TUX is designed to have very strict security. This is possible because
the assistant user-space daemons is used to handle the complex exceptions.
TUX only serves a file if
The URL does not contain ?.
The URL does not start with /.
The URL points to a file that exists.
The file is world-readable.
The file is not a directory.
The file is not executable.
The file does not have the sticky-bit set.
The URL does not contain any forbidden substrings such as
Configurable through the sysctl parameters in /proc/sys/net/tux