Added disable_symlinks directive.

To completely disable symlinks (disable_symlinks on)
we use openat(O_NOFOLLOW) for each path component
to avoid races.

To allow symlinks with the same owner (disable_symlinks if_not_owner),
use openat() (followed by fstat()) and fstatat(AT_SYMLINK_NOFOLLOW),
and then compare uids between fstat() and fstatat().

As there is a race between openat() and fstatat() we don't
know if openat() in fact opened symlink or not.  Therefore,
we have to compare uids even if fstatat() reports the opened
component isn't a symlink (as we don't know whether it was
symlink during openat() or not).

Default value is off, i.e. symlinks are allowed.

1 files changed, 8 insertions, 0 deletions

diff --git a/src/core/ngx_open_file_cache.h b/src/core/ngx_open_file_cache.h
index 436de3060..0ff345318 100644
--- a/src/core/ngx_open_file_cache.h
+++ b/src/core/ngx_open_file_cache.h
@@ -32,6 +32,10 @@ typedef struct {
 
     ngx_uint_t               min_uses;
 
+#if (NGX_HAVE_OPENAT)
+    unsigned                 disable_symlinks:2;
+#endif
+
     unsigned                 test_dir:1;
     unsigned                 test_only:1;
     unsigned                 log:1;
@@ -64,6 +68,10 @@ struct ngx_cached_open_file_s {
 
     uint32_t                 uses;
 
+#if (NGX_HAVE_OPENAT)
+    unsigned                 disable_symlinks:2;
+#endif
+
     unsigned                 count:24;
     unsigned                 close:1;
     unsigned                 use_event:1;