Symbol Links amongst Apache's served files, is this a security-don't?

jzacsh · February 10, 2010, 7:01pm

I read somewhere that you should make sure Apache is configured to not allow symbolic links to be followed outside the webroot, as this can compromise security.

I can imagine how this could lead to a security risk:
eg:

I link to a folder I know is safe (has no other links inside of it)
$ ls -lF /etc/www
blog/
content/
compStuff -> /home/me/web_stuff/

$ ls -lF /home/me/web_stuff/
ascii_file1
ascii_file2
So, because there's no links sitting in /home/me/web_stuff/ I think, "there's no chance the public might end up wandering any further outside the web root than they already have...". The bottom line is really that this is simply bad practice, because over time I may naturally forget that this web_stuff directory is exposed and in turn end up placing symbolic links inside /home/me/web_stuff/

Is my assumption correct? -- Is it nothing more than: "its just bad practice, because it leaves you open to make such above ^ mistakes"? Or is it more technically complicated and truly a direct security threat?
Are all symbolic links bad news inside of Apache served spaces? Eg. what about symbolic links linking to another directory within the web root?
I like symbolic links -- this would be a pain to have to avoid!

Thanks for the help!