koji 1.8.0-1 'toplink' Apache configuration

John Morris john at zultron.com
Thu Jul 4 04:42:40 UTC 2013


On 06/18/2013 11:03 PM, Mike McLean wrote:
> On 06/15/2013 02:39 PM, John Morris wrote:
>> Hi list,
>>
>> Updated to koji-1.8.0-1 over here.
>>
>> Koji repos reference local package URLs under the /kojifiles directory.
>> Since the previous version installed here, symlinks named 'toplink'
>> have been placed in generated repos' top level directories.  The symlink
>> is included in package URL paths, and without 'FollowSymLinks' added to
>> Apache's /kojifiles directory options, package URLs break.
> 
> Using toplink allows koji to create yum repos without a fixed baseurl 
> (rpm paths remain relative to the repo itself). This makes koji's repos 
> much more sane.
> 
>> Of course the Apache 'FollowSymLinks' behavior is disabled by default
>> because of security implications.  There may be a more secure
>> configuration, but we're not worried about that in our environment.  If
>> others don't chime in with advice for more secure options, do your
>> homework when security is a consideration in your environment!
> 
> Actually, FollowSymlinks is the default in the current apache httpd.
> http://httpd.apache.org/docs/current/mod/core.html#options
> 
> """
> FollowSymLinks
>      The server will follow symbolic links in this directory. This is 
> the default setting.
> """
> 
> This may be new in 2.4.

You nailed it!

We're on el6 over here (can't afford the upgrading effort at the
frequency of Fedora releases) with apache 2.2.  The same docs for 2.2
omit that statement about the default:

https://httpd.apache.org/docs/2.2/mod/core.html#options

I must have come across this before, since the 'latest' links would have
broken too.  My original config used 'SymLinksIfOwnerMatch'.  This broke
with the 'topdir' links because our top-level koji directory was owned
by root, not apache.

As for the security question, it says it right there:  symlinks are
potentially insecure even when these options are omitted.

Thanks, Mike.

	John
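
An added example, not part of the original message or of koji: a Python audit of the symlinks under a directory Apache serves. For each link it reports whether link and target share an owner (the condition 'SymLinksIfOwnerMatch' requires, and the one that failed above) and whether the target resolves outside the audited tree. The names `audit_symlinks` and `LinkReport` and the default root path are assumptions made for illustration.

```python
import os
import sys
from typing import NamedTuple


class LinkReport(NamedTuple):
    path: str          # the symlink itself
    target: str        # fully resolved target
    dangling: bool     # target does not exist
    owner_match: bool  # link uid == target uid
    inside_root: bool  # resolved target stays under the audited root


def audit_symlinks(root):
    """Return a LinkReport for every symlink found under root."""
    root_real = os.path.realpath(root)
    reports = []
    # followlinks=False: links are reported but never descended into (no loops).
    for dirpath, dirnames, filenames in os.walk(root_real, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            dangling = not os.path.exists(target)
            link_uid = os.lstat(path).st_uid  # owner of the link, not the target
            # SymLinksIfOwnerMatch follows a link only when both owners agree.
            owner_match = (not dangling) and os.stat(target).st_uid == link_uid
            inside = os.path.commonpath([root_real, target]) == root_real
            reports.append(LinkReport(path, target, dangling, owner_match, inside))
    return reports


if __name__ == "__main__":
    # Assumed default; pass the directory your Apache alias actually serves.
    root = sys.argv[1] if len(sys.argv) > 1 else "/mnt/koji"
    for r in audit_symlinks(root):
        problems = [label for label, bad in (
            ("DANGLING", r.dangling),
            ("OWNER-MISMATCH", not r.dangling and not r.owner_match),
            ("OUTSIDE-ROOT", not r.inside_root),
        ) if bad]
        print(f"{r.path} -> {r.target} {' '.join(problems) or 'ok'}")
```

Links flagged OWNER-MISMATCH are the ones that stop resolving under 'SymLinksIfOwnerMatch'; links flagged OUTSIDE-ROOT are the ones 'FollowSymLinks' lets requests reach beyond the served tree.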

