Bug 28492

Summary: Apache does not like symbolic links pointing to directories in "Include" statements
Product: Apache httpd-2 Reporter: Henning Schmiedehausen <hps>
Component: CoreAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: CLOSED FIXED    
Severity: normal CC: jari.aalto
Priority: P3    
Version: 2.1-HEAD   
Target Milestone: ---   
Hardware: Other   
OS: other   

Description Henning Schmiedehausen 2004-04-20 09:46:35 UTC
When including a directory of configuration files, the reference must not contain
a symbolic link. I e.g. have the following case:

/mnt/disk0/www.server1/<lots of virtual servers>.conf
/mnt/disk0/www.server2/<lots of virtual servers>.conf

/virtual/www.server1 --- symbolic link --> /mnt/disk0/www.server1/
/virtual/www.server2 --- symbolic link --> /mnt/disk0/www.server2/

If I put

Include /mnt/disk0/www.server1/*.conf

into httpd.conf, it works. If I put

Include /virtual/www.server1/*.conf

into httpd.conf, it works not. In the strace of the httpd process, it is visible
that apache tests, whether the /virtual/www.server1 reference is a directory but
gets an error and halts. 

Apache should test, whether an include reference is a symbolic link and if yes, 
test its target to be a directory.
Comment 1 André Malo 2004-04-20 09:59:56 UTC
That is by intention in order to avoid infinite loops. It just needs to be
better documented.
Comment 2 Henning Schmiedehausen 2004-04-20 14:01:53 UTC
Sorry to bother you, but IMHO this is still a bug.

We e.g. have a scenario where this include link points to an NFS mounted
directory which can change due to failover reasons. This is how I found the
problem. Basically I have a Include "/virtual/foo/*.conf" and the foo can be
dynamically change doing a failover and a httpd restart. Our current solution
rewrites the config files using sed and is awkward at best (pun intended).

Can we have an IncludeFollowLinksYesIveReadTheManualAndKnowAboutPossibleLoops
directive? :-)  (Would you accept patches?)

For content we have "FollowSymLinks".Why not the same thing for the configuration? 
Comment 3 André Malo 2004-04-21 07:22:03 UTC
I've finally found a way to stop include directive recursion (by using the pool
context). So I no longer see a need for the symlink stopper at all, hence I'm
going to patch it out. (just replacing ap_is_rdirectory with ap_is_directory in
ap_process_resource_config and process_resource_config_nofnmatch).

The recursion stopper is currently in 2.1 and proposed for backport into 2.0.
Comment 4 Henning Schmiedehausen 2004-04-21 09:02:38 UTC
Thanks a lot! This will really help me with our HA environments and future
releases of the httpd.
Comment 5 André Malo 2004-08-27 19:14:45 UTC
FYI: The fix will be in 2.0.51.
Comment 6 André Malo 2004-09-07 17:12:38 UTC
*** Bug 31099 has been marked as a duplicate of this bug. ***