Added disable_symlinks directive. To completely disable symlinks (disable_symlinks on) we use openat(O_NOFOLLOW) for each path component to avoid races. To allow symlinks with the same owner (disable_symlinks if_not_owner), use openat() (followed by fstat()) and fstatat(AT_SYMLINK_NOFOLLOW), and then compare uids between fstat() and fstatat(). As there is a race between openat() and fstatat() we don't know if openat() in fact opened symlink or not. Therefore, we have to compare uids even if fstatat() reports the opened component isn't a symlink (as we don't know whether it was symlink during openat() or not). Default value is off, i.e. symlinks are allowed.

--- a/src/core/ngx_open_file_cache.h
+++ b/src/core/ngx_open_file_cache.h
@@ -32,6 +32,10 @@ typedef struct {
 
     ngx_uint_t               min_uses;
 
+#if (NGX_HAVE_OPENAT)
+    unsigned                 disable_symlinks:2;
+#endif
+
     unsigned                 test_dir:1;
     unsigned                 test_only:1;
     unsigned                 log:1;
@@ -64,6 +68,10 @@ struct ngx_cached_open_file_s {
 
     uint32_t                 uses;
 
+#if (NGX_HAVE_OPENAT)
+    unsigned                 disable_symlinks:2;
+#endif
+
     unsigned                 count:24;
     unsigned                 close:1;
     unsigned                 use_event:1;