httpd-dev mailing list archives

From Rob Hartill <hart...@ooo.lanl.gov>
Subject security hole patch
Date Mon, 17 Apr 1995 20:36:34 GMT

It looks like we need this...

> From whitis Wed Nov  9 06:05:08 1994
> Subject: Security patch for HTTPD 1.3
> To: httpd@ncsa.uiuc.edu
> Date: Wed, 9 Nov 1994 06:05:08 -0500 (EST)
> Cc: cert@cert.org, mike (Michael M. Chapman), jeg7e (Jon Gefaell),
> 	rdunbar@nasm.edu, juphoff@polaris.cv.nrao.edu
> X-Mailer: ELM [version 2.4 PL24]
> MIME-Version: 1.0
> Content-Type: text/plain; charset=US-ASCII
> Content-Transfer-Encoding: 7bit
> Content-Length: 4839      
> Status: R
> 
> This message contains a patch for NCSA httpd version 1.3 that
> allows the server maintainer to close a security hole without
> substantially restricting the functionality of the server on
> many systems.
> 
> The NCSA httpd (versions 1.1 to 1.3) has a known security bug that if
> you enable symbolic links in the options directive for a particular
> directory subtree (or fail to specify an options directive for 
> a particular directory), users can create symbolic links in their
> public_html directories which point to dangerous places such as
> "/", or "/etc", allowing them (and anyone else) to read ANY file
> on the system (such as shadow password files) when the httpd
> is running as root (which is the case if httpd is called by inetd
> regardless of what user you specify for httpd to run as in httpd.conf).
> 
> This security hole can be closed by specifying an options directive
> which does not allow symbolic links or which only allows symbolic
> links if the owners match (SymLinksIfOwnerMatch).  Unfortunately,
> if some or all users on the system have symbolic links for their
> home directories (i.e. /home/user --> /disk1/user), the httpd will
> refuse to allow access to those directories if you restrict symbolic
> links for the appropriate directory trees (i.e. /home or /home/*/.html/*)
> although it will work if you create individual entries for each
> affected user in access.conf (i.e.  /home/user1, /home/user2).  This
> is simply not practical on many systems.
> 
> In actual practice, I have been able to exploit this bug on every
> system I have an account on which runs httpd from inetd.  Furthermore,
> on virtually all of the systems I normally use, it is not practical
> to close this security hole without applying this patch.
> 
> This patch allows httpd to follow symbolic links if you specify
> the "SymLinksIfOwnerMatch" option and the link points to a file/directory
> owned by the owner of the link (original behavior) OR if the
> link is owned by root.  
> 
> This patch has not been thoroughly tested; it does, however,
> seem to work precisely as intended.
> 
> In addition to applying this patch, it is necessary to create
> entries in access.conf to specify appropriate options directives
> for any directories owned by untrusted users which srm.conf
> allows access to and for trusted users to exercise appropriate 
> caution in less restricted directories.
> 
> This patch does not solve the problem that if you do not specify
> a directory tree in access.conf but do allow access to that
> directory via srm.conf, the default options are "all".  This
> requires careful maintenance of the configuration files.
> 
> The active presence of this security hole was brought to my attention by
> Mike Chapman (mike@hopper.itc.virginia.edu).
> 
>  - Mark Whitis (whitis@nasm.edu) 
> 
> ---------------------- cut here ------------
*** http_access.c.orig	Wed Nov  9 04:36:16 1994
--- http_access.c	Wed Nov  9 05:07:06 1994
***************
*** 5,11 ****
   * 
   */
  
! 
  #include "httpd.h"
  
  int in_domain(char *domain, char *what) {
--- 5,18 ----
   * 
   */
  
! /* Changes made by Mark Whitis (whitis@nasm.edu) 11/9/94 to allow */
! /* server to follow symbolic links owned by root.  This is necessary */
! /* if you have symbolic links of the form /home/user --> /bigdisk/user */
! /* but want to deny ordinary users the ability to create symbolic links */
! /* to files they don't own (such as /etc).  You must allow symbolic*/
! /* links if owner matches for this patch to help you.  Do not allow */
! /* access to user mountable filesystems in your access.conf file */
! /* or someone could create a symbolic link owned by root. */
  #include "httpd.h"
  
  int in_domain(char *domain, char *what) {
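Review bot: the precondition stated in the last two comment lines of this hunk ("Do not allow access to user mountable filesystems in your access.conf file or someone could create a symbolic link owned by root") is an operational requirement of the new trust rule and belongs in the documentation for the SymLinksIfOwnerMatch option as well, since an administrator enabling the option will not read http_access.c. As a style point, the eight separate single-line `/* ... */` comments would read better as one block comment, and the stray blank `!` line being replaced suggests the header was edited by hand rather than with a tidy hunk.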
***************
*** 156,162 ****
                                  getparents(realpath);
                              }
                              lstat(realpath,&fi);
!                             if(fi.st_uid != lfi.st_uid)
                                  goto bong;
                          }
                          else {
--- 163,169 ----
                                  getparents(realpath);
                              }
                              lstat(realpath,&fi);
!                             if((fi.st_uid != lfi.st_uid) && (lfi.st_uid!=0))
                                  goto bong;
                          }
                          else {
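Review bot: the return value of `lstat(realpath,&fi);` on the context line just above the changed condition is not checked, so if the link target cannot be stat'ed (a dangling link, or a path outside what the server may traverse) `fi.st_uid` is whatever was left on the stack and the owner comparison decides on garbage; `if(lstat(realpath,&fi) == -1) goto bong;` would make the failure deny rather than undefined. The new `(lfi.st_uid!=0)` clause then follows any root-owned link regardless of who owns its target, which is the intent described in the mail, but it rests entirely on the header comment's assumption that only root can create root-owned links, so the `goto bong` path should stay the default for every case the exemption does not positively prove.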
***************
*** 202,208 ****
                      getparents(realpath);
                  }
                  lstat(realpath,&lfi);
!                 if(fi.st_uid != lfi.st_uid)
                      goto gong;
              }
              else {
--- 209,215 ----
                      getparents(realpath);
                  }
                  lstat(realpath,&lfi);
!                 if((fi.st_uid != lfi.st_uid) && (lfi.st_uid!=0))
                      goto gong;
              }
              else {
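Review bot: the variable roles are swapped relative to the first site: here the freshly resolved `realpath` is lstat'ed into `lfi` (`lstat(realpath,&lfi);`), whereas at lines 156-162 it went into `fi`, yet the same `(lfi.st_uid!=0)` exemption is applied at both sites. If `lfi` holds the link's target at this site, as the context suggests, the exemption keys on the target's owner rather than the link's, and a user-owned link whose target is a root-owned file would pass this check, the exact case the option exists to stop. Confirm which struct holds the link at line 208 and apply the root exemption to that one (likely `fi.st_uid!=0` here); the unchecked `lstat` return noted for the first site applies here as well.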
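An added example, not NCSA httpd code or part of Mark Whitis's patch: the SymLinksIfOwnerMatch rule as the quoted message describes it (follow a link when its target's owner matches the link's owner, or when the link itself is owned by root), with the stat calls checked so a dangling link is denied rather than compared against uninitialized data. The function names and the temporary-directory scenario in `demo()` are constructed here for illustration.

```c
/* Added example, not NCSA httpd code: SymLinksIfOwnerMatch policy as the
 * quoted message describes it, with the lstat/stat results checked. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

enum { SYM_DENY = 0, SYM_ALLOW = 1 };

/* Pure policy, keyed on the LINK's owner: follow if the target's owner
 * matches the link's owner, or if the link itself belongs to root. A
 * root-owned target alone never qualifies (a user's link into /etc). */
int owner_match_policy(uid_t link_uid, uid_t target_uid) {
    if (link_uid == 0) return SYM_ALLOW;
    return link_uid == target_uid ? SYM_ALLOW : SYM_DENY;
}

/* Filesystem wrapper: non-links pass; a failed lstat/stat denies, since
 * an unchecked call would leave st_uid holding stack garbage. */
int check_symlink_path(const char *path) {
    struct stat lfi, fi;
    if (lstat(path, &lfi) == -1) return SYM_DENY;
    if (!S_ISLNK(lfi.st_mode)) return SYM_ALLOW;  /* plain file or dir */
    if (stat(path, &fi) == -1) return SYM_DENY;   /* dangling link */
    return owner_match_policy(lfi.st_uid, fi.st_uid);
}

/* Constructed scenario (hypothetical paths under /tmp): a file, a link to
 * it (same owner, allowed) and a dangling link (denied). 1 = all agree. */
int demo(void) {
    char dir[] = "/tmp/symowner.XXXXXX", file[64], good[64], bad[64];
    int ok;
    if (!mkdtemp(dir)) return 0;
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(good, sizeof good, "%s/good", dir);
    snprintf(bad, sizeof bad, "%s/dangling", dir);
    close(open(file, O_CREAT | O_WRONLY, 0644));
    if (symlink(file, good) || symlink("/no/such/target", bad)) return 0;
    ok = check_symlink_path(file) == SYM_ALLOW
      && check_symlink_path(good) == SYM_ALLOW
      && check_symlink_path(bad) == SYM_DENY;
    unlink(good); unlink(bad); unlink(file); rmdir(dir);
    return ok;
}

int main(void) {
    printf("owner-match demo: %s\n", demo() ? "pass" : "FAIL");
    return 0;
}
```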

