On Thu, Sep 26, 2002 at 01:30:23PM +0800, Patrick Hsieh wrote:
> Now that apache has FollowSymLinks and SymLinksIfOwnerMatch options,
> there's still a security issue. For example, someone can cp /etc/passwd
> to his home directory (/home/foo/passwd) and create a symbolic link from
> /home/foo/passwd to /var/www/hidden_dir/passwd. Since the owner matches,
> it will still lead to exposure of the passwd file. Is there any way to avoid
> this? I'd like to restrict symbolic links from linking across the
> DocumentRoot. Any ideas?

Easiest way to avoid it being a problem is to use shadow passwords...

-- 
Baloo
