Re: Apache Security Problem

Hi,

I'm a little confused by exactly what problem you are trying to solve.
Am I right that you could do exactly the same thing by just having
your CGI script copy the relevant file into the webspace rather than
using a symlink?

If so, then this is just the standard issue with privilege separation
that is discussed here:
http://wiki.apache.org/httpd/PrivilegeSeparation

Joshua.

Sorry, I think I did not verbalize it clearly enough. ;)

The essence is the following: the way the symlink is created is irrelevant. In most cases this is a script, but a symlink can also be created by just unpacking an archive containing symlinks that point to other users' files. Symlinks are very flexible and can even point to themselves. A symbolic link in the filesystem is always created, even if the target has too few permissions or does not exist. In these cases the link is just dead for the CGI user that created it. But the link is not dead for the Apache user. If we consider that the other file is readable for Apache because it is part of a website, then Apache serves the content of the other user's file. Apache seems in this case just to check whether the source and target of the symlink are readable for the Apache user, and serves the file if so.

I can decrease the chmod of the target file, but if it also should be served by Apache, the group of the file has to be the Apache group, and we have the case that it is still readable. I cannot stop the creation of symlinks by script or other ways. I could activate SymLinksIfOwnerMatch, but the user could change this with their own .htaccess because I grant AllowOverride All in httpd.conf. Decreasing the AllowOverride level to remove the Options group is a really big step because it would also remove further helpful things: http://httpd.apache.org/docs/2.2/en/mod/core.html#options

Hmm, the best way would be to activate SymLinksIfOwnerMatch without removing the whole Options directive.

Now i have:

<Directory "/my/path">
AllowOverride FileInfo AuthConfig Limit Indexes
Options ExecCGI Includes MultiViews Indexes SymLinksIfOwnerMatch
</Directory>

and symlinks to other users' files are not permitted. But on the other hand, every .htaccess which uses the Options, php_flag, or php_value directive (maybe more) runs into a 500 error :(

Andre
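For comparison, here is an added configuration example (not from the thread, not Andre's config) showing the weak setting beside a restricted one. It assumes the httpd 2.2 `AllowOverride Options=...` list form documented on the core directives page linked above, and the hypothetical path /my/path.

```apache
# Weak: "AllowOverride All" lets any per-directory .htaccess rewrite Options,
# so a user can add FollowSymLinks or drop SymLinksIfOwnerMatch and have
# httpd follow a symlink into another user's readable file.
<Directory "/my/path">
    AllowOverride All
    Options ExecCGI Includes MultiViews Indexes SymLinksIfOwnerMatch
</Directory>

# Restricted: .htaccess may still use the Options directive, but only with
# the values named after "Options=" (comma-separated, no spaces).
# FollowSymLinks is deliberately absent from the list, so it cannot be
# enabled from .htaccess; the owner-match check stays in force.
<Directory "/my/path">
    AllowOverride FileInfo AuthConfig Limit Indexes Options=ExecCGI,Includes,MultiViews,Indexes,SymLinksIfOwnerMatch
    Options ExecCGI Includes MultiViews Indexes SymLinksIfOwnerMatch
</Directory>
```

A user can still write `Options None` or `Options -SymLinksIfOwnerMatch` in .htaccess, which only turns symlink following off for that directory, so the restriction fails closed. Run `apachectl -t` after the change to confirm the syntax is accepted by the installed httpd version.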

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.