Re: Re: Apache Security Problem

On Thu, May 15, 2008 at 3:36 AM, Andre Hübner <andre.huebner@xxxxxx> wrote:

>
> sorry, I think I didn't express myself clearly enough.  ;)
> The essence is the following: The way of creating a symlink is irrelevant. In most
> cases this is a script, but a symlink can also be created by just unpacking an
> archive with symlinks that point to other users' files.
> Symlinks are very flexible and can even point to themselves. A symbolic link in the
> filesystem is always created, even if the target has too few permissions or does
> not exist. In these cases the link is just dead for the cgi user that
> created it. But the link is not dead for the apache user. If we consider that the other
> file is readable for apache because it is part of a website, then apache serves the
> content of the other user's file. Apache seems in this case just to check whether
> source and target of the symlink are readable for the apache user and serves the file if
> so. I can lower the chmod of the target file, but if it should also be served
> by apache, the group of the file has to be the apache group and we have the case
> that it is still readable.
> I cannot stop the creation of symlinks by script or other ways. I could activate
> SymLinksIfOwnerMatch, but a user could change this with their own .htaccess because I
> grant AllowOverride All in httpd.conf.
> Lowering the AllowOverride level to remove the Options group is a really big step
> because it would also remove further helpful things
> http://httpd.apache.org/docs/2.2/en/mod/core.html#options
> Hmm, the best way would be to activate SymLinksIfOwnerMatch without removing the
> whole Options directive.
>
> Now I have:
>
> <Directory "/my/path">
> AllowOverride FileInfo AuthConfig Limit Indexes
> Options ExecCGI Includes MultiViews Indexes SymLinksIfOwnerMatch
> </Directory>
>
> and symlinks to other users' files are not permitted. But on the other hand,
> every .htaccess which uses the Options, php_flag or php_value directives (maybe
> more) runs into a 500 error :(

You can restrict particular options using the technique shown here:
http://httpd.apache.org/docs/2.2/howto/htaccess.html#how

But I have a feeling that there are other ways around your separation.
It depends on exactly the details of how you are running your scripts.

Joshua.
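As an added example (not part of the original thread and not from either poster), the two configurations below contrast the poster's first setting with one that keeps the Options override available to .htaccess files while removing only the symlink-related options from what users may toggle. It relies on the `AllowOverride Options=Option,...` syntax documented for Apache 2.2 (a comma-separated list with no spaces); the path "/my/path" is the one from the original post, and the choice of which options to allow is an assumption that mirrors the options the poster already enables server-wide.

```apache
# Added example, not from the original thread or the Apache project.
# Goal: stop .htaccess files from re-enabling FollowSymLinks (which would
# undo SymLinksIfOwnerMatch) without withdrawing the whole Options override.

# Weak setting (the poster's original): AllowOverride All lets any user's
# .htaccess say "Options +FollowSymLinks" and defeat SymLinksIfOwnerMatch.
#<Directory "/my/path">
#    AllowOverride All
#    Options ExecCGI Includes MultiViews Indexes SymLinksIfOwnerMatch
#</Directory>

# Hardened setting (Apache 2.2 or later): the Options override is still
# granted, but only for the listed options. FollowSymLinks and
# SymLinksIfOwnerMatch are deliberately absent from the list, so a
# .htaccess that tries to set them is rejected with an error instead of
# being honoured. The option list itself is an assumption chosen to match
# what the poster already enables server-wide.
<Directory "/my/path">
    AllowOverride FileInfo AuthConfig Limit Indexes Options=ExecCGI,Includes,MultiViews,Indexes
    Options ExecCGI Includes MultiViews Indexes SymLinksIfOwnerMatch
</Directory>
```

Because the Options override class is still granted, `Options` lines in .htaccess that only touch the listed options keep working, and so do mod_php's `php_flag`/`php_value` directives, which the PHP manual documents as requiring `AllowOverride Options` (or `All`); that is why they produced 500 errors once Options was dropped entirely. Two caveats a practitioner should keep in mind: a .htaccess that attempts one of the excluded options (for example `Options +FollowSymLinks`) will still fail with a 500 rather than being silently ignored, and the Apache core documentation itself notes that symlink ownership checks are subject to race conditions, so SymLinksIfOwnerMatch narrows the problem but is not a hard boundary between mutually distrusting local users. That limitation is the kind of remaining gap Joshua's reply alludes to when he says the separation depends on how the scripts are run.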

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx