httpd-dev mailing list archives

From Lou Langholtz <>
Subject Re: configfile_t.param
Date Tue, 02 Jun 1998 00:26:45 GMT
> BTW, your technique also fails on unixes which allow folks to "chown away"
> files.  For example, on IRIX you can "chown someoneelse .htaccess", and it
> will let you give away the file.
> Also on any unix I can:
>     mkdir public_html/teehee
>     cd public_html/teehee
>     ln -s ~victim/public_html/.htaccess
> and your fstat() will return the userid of the victim.
> Dean

Thanks. Good points.

Fortunately I can also use the behavior of the set
user id bit to get around chown'ing away the .htaccess file, and can lstat the
parms->config_file->name to disallow htaccess files that are symlinks.
Additionally I can check that the device and inode are the same between the
result from the fstat() and the lstat(). Have I missed anything?

Now how about we go back to discussing a standard way to get the htaccess
file descriptor :-) Also the filename, so long as I've brought it up. I'd
really like to avoid the case where the directives are read out of one
file and then security is tricked by lstat()'ing another file, without
resorting to reparsing the htaccess file in my module. I believe I can do that
by checking that the inode and device numbers match between the
fstat() and the lstat(), but only if I can get the descriptor for the fstat().

Just some extra details for anybody that got lost...

On the set user id bit behavior, for anyone unfamiliar with
what we're talking about:

The set user id bit is always cleared by the system on any unix that allows
normal users to chown away files. Otherwise you'd just be able to chown
your setuid copy of /bin/sh to root and get a root shell.
So by checking if the file's set user id bit is on, one can be
assured that no one but root could have chown'd the file away,
thereby preventing chown victimization.
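The checks Lou describes in this message (lstat the path to refuse symlinks, compare st_dev/st_ino between the fstat() of the descriptor actually parsed and the lstat() of the path, verify the owner, and optionally require the set-user-id bit as evidence the file was not chown'd away) can be combined into one routine. The following is an added illustration written for this archive page, not code from Apache or from anyone in the thread. The function names, the `htaccess_check` result codes, the `require_setuid` switch and the temporary-directory demo under /tmp are all assumptions made for the example; the `build_demo()` helper creates a regular file and a symlink to it so the outcomes can be observed offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Result codes for the check; names are constructed for this example. */
enum htaccess_check {
    HTACCESS_OK = 0,
    HTACCESS_OPEN_FAILED,
    HTACCESS_STAT_FAILED,
    HTACCESS_IS_SYMLINK,      /* lstat() reports the path itself is a symlink     */
    HTACCESS_DIFFERENT_FILE,  /* fstat()/lstat() disagree on (st_dev, st_ino)     */
    HTACCESS_WRONG_OWNER,     /* st_uid is not the expected user                  */
    HTACCESS_NOT_SETUID       /* set-user-id bit absent: file may have been given away */
};

/*
 * `fd` is the descriptor the directives were (or will be) parsed from and
 * `path` is the name it was opened under.  The check confirms that the path
 * still names that very file, that the path is not a symlink, that the file
 * is owned by `expected_uid`, and, when `require_setuid` is non-zero, that
 * the set-user-id bit is still present (the message's argument that no
 * unprivileged user could have chown'd the file away).
 */
enum htaccess_check check_htaccess(int fd, const char *path,
                                   uid_t expected_uid, int require_setuid)
{
    struct stat by_fd, by_path;

    if (fstat(fd, &by_fd) != 0)
        return HTACCESS_STAT_FAILED;
    if (lstat(path, &by_path) != 0)           /* lstat: do not follow symlinks */
        return HTACCESS_STAT_FAILED;

    if (S_ISLNK(by_path.st_mode))
        return HTACCESS_IS_SYMLINK;
    if (by_fd.st_dev != by_path.st_dev || by_fd.st_ino != by_path.st_ino)
        return HTACCESS_DIFFERENT_FILE;        /* parsed one file, path names another */
    if (by_fd.st_uid != expected_uid)
        return HTACCESS_WRONG_OWNER;
    if (require_setuid && !(by_fd.st_mode & S_ISUID))
        return HTACCESS_NOT_SETUID;
    return HTACCESS_OK;
}

/* Convenience wrapper: open the path read-only, run the check, close it. */
enum htaccess_check check_htaccess_path(const char *path, uid_t expected_uid,
                                        int require_setuid)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return HTACCESS_OPEN_FAILED;
    enum htaccess_check rc = check_htaccess(fd, path, expected_uid, require_setuid);
    close(fd);
    return rc;
}

/*
 * Demo fixture (constructed): a fresh temp directory holding a regular
 * ".htaccess" plus a symlink pointing at it.  Returns 0 on success and
 * writes both paths into the caller's buffers.
 */
int build_demo(char *file_path, size_t file_len, char *link_path, size_t link_len)
{
    char dir[] = "/tmp/htaccess_demo_XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file_path, file_len, "%s/.htaccess", dir);
    snprintf(link_path, link_len, "%s/link_to_htaccess", dir);
    int fd = open(file_path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    if (symlink(file_path, link_path) != 0)
        return -1;
    return 0;
}

int main(void)
{
    char file[256], link[256];
    if (build_demo(file, sizeof file, link, sizeof link) != 0) {
        perror("build_demo");
        return 1;
    }
    printf("regular file : %d\n", check_htaccess_path(file, getuid(), 0)); /* 0 = OK */
    printf("symlink path : %d\n", check_htaccess_path(link, getuid(), 0)); /* 3 = IS_SYMLINK */
    printf("no setuid bit: %d\n", check_htaccess_path(file, getuid(), 1)); /* 6 = NOT_SETUID */
    return 0;
}
```

The order of the tests matters: the symlink check runs on the lstat() result before the inode comparison, so the "ln -s ~victim/public_html/.htaccess" case from Dean's message is rejected even though fstat() on the opened descriptor would report the victim's uid and inode. The device/inode comparison is the piece Lou says needs the real descriptor from the core: it is only meaningful when `fd` is the one the directives were parsed from, not a second open of the same name.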
