I'm glad to hear that hard links are working for you.
I'll try to include the hard link option in the next release.
>From: "Douglas Yatcilla" <yatcilda@umdnj.edu>
>It might be hard for suEXEC to track this down if the file you pass to
>it is a sym link to another sym link to another sym link (etc., etc.)
>before finally getting to the program to be executed. So, it decides
>instead to just reject all sym-linked programs instead.
Hmm, I can see that long or even infinitely deep linking would be a
problem. Instead of following the links indefinitely, it could loop a
small finite number of times. I bet the concern for problems in
this area is the reason it has not yet been fixed.
If it allows hard links but not symbolic links, then clearly the restriction
is not based on a security issue of linking to a program in another person's
space. Hard links have just as much of a problem with that.
>I just got a copy of cgiwrap (version 3.6.3) and it also refuses to
>execute target programs that are sym links (unless you indicate
>--without-check-symlink when you configure the program.)
Perhaps that is a new option. I've only used cgiwrap with
the default configuration as far as I know. I'll make an addition
to the documentation about this. Thanks.
>I made a copy of the linkIt() subroutine in setup.pl then modified it to
>create hard links instead of symbolic links. I renamed the original
>linkIt() subroutine to symlinkIt() then modified the setupScriptDirs()
>subroutine to use it to create sym links to the directories.
>
>Everything seemed to work OK and suEXEC did not complain.
Hmm, you might have just been lucky. The linkIt routine is used
to link directories and access files as well as scripts.
You can't hard link directories, although there may be no problem
with hard linking the access files.
The general solution must keep in mind that some installations might
have the document directories on a separate partition, and hard links
will not work across partitions although symbolic links will.
It is reasonable that all the scripts could be on the same partition,
so hard links should be OK for that.
>But, there are also the following places where the scripts (or links to
>scripts) are located:
>
> HyperNews/.scripts/
> HyperNews/.scripts/Admin/
> HyperNews/.scripts/SECURED/
> ...
There should only be the real HyperNews directory, and the real
subdirectories HyperNews/SECURED, HyperNews/Admin and HyperNews/.scripts.
All the scripts are in the .scripts directory and the hnrc config file
is in HyperNews/Admin/hnrc. Everything else should be
a symbolic link. From each directory, there is a link to the other
directories. This is so that from each directory, we can
get to the others by using the same path. Probably not all of those
links are necessary any more, however.
>It's hard for me to keep track of all of these directories and scripts
You shouldnt have to. There is an infinite number of subdirectories
if you want to follow them, e.g. HyperNews/.scripts/.scripts/.scripts/...,
but why trouble yourself?
>But, as you said, everything works now, which is what matters! Thanks
>for an interesing program.
Glad it works, but there is room for lots of improvements.
dan
|
Thanks for the hard link report 
Design question: why so many symbolic links?
(Douglas Yatcilla)
Changed setup.pl to use hard links; seems to work
(Douglas Yatcilla)
Error-log
by rguyer@dual-tech.com, 1999, Mar 20
