially defeated. The check code
basically does

    lstat(path,&fi);
    [...]
    bsz = readlink(path,realpath,256);
    [...]
    lstat(realpath,&lfi);
    if(fi.st_uid != lfi.st_uid)
        goto gong;

which can be fooled by creating a soft link to a soft link to the
target file. The second lstat should be a stat(), and the whole
thing could be substantially simplified--something like

    lstat(path,&fi);
    if(!(S_ISREG(fi.st_mode))) {
        if(opts[n] & OPT_SYM_OWNER) {
            if (stat(path,&lfi) == -1)
                goto gong;
            if(fi.st_uid != lfi.st_uid)
                goto gong;
        }

should be sufficient (be sure to fix both instances).
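
The link-to-a-link case from the message above, as an added example that is not part of the original post or of NCSA httpd. The function names and the temporary paths are constructed for illustration; the program shows which filesystem object each variant of the check ends up comparing owners against.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp, readlink, lstat, symlink */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Check as described in the report: read one hop of the link, then
 * lstat() it. *checked receives the object whose owner is compared. */
static int flawed_checked_object(const char *path, struct stat *checked) {
    char hop[256];
    ssize_t n = readlink(path, hop, sizeof hop - 1);
    if (n < 0) return -1;
    hop[n] = '\0';
    return lstat(hop, checked);   /* stops at a second link in the chain */
}

/* Suggested check: stat() follows the whole chain to the final target. */
static int fixed_checked_object(const char *path, struct stat *checked) {
    return stat(path, checked);
}

/* Builds target <- inner <- outer in a fresh temp dir (constructed names).
 * Returns a bitmask: bit 0 = flawed check examined a symlink's owner,
 * bit 1 = fixed check examined the real target file. -1 on setup error. */
int demo_symlink_chain(void) {
    char dir[] = "/tmp/symchkXXXXXX", target[64], inner[64], outer[64];
    struct stat real, f, s;
    int result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(inner, sizeof inner, "%s/inner", dir);
    snprintf(outer, sizeof outer, "%s/outer", dir);
    FILE *fp = fopen(target, "w");
    if (!fp) return -1;
    fclose(fp);
    if (symlink(target, inner) || symlink(inner, outer)) return -1;
    if (stat(target, &real) || flawed_checked_object(outer, &f) ||
        fixed_checked_object(outer, &s)) return -1;
    if (S_ISLNK(f.st_mode)) result |= 1;
    if (S_ISREG(s.st_mode) && s.st_ino == real.st_ino &&
        s.st_dev == real.st_dev) result |= 2;
    unlink(outer); unlink(inner); unlink(target); rmdir(dir);
    return result;
}

int main(void) {
    printf("result mask: %d\n", demo_symlink_chain());
    return 0;
}
```

A result of 3 means the lstat() variant compared the owner of the intermediate link rather than the final file, while the stat() variant reached the file itself.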
