httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dean Gaudet <dgau...@arctic.org>
Subject Re: [PATCH] various security problems
Date Mon, 07 Jul 1997 04:13:04 GMT
I wonder if we couldn't get further with something that works on absolute
paths.  i.e. when symlinks are followed, start processing the absolute
path, or provide directives that match the absolute path.  In the end
though we're doing a lot of work for little gain ... we need to protect so
much of the code, ugh. 

Your module is simple enough, and catches another trouble case.  But it
just begs for extension ... like "disallow uids < 100" :)  I'm happy
including it as is though. 

Dean

On Thu, 3 Jul 1997, Lou D. Langholtz wrote:

> Dean Gaudet wrote:
> > 
> > Summary:  There's a bunch of ways to bypass the symlink restrictions, or
> > otherwise serve up any file on the system.
> > . . .
> 
> Just a reminder on an old post I made...
> 
> On this thread, FollowSymlinksIfOwnersMatch can also be circumvented by
> users by telling there sys-admin to restore one of there web directories
> containing some symlinks which often doesn't preserve the symlink owner.
> Now they got root owned symlinks which is just perfect for pointing at /
> and voila, they can export the whole filesystem tree (just about).
> 
> If anybody wants additional protection against Symlink dangers I wrote a
> simple module a while back and put it at
> <http://www.eng.utah.edu/~ldl/apache/modules/disallow_id/>. I've also
> recently updated it to compile more cleanly with 1.2.0 as well as 1.1.*
> 


Mime
View raw message