Bugtraq mailing list archives
Re: HTTPD bug
From: jkonczal () nist gov (Joe Konczal)
Date: Tue, 18 Apr 1995 16:49:53 -0400
Martin J Hargreaves <ch11mh () surrey ac uk> writes:
Unfortunately just running as 'nobody' is not enough: you have to either disallow the following of symlinks in user directories (which is a good idea anyway), choose which users can have symlinks and have a more complex access list (this is NCSA httpd, I don't know about the CERN version), or lastly just allow any user to give the network read access to your system (may be an option for those in a secure environment or who trust all the users on the system).
Aren't there plenty of other ways an untrusted user could distribute "other" readable files, like e-mail, news, a reference in his home page to another httpd on a high-numbered port, printouts stapled to telephone poles, etc.? Would you sleep better at night knowing that your untrusted users might be distributing your password file or any other files they can read, without making the httpd follow symbolic links?

--
Joseph C. Konczal <konczal () csmes ncsl nist gov>
National Institute of Standards and Technology
Tech. A62, Gaithersburg, MD 20899 USA
(301) 975-3285
NIST Computer Security Resource Clearinghouse - http://csrc.ncsl.nist.gov
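The mitigation Martin describes (not letting the server follow symlinks in user directories unless they are trusted) can also be audited from the admin side. The script below is an added example, not code from the thread or from NCSA httpd: it walks an assumed per-user document root and flags every symlink that is dangling, whose target has a different owner than the link itself (the rule later httpds expose as SymLinksIfOwnerMatch), or that resolves outside the document root. The sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile


def classify_link(link_path, docroot):
    """Judge one symlink the way a cautious httpd should.

    Returns 'dangling', 'owner-mismatch', 'outside-docroot' or 'ok'.
    """
    try:
        target = os.stat(link_path)       # stat() follows the link
    except OSError:
        return "dangling"
    link = os.lstat(link_path)            # the link inode itself
    if link.st_uid != target.st_uid:      # the owner-match rule
        return "owner-mismatch"
    real = os.path.realpath(link_path)
    root = os.path.realpath(docroot)
    if os.path.commonpath([real, root]) != root:
        return "outside-docroot"          # e.g. a link to /etc/passwd
    return "ok"


def audit_symlinks(docroot):
    """Map each offending symlink (relative to docroot) to its verdict."""
    findings = {}
    for cur, dirs, files in os.walk(docroot):   # does not descend into linked dirs
        for name in dirs + files:
            path = os.path.join(cur, name)
            if os.path.islink(path):
                verdict = classify_link(path, docroot)
                if verdict != "ok":
                    findings[os.path.relpath(path, docroot)] = verdict
    return findings


def demo():
    """Constructed sample public_html: one harmless link, one escaping, one dangling."""
    root = tempfile.mkdtemp(prefix="public_html-")
    outside = tempfile.mkdtemp(prefix="elsewhere-")   # stands in for /etc
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>hello</h1>\n")
    with open(os.path.join(outside, "secret"), "w") as f:
        f.write("not for the network\n")
    os.symlink("index.html", os.path.join(root, "home.html"))        # fine
    os.symlink(os.path.join(outside, "secret"), os.path.join(root, "leak"))
    os.symlink("does-not-exist", os.path.join(root, "stale"))
    return audit_symlinks(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print("%-12s %s" % (path, verdict))
```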