On Fri, 3 Oct 2008, Nilesh Govindrajan wrote:

> /usr/pkg/etc/httpd/htpasswd owner is root and Apache runs as daemon /
> whatever you set in User directive. So its obviously not going to work
> with SymlinkIfOwnerMatch. You need FollowSymLinks in Options.

I don't think you understand my problem/question.

I don't want the symlink followed.

The problem is that SSI successfully follows the symlink when I think it
shouldn't.

> On Sat, Oct 4, 2008 at 2:52 AM, Paul B. Henson <henson <at> acm.org> wrote:
>
>
>
>       I'm running Apache 2.2.8, configured with SymlinkIfOwnerMatch and
>       server-side includes enabled.
>
>       It looks like the server-side include "include" directive ignores the
>       setting of SymlinkIfOwnerMatch?
>
>       For example, let's say I have an htpasswd configuration file outside of the
>       document root:
>
>       -rw-r-----   1 root     webservd       7 Oct  3 14:00 /usr/pkg/etc/httpd/htpasswd
>
>       If I then make a symbolic link to that from a user account:
>
>       lrwxrwxrwx   1 henson   csupomona      27 Oct  3 14:01 /user/henson/www/pass.html -> /usr/pkg/etc/httpd/htpasswd
>
>
>       Access is forbidden, with the following message in the log file:
>
>       [Fri Oct 03 14:01:51 2008] [error] [client 134.71.248.12] Symbolic link not
>       allowed or link target not accessible: /export/user/henson/www/pass.html
>
>
>       However, if I create a server parsed HTML file in the same directory
>       containing the following:
>
>              <!--#include file="pass.html" -->
>
>       When I request the .shtml file, the contents of the file pointed to by the
>       symbolic link are included.
>
>       I had thought that configuring server side includes with IncludesNoExec
>       was reasonably safe, but it would appear that such a configuration allows
>       any file readable by the web server itself to be served?
>
>       I took a look at mod_include.c, the include directive appears to be handled
>       by the handle_include function which calls either ap_sub_req_lookup_file or
>       ap_sub_req_lookup_uri depending on whether the include is file or virtual,
>       and then calls ap_run_sub_req to presumably handle dumping out the content
>       of the include.
>
>       As a sub request, I would have intuitively thought it would honor the
>       configuration setting regarding symbolic links?
>
>       Am I confused? Is there something wrong with my configuration? Is this an
>       expected behavior (I searched quite a bit and didn't find anything
>       relevant)?
>
>       Thanks much for any help...
>
>
>       --

>       Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/ <http://www.csupomona.edu/%7Ehenson/>

>       Operating Systems and Network Analyst  |  henson <at> csupomona.edu
>       California State Polytechnic University  |  Pomona CA 91768
>
>       ---------------------------------------------------------------------
>       The official User-To-User support forum of the Apache HTTP Server Project.
>       See <URL:http://httpd.apache.org/userslist.html> for more info.
>       To unsubscribe, e-mail: users-unsubscribe <at> httpd.apache.org
>         "   from the digest: users-digest-unsubscribe <at> httpd.apache.org
>       For additional commands, e-mail: users-help <at> httpd.apache.org
>
>
>
>
>
>
>

--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson <at> csupomona.edu
California State Polytechnic University  |  Pomona CA 91768

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe <at> httpd.apache.org
  "   from the digest: users-digest-unsubscribe <at> httpd.apache.org
For additional commands, e-mail: users-help <at> httpd.apache.org