Re: Apache Security Problem

On Wed, May 14, 2008 at 10:31 AM, Andre Hübner <andre.huebner@xxxxxx> wrote:
> Hi List,
>
> System: Suse 10.1, Apache 2.2.8
>
> It seems that I have a security problem with script-created symlinks.
>
> I have a little PHP script that creates, with symlink(), a symbolic link to
> another file of another user.
> When starting this script as non-root using php-cli it is successful; only if
> the chmod of the target file is high enough (world-readable) can I view the files.
> Now the problem: the content of the symlinked file is visible when viewing it by
> HTTP request: http://example.com/linkname
>
> Background is that I provide the PHP module as well as php-cgi. Home folders of
> users are chowned to user.nogroup to grant reading for the Apache group. The chmod
> of every home is 750; this stops normal reading with fopen etc. Files within the
> user home are chowned to user.user, and there should be a world-readable flag
> for Apache, but this makes files readable when symlinked.
>
> I think I cannot stop the creation of "dead" symlinks by any script language.
> I could set Option +SymLinksIfOwnerMatch, but I grant AllowOverride All in
> httpd.conf and I had to deactivate the whole Options group.
> Just activating SymLinksIfOwnerMatch with no chance for users to deactivate it
> should be the best in my case.
> Someone with know-how on this issue? Or are there other ways to ensure
> security?

I'm a little confused by exactly what problem you are trying to solve.
Am I right that you could do exactly the same thing by just having
your CGI script copy the relevant file into the webspace rather than
using a symlink?

If so, then this is just the standard issue with privilege separation
that is discussed here:
http://wiki.apache.org/httpd/PrivilegeSeparation

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
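
The configuration the original poster is asking for, written out here as an added example (it is not taken from the thread or from the Apache project): SymLinksIfOwnerMatch is set server-side and the Options group is withheld from AllowOverride, so a user's .htaccess cannot turn FollowSymLinks back on. It assumes the user sites are served from somewhere under /home (an assumption; adjust the path) and targets Apache 2.2 as in the post.

```apache
# Added example for httpd.conf on Apache 2.2 (not from the original thread).
# Assumes user content is served from under /home (assumption).

# Weak form, as described in the post: AllowOverride All lets any .htaccess
# re-enable FollowSymLinks, so a SymLinksIfOwnerMatch in httpd.conf is moot.
#
# <Directory /home>
#     Options FollowSymLinks
#     AllowOverride All
# </Directory>

# Hardened form. The server follows a link only when the owner of the link
# matches the owner of its target, and the Options group is kept out of
# .htaccess so users cannot switch that check off again.
<Directory /home>
    # Relative (+/-) syntax touches only the two symlink options and leaves
    # whatever else is inherited (ExecCGI for php-cgi, Indexes, ...) intact.
    Options -FollowSymLinks +SymLinksIfOwnerMatch

    # Everything "AllowOverride All" grants except Options. With Options
    # absent from this list, an "Options +FollowSymLinks" line in a user's
    # .htaccess is refused ("not allowed here") and the request fails with a
    # 500 instead of serving the link.
    AllowOverride AuthConfig FileInfo Indexes Limit
</Directory>
```

With this in place, a link created by php-cli under the user's own account is owned by that user, and a link created through the PHP module is owned by the Apache user; in both cases the target belongs to someone else, so http://example.com/linkname answers 403 Forbidden instead of returning the file (check with curl -I). Two caveats a practitioner should keep in mind: the Apache documentation itself notes that symlink testing is subject to race conditions (a link can be swapped between the check and the open), so SymLinksIfOwnerMatch should be treated as a hardening measure rather than the only barrier; and the per-user privilege separation (suexec or a per-user FastCGI setup) described on the wiki page linked above is what actually removes the need for world-readable files in the first place.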
