>> Try adding this to "access.conf" on apache 0.8.11 or ncsa 1.4 (not sure >> about how CERN handles this). "SymLinksIfOwnerMatch" is only vaguely >> documented. SymLinksIfOwnerMatch, at least in NCSA httpd 1.4 through 1.5b3, is also broken. Here's the bug report I submitted to the ncsa-httpd team: SymLinksIfOwnerMatch can be trivially defeated. The check code basically does lstat(path,&fi); [...] bsz = readlink(path,realpath,256); [...] lstat(realpath,&lfi); if(fi.st_uid != lfi.st_uid) goto gong; which can be fooled by creating a soft link to a soft link to the target file. The second lstat should be a stat(), and the whole thing could be substantially simplified--something like lstat(path,&fi); if(!(S_ISREG(fi.st_mode))) { if(opts[n] & OPT_SYM_OWNER) { if (stat(path,&lfi) == -1) goto gong; if(fi.st_uid != lfi.st_uid) goto gong; } should be sufficient (be sure to fix both instances).