Disable symlink, possible?

Edho_P_Arief · June 17, 2009, 10:08am

Is it possible to disallow/disable nginx from following symlink?

Edho_P_Arief · June 17, 2009, 10:37am

Hello!

On Wed, Jun 17, 2009 at 02:57:53PM +0700, Edho P Arief wrote:

Is it possible to disallow/disable nginx from following symlink?

No.

The only way is to use filesystem without following symlinks
(mount -o nosymfollow under FreeBSD should do the trick, not sure
about Linux).

Maxim D.

Edho_P_Arief · June 19, 2009, 4:29pm

It’s not possible. Trying to do so would be a major performance hit.
With a feature like this, nginx would have to call stat() on every
element in the path to make sure it’s not a symlink.
So instead of one stat() on /usr/local/www/domain/htdocs/dir/foo/bar/
index.html, nginx would have to do nine!

Madness

Edho_P_Arief · June 19, 2009, 4:59pm

On Fri, Jun 19, 2009 at 9:18 PM, Avleen Vig[email protected] wrote:

It’s not possible. Trying to do so would be a major performance hit.
With a feature like this, nginx would have to call stat() on every element
in the path to make sure it’s not a symlink.
So instead of one stat() on
/usr/local/www/domain/htdocs/dir/foo/bar/index.html, nginx would have to do
nine!

Madness

how about apache’s -like directive?

maybe something like

filepath / { deny all; }

filepath /var/www { allow all; }

?

Edho_P_Arief · June 20, 2009, 11:54am

On Fri, Jun 19, 2009 at 10:53 PM, Christopher Smith[email protected]
wrote:

It always strikes me as odd when people want this functionality (and Apache is proof that they do). It seems far easier to employ such restrictions at write/create time, or at least offline, rather than as part of the read.

what are you suggesting to prevent people from symlinking to root from
their web folder?

Edho_P_Arief · June 20, 2009, 1:32pm

On Fri, 2009-06-19 at 23:43 +0700, Edho P Arief wrote:

On Fri, Jun 19, 2009 at 10:53 PM, Christopher Smith[email protected] wrote:

It always strikes me as odd when people want this functionality (and
Apache is proof that they do). It seems far easier to employ such
restrictions at write/create time, or at least offline, rather than as
part of the read.

what are you suggesting to prevent people from symlinking to root from
their web folder?

Hit them with a clue-by-four? I think history has adequately
demonstrated that there will never be a technological solution for human
stupidity. As a side-effect, we’ve also learned that too many safety
features often lead to careless mistakes, since people start assuming
the software will protect them from themselves, when the reality is that
it can’t.

Cliff