Is it possible to disallow/disable nginx from following symlink?
Hello!
On Wed, Jun 17, 2009 at 02:57:53PM +0700, Edho P Arief wrote:
> Is it possible to disallow/disable nginx from following symlink?
No.
The only way is to use filesystem without following symlinks
(mount -o nosymfollow under FreeBSD should do the trick, not sure
about Linux).
Maxim D.
It’s not possible. Trying to do so would be a major performance hit.
With a feature like this, nginx would have to call stat() on every
element in the path to make sure it’s not a symlink.
So instead of one stat() on /usr/local/www/domain/htdocs/dir/foo/bar/index.html,
nginx would have to do nine!
Madness
On Fri, Jun 19, 2009 at 9:18 PM, Avleen Vig wrote:
> It’s not possible. Trying to do so would be a major performance hit.
> With a feature like this, nginx would have to call stat() on every element
> in the path to make sure it’s not a symlink.
> So instead of one stat() on
> /usr/local/www/domain/htdocs/dir/foo/bar/index.html, nginx would have to do
> nine!
> Madness
how about apache’s -like directive?
maybe something like
filepath / { deny all; }
filepath /var/www { allow all; }
?
On Fri, Jun 19, 2009 at 10:53 PM, Christopher Smith wrote:
> It always strikes me as odd when people want this functionality (and
> Apache is proof that they do). It seems far easier to employ such
> restrictions at write/create time, or at least offline, rather than as
> part of the read.
what are you suggesting to prevent people from symlinking to root from
their web folder?
On Fri, 2009-06-19 at 23:43 +0700, Edho P Arief wrote:
> On Fri, Jun 19, 2009 at 10:53 PM, Christopher Smith wrote:
> > It always strikes me as odd when people want this functionality (and
> > Apache is proof that they do). It seems far easier to employ such
> > restrictions at write/create time, or at least offline, rather than as
> > part of the read.
>
> what are you suggesting to prevent people from symlinking to root from
> their web folder?
Hit them with a clue-by-four? I think history has adequately
demonstrated that there will never be a technological solution for human
stupidity. As a side-effect, we’ve also learned that too many safety
features often lead to careless mistakes, since people start assuming
the software will protect them from themselves, when the reality is that
it can’t.
Cliff