I think I am going to go with Bill's suggestion, create a new user, have extremely restricted access for this user and run the Apache service under the context of this user...

Thanks guys.
Neelay

--- "William A. Rowe, Jr." <wrowe@xxxxxxxxxxxxx> wrote:

> Neelay Shah wrote:
> > Well, there are some programs like "junction"
> > available on sysinternals that supposedly make hard
> > link equivalent on windows...and the point is the user
> > can create a hard link to c:\ in his user dir.
>
> No that's a junction, and Apache2 should treat it as
> a softlink.
>
> > and it will expose the whole hard drive and that is why I am
> > concerned about it...how to stop the web server from
> > following ...
>
> no, there are also 'ln' utilities to create win32 hardlinks on NTFS.
> You can do it on FAT, but I've always just used the disk editor to
> create those manually (they are -not- stable).
>
> You are better off setting up a user to 'run as', change the
> service to 'run as' that user, and set up absolutely strict
> permissions.
>
> I sort of misspoke before; the MFT entry for the file on Windows,
> as well as most *nix'es allow you to see how many hard links point
> to the given file (e.g. usually 1, the original). You can't tell
> if each is a hard or soft link. But it would theoretically be
> possible to hack apr and apache to deny hard links. That would
> deny the original and second link, of course, so it would add
> another vulnerability - making it possible for another user to
> 'deny' the existence of the original file.
>
> Bill
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
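The link-count check discussed in the thread, as an added example that is not part of the original messages: a Python audit that lists symlinks, Windows reparse points (junctions included) and files with more than one hard link under a document root. The function names and the sample tree are constructed for illustration; it reports rather than denies, because every name of a hard-linked file shows the same count.

```python
import os
import stat
import tempfile


def classify(st):
    """Name the kind of link an lstat() result describes, or return None."""
    attrs = getattr(st, "st_file_attributes", 0)  # populated on Windows only
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT:
        return "reparse point"  # NTFS junctions land here
    if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
        return "hard links: %d" % st.st_nlink
    return None


def audit_links(docroot):
    """List (path, reason) for every linked entry below docroot."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in list(dirnames) + filenames:
            path = os.path.join(dirpath, name)
            reason = classify(os.lstat(path))  # lstat: the link, not its target
            if reason:
                findings.append((path, reason))
                if name in dirnames:
                    dirnames.remove(name)  # do not descend through a link
    return findings


def demo():
    """Constructed tree: a docroot holding a second name for an outside file."""
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "htdocs")
        os.mkdir(docroot)
        outside = os.path.join(base, "outside.txt")
        for path in (outside, os.path.join(docroot, "index.html")):
            with open(path, "w") as fh:
                fh.write("sample\n")
        os.link(outside, os.path.join(docroot, "alias.txt"))
        found = [(os.path.relpath(p, docroot), r) for p, r in audit_links(docroot)]
        # The file outside the docroot carries the same count as its alias,
        # so the count alone cannot say which name came first.
        return found, os.stat(outside).st_nlink


if __name__ == "__main__":
    print(demo())
```

Run it as the restricted service account against the real document root to see what that account can reach through links.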