Hello "nate" <[EMAIL PROTECTED]>,

OK. This is my situation. I am running multiple apache servers which all mount nfsserver:/var/www/ as their local /var/www and share the same storage via nfs.
Is there any apache configuration to avoid symbolic links across documentroot? I hope to keep the consistency of the content of DocumentRoot because of NFS. A symbolic link outside the document could possibly lead to inconsistency.

On Wed, 25 Sep 2002 22:44:38 -0700 (PDT) "nate" <[EMAIL PROTECTED]> wrote:

> Patrick Hsieh said:
> > Hello list,
> >
> > Now that apache has FollowSymLinks and SymLinksIfOwnerMatch options,
> > there's still some security issue. For example, someone cp /etc/passwd to
> > his home directory(/home/foo/passwd), create a symbolic link from
> > /home/foo/passwd to /var/www/hidden_dir/passwd. Since the owner matches,
> > it will still lead to exposure of passwd file. Is there any way to avoid
> > this? I'd like to restrict the symbolic link from linking across the
> > DocumentRoot, idea?
>
> if you're trying to protect the passwd file, good luck! Someone
> could just as easily cat the file into another html file, or copy and
> rename it in their public_html directory.
>
> If you want to "obscure" your user accounts I recommend using a
> distributed login system such as LDAP, NIS, NIS+ and put all
> non-system accounts in the database (there's no harm in a remote
> user seeing what system accounts you have I think since they
> are default to the system, they could install a copy of debian
> and see what the accounts were if they wanted). That way
> /etc/passwd has no real useful information.
>
> I do this with LDAP, it works well, I wrote up a large "HOWTO"
> on the subject:
>
> http://howto.linuxpowered.net/ldap/ldap.html
>
> IMO ldap is more secure than NIS/NIS+ because it does not depend
> upon RPC services (which historically have many security problems).
>
> nate
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
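
An added example, not part of the original thread: a Python audit that walks a DocumentRoot such as the shared /var/www and reports every symbolic link whose resolved target lies outside it, the condition the post wants to rule out. The function name and the /var/www default are assumptions made for illustration.

```python
import os
import sys


def find_escaping_symlinks(docroot):
    """Return sorted (link_path, resolved_target) pairs for every symlink
    under docroot whose target resolves outside docroot."""
    root = os.path.realpath(docroot)
    escaping = []
    # followlinks=False: never descend through a link while scanning,
    # so dirpath is always a real directory below root.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinks to directories are listed in dirnames, others in filenames.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath follows chains of links and ".." components;
            # a dangling link resolves to the path it would point at.
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                escaping.append((path, target))
    return sorted(escaping)


if __name__ == "__main__":
    # Assumed default: the shared DocumentRoot named in the post.
    docroot = sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    found = find_escaping_symlinks(docroot)
    for link, target in found:
        print(f"{link} -> {target}")
    # Non-zero exit lets a cron job or deploy hook flag the finding.
    sys.exit(1 if found else 0)
```

Targets are resolved on the host that runs the script, so with an NFS-shared DocumentRoot it is worth running on the NFS server or on one of the web servers that mounts the export at the same path.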