From: Sheldon Hearn
To: Mark Thomas
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 20 Jun 2002 13:53:47 +0200
Subject: Re: Apache 1.3.26 port
Message-ID: <20020620115347.GC73571@starjuice.net>

On (2002/06/20 07:38), Mark Thomas wrote:

> OK, where exactly are these symlinks supposed to be? I upgraded 3 servers
> last night with no issues (though in 2/3 cases I had non-standard locations
> for data and cgi-bin directories). I just reviewed the apache13 port tree
> and didn't see anything resembling the data.default symlink mentioned.

The symlinks aren't created if the cgi-bin and data directories already
exist. They're only created so that a default installation of Apache
"works", in that http://localhost/ shows a page.

If you already have cgi-bin and data directories, the port leaves them
alone.

You can see the symlinks being created in the pkg-plist:

| www/data.default/apache_pb.gif
| @exec [ -d %D/www/data/ ] || ln -fs %B %D/www/data
| [...]
| www/cgi-bin.default/printenv
| @exec [ -d %D/www/cgi-bin/ ] || ln -fs %B %D/www/cgi-bin

You can see support for removing the symlinks at uninstall time in the
pkg-plist:

| @unexec if [ -L %D/www/cgi-bin ]; then rm -f %D/www/cgi-bin; fi
| @unexec if [ -L %D/www/data ]; then rm -f %D/www/data; fi

So basically, folks who have their web content blown away by the port or
package have fallen victim to a process that's actually intended to make
things safe. What was never considered was that people would leave the
symlinks in place.

Ciao,
Sheldon.
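
A pre-upgrade check built on the `-d` and `-L` tests in the plist lines quoted above, as an added example that is not part of the original message or the port. The function names and the `simulate_install` replay are hypothetical, and it assumes `%D` is the install prefix and `%B` is the directory of the preceding plist file entry.

```shell
#!/bin/sh
# Added example, not part of the port. Paths follow the pkg-plist lines
# quoted in the message; function names are hypothetical.

# Print the state of one port-managed path.
classify() {
    if [ -L "$1" ]; then
        echo symlink     # the @unexec line removes this link at deinstall
    elif [ -d "$1" ]; then
        echo directory   # the @exec test succeeds, so the port leaves it alone
    else
        echo missing     # the @exec line will create a symlink here
    fi
}

# Report www/data and www/cgi-bin under a prefix; return 1 if either is a
# symlink, meaning content placed there really lives in the *.default dir.
check_prefix() {
    rc=0
    for name in data cgi-bin; do
        state=$(classify "$1/www/$name")
        echo "$1/www/$name: $state"
        if [ "$state" = symlink ]; then rc=1; fi
    done
    return "$rc"
}

# Replay the two @exec lines against a prefix. Assumption: %D is the
# prefix and %B is the directory of the preceding plist file entry.
simulate_install() {
    for name in data cgi-bin; do
        mkdir -p "$1/www/$name.default"
        [ -d "$1/www/$name/" ] || ln -fs "$1/www/$name.default" "$1/www/$name"
    done
}

# Usage: sh check.sh /usr/local
if [ "$#" -gt 0 ]; then
    check_prefix "$1"
fi
```

A non-zero exit from `check_prefix` means at least one of the two locations is still the port's symlink, so site content should be moved into a real directory before the port is upgraded or removed.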