Disable - Symbolic Linked Files

1. The problem I’m having:

I have been researching how to disable the following of symbolically linked files, which potentially allows unauthorized access to restricted files. When accessing `restricted` requires authentication, if I create a symlink in `share`, I can get to `restricted`.
My Caddyfile:

```
10.2.2.35 {
    root * /share
    basic_auth /restricted/* {
        bob ****** hash here *****
    }
    file_server {
        browse
    }
    log {
        output file /var/log/caddy/access.log
        format json
    }
}
```

2. Error messages and/or full log output:

No error message; the question is how to stop the following of symlinks from `share` to anywhere.

3. Caddy version:

```
caddy --version
v2.8.4
```

4. How I installed and ran Caddy:

```
pkg install caddy
```

a. System environment:

FreeBSD

b. Command:

```
service caddy start
```


d. My complete Caddy config:

The config works: I am able to access my share and authenticate to `restricted`. However, I am able to bypass auth by creating a symlink in `share`.

```
10.2.2.35 {
    root * /share
    basic_auth /restricted/* {
        bob ****** hash here *****
    }
    file_server {
        browse
    }
    log {
        output file /var/log/caddy/access.log
        format json
    }
}
```

5. Links to relevant resources:

Caddy runs as a user/group that has read access to `share` and `restricted`.

I’d argue that if they shouldn’t be followed, they shouldn’t be present in the root directory. That aside, you can probably prevent following the symlink by assigning a different owner or permission bits that disallow the user Caddy runs as.


Thanks for the response. There aren’t, or shouldn’t be, any symlinks in the root directory. This was more of a security measure to prevent any accidents or exploitation. The issue is that if I disallow the user Caddy runs as, the authenticated user would also not be able to access the `restricted` directory.
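As an added example (not from this thread or the Caddy project), here is a POSIX shell audit that lists symlinks under the site root which would let a request path sidestep a path-based `basic_auth /restricted/*` matcher, escape the root entirely, or dangle; the root and the protected subdirectory are assumed as arguments, and it relies only on `find -type l` and `readlink -f`.

```shell
#!/bin/sh
# audit_symlinks ROOT PROTECTED
#   ROOT      : directory given to `root *` in the Caddyfile (e.g. /share)
#   PROTECTED : subdirectory guarded by basic_auth, relative to ROOT
#               (e.g. restricted, matching `basic_auth /restricted/*`)
# Prints one line per offending link: "<link> -> <resolved target> (<reason>)"
#   protected : link outside the guarded tree resolves into it (auth bypass)
#   outside   : link resolves to a path outside ROOT
#   dangling  : link target does not exist
# Links that resolve elsewhere inside ROOT are harmless and are not printed.
audit_symlinks() {
  root=$(readlink -f "$1") || return 2
  guarded="$root/$2"
  # -type l matches the link itself; find does not follow symlinks here.
  find "$root" -type l | while IFS= read -r link; do
    # A link that already lives inside the guarded tree is only served after
    # authentication, so it cannot bypass the matcher; skip it.
    case "$link" in "$guarded"/*) continue ;; esac
    # readlink -f resolves every component; fails (empty) on BSD for dangling links
    target=$(readlink -f "$link" 2>/dev/null)
    if [ -z "$target" ] || [ ! -e "$target" ]; then
      echo "$link -> ? (dangling)"
    elif [ "$target" = "$guarded" ]; then
      echo "$link -> $target (protected)"
    else
      case "$target" in
        "$guarded"/*) echo "$link -> $target (protected)" ;;
        "$root"/*|"$root") : ;;              # stays inside ROOT, outside guarded tree
        *)            echo "$link -> $target (outside)" ;;
      esac
    fi
  done
}
```

Running it from cron against the web root gives an early warning when a stray link appears, without changing the permissions Caddy needs to serve the authenticated tree.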
