Added disable_symlinks directive. To completely disable symlinks (disable_symlinks on) we use openat(O_NOFOLLOW) for each path component to avoid races. To allow symlinks with the same owner (disable_symlinks if_not_owner), use openat() (followed by fstat()) and fstatat(AT_SYMLINK_NOFOLLOW), and then compare uids between fstat() and fstatat(). As there is a race between openat() and fstatat() we don't know if openat() in fact opened symlink or not. Therefore, we have to compare uids even if fstatat() reports the opened component isn't a symlink (as we don't know whether it was symlink during openat() or not). Default value is off, i.e. symlinks are allowed.

commit: bd1e719bf9c4bc58076e7b52e87be645c9b803f5 [log] [tgz]
author: Andrey Belov <defan@nginx.com> Mon Feb 13 16:29:04 2012 +0000
committer: Andrey Belov <defan@nginx.com> Mon Feb 13 16:29:04 2012 +0000
tree: f1c94ff9e91e2d2594ba9d1ae7f92120cca36722
parent: 32c8df44d5f53026d92ec24bcf4c864359395e55 [diff] [blame]
diff --git a/src/core/ngx_open_file_cache.h b/src/core/ngx_open_file_cache.h
index 436de30..0ff3453 100644
--- a/src/core/ngx_open_file_cache.h
+++ b/src/core/ngx_open_file_cache.h

@@ -32,6 +32,10 @@
 
     ngx_uint_t               min_uses;
 
+#if (NGX_HAVE_OPENAT)
+    unsigned                 disable_symlinks:2;
+#endif
+
     unsigned                 test_dir:1;
     unsigned                 test_only:1;
     unsigned                 log:1;
@@ -64,6 +68,10 @@
 
     uint32_t                 uses;
 
+#if (NGX_HAVE_OPENAT)
+    unsigned                 disable_symlinks:2;
+#endif
+
     unsigned                 count:24;
     unsigned                 close:1;
     unsigned                 use_event:1;
commit	bd1e719bf9c4bc58076e7b52e87be645c9b803f5	[log] [tgz]
author	Andrey Belov <defan@nginx.com>	Mon Feb 13 16:29:04 2012 +0000
committer	Andrey Belov <defan@nginx.com>	Mon Feb 13 16:29:04 2012 +0000
tree	f1c94ff9e91e2d2594ba9d1ae7f92120cca36722
parent	32c8df44d5f53026d92ec24bcf4c864359395e55 [diff] [blame]