Re: Apache Security Problem

Hi,

You can do restrictions of particular options using the technique shown here:
http://httpd.apache.org/docs/2.2/howto/htaccess.html#how

But I have a feeling that there are other ways around your separation.
It depends on exactly the details of how you are running your scripts.

Joshua.

I can only repeat: the way the symlink is created is irrelevant. With scripting techniques, no reading of other users' files is possible (open_basedir, permission denied, etc.). Creating "dead" symlinks is allowed and can't be forbidden. Only Apache has read privileges.

example.com/file.txt shows the PHP source if the symlink is:
ln -s /path/to/otheruser/config.php file.txt

The symlink could be created by any CGI application such as PHP, Perl, etc. Notice that AllowOverride All is activated by default. It would be useful if SymLinksIfOwnerMatch could be activated separately and not be bypassed by a user's .htaccess in subfolders.

I have now changed the Apache source (2.2.8). In server/core.c (1315, 1439) I changed the function call from OPT_SYM_LINKS to OPT_SYM_OWNER. So every time Apache hits a symlink, it is tested for a correct owner match, and this could not be bypassed by the user. This should be the best in my case, without having to deny a whole bunch of Options. I'm not a C programmer, so I would be happy if someone could confirm that my changes are not risky, etc.

Thanks
Andre

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
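
The restriction discussed in this thread, written out as an added example (not from either poster and not the project's own configuration): it uses the `Options=` form of AllowOverride available in httpd 2.2. The directory path and the list of permitted overrides are assumptions for a typical per-user hosting layout.

```apache
# Added example for httpd 2.2. /home/*/public_html is an assumed layout.
# The two blocks are alternatives: use one or the other, not both.

# Weak: AllowOverride All (the 2.2 default) lets a user's .htaccess carry
#   Options +FollowSymLinks
# which replaces the owner check for that subtree.
<Directory /home/*/public_html>
    Options SymLinksIfOwnerMatch
    AllowOverride All
</Directory>

# Tighter: .htaccess may still use the Options directive, but only to set
# the values listed after "Options=". FollowSymLinks is not in the list,
# so a .htaccess that tries to enable it is rejected as not allowed.
<Directory /home/*/public_html>
    Options SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,MultiViews
</Directory>
```

The httpd documentation notes that the symlink owner test is subject to race conditions, so file permissions on each user's files remain the primary control.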

