[ Team LiB ] Previous Section Next Section

11.7 Symbolic Links Lookup

The two options FollowSymLinks and SymLinksIfOwnerMatch are designed for the user's security. Unless FollowSymLinks is enabled, symbolic links will not be followed by the server. If SymLinksIfOwnerMatch is enabled, the server will follow symbolic links only when the target file or directory is owned by the same user as the link. Note that the two options are ignored if set within a <Location> block.

This protection costs a little overhead for each request. Wherever in your URL-space you do not have this setting:

Options FollowSymLinks

or you do have this setting:

Options SymLinksIfOwnerMatch

Apache will have to issue an extra call to lstat( ) per directory segment in the path to the file. For example, if you have:

DocumentRoot /home/httpd/docs
<Directory />
    Options SymLinksIfOwnerMatch
</Directory>

and a request is made for the URI /index.html, Apache will perform lstat( ) on these three directories and one file:

/home
/home/httpd
/home/httpd/docs
/home/httpd/docs/index.html

The deeper the file is located in the filesystem, the more lstat( ) system calls will be made. The results of these lstat( ) calls are never cached, so they will occur for every single request. If you really want the symbolic-links security checking, you can do something like this:

DocumentRoot /home/httpd/docs
<Directory />
    Options FollowSymLinks
</Directory>
<Directory /home/httpd/docs>
    Options -FollowSymLinks +SymLinksIfOwnerMatch
</Directory>

This at least avoids the extra checks for the DocumentRoot path. Note that you'll need to add similar sections if you have any Alias or RewriteRule paths outside of your document root. For highest performance, and no symbolic link protection, set the FollowSymLinks option everywhere, and never set the SymLinksIfOwnerMatch option.

    [ Team LiB ] Previous Section Next Section