This experimental option can be used to open additional areas of the filesystem to unprivileged (not root), but restricted users.

For example, let's say you have a restricted user named joeuser whose restricted directory is /home/joeuser. Normally joeuser cannot access any file outside of /home/joeuser, but you want him to be able to access his web document root which is at /usr/local/apache/users/joeuser.

If you use this option to allow /usr/local/apache/users/joeuser, you could then do the following:

# cd /home/joeuser
# mkdir users
# ln -s /usr/local/apache/users/joeuser users/joeuser

This would create a virtual graft where the users/joeuser path would now point to /usr/local/apache/users/joeuser, so joeuser could access his web documents by FTP. In this case the graft point is the symbolic link joeuser which is in /home/joeuser/users.

Note that there is a limitation where the graft point must be the same name as the last directory node in your allow-path, so unfortunately the following would not work, because the last node in your allow-path of /usr/local/apache/users is users while the graft point is named public_html.

# ln -s /usr/local/apache/users/joeuser /home/joeuser/public_html

Examples:

allow-paths=/tmp|/usr/local/apache/users
#allow-paths=    (commented out)

Recommendation:

#allow-paths=    (commented out)