Run the user's FCGI/node/whatever handlers as the user (I run all my stuff out of daemontools, it's absolutely perfect for this sort of thing) and then tell nginx to proxy to them. Have all content owned by the user, and they can setup whatever permissions they like to prevent bad actors from getting at their stuff.
It seems to be that mount --bind is the solution I was looking for. There are reasons for and against the usage of ln -s vs mount --bind, but it seems to be common practice to mount a device several times on linux systems (even mounting single files onto other files is encouraged in man mount) and it seems that system stability isn’t seriously affected.
Only drawback is of course that, if mount points are not fixed by modifying /etc/fstab, they will get lost upon server restart.
One more word to WebDAV: There was an internet draft (which has expired meanwile) to extend the WebDAV specification in order to allow “advanced collections”, which should offer the capability of handling links, too. Work was spent on that question in about 1998—2002, then the toppic disappeared silently. You might find several pages on the internet claming that WebDav supports symbolic links by means of advanced collections, but currently, this is not the case. Current (v.1.0.3-1.3.6) mod_dav source code reads:
/* ### for now, only process regular files (e.g. skip symlinks) */
if (S_ISREG(fsctx->info1.finfo.st_mode)) {
One might expect that the Tomcat 6’s WebDAV module could be unaware of symbolic links (as, afaik, awareness of such file system special stuff wasn’t incorporated into the Java model before version 7), but it shows the same behaviour, thus conforming to the specification, too.
Last, a symlink patch for mod_dav-1.0.3-1.3.6 has been published, but you will have to apply the patch onto the source code and compile the module yourself … I didn’t try that.
Best Answer
Use the
disable_symlinksdirective: