httpd-dev mailing list archives

From Lou Langholtz <...@chpc.utah.edu>
Subject Re: configfile_t.param
Date Tue, 02 Jun 1998 17:36:27 GMT
Dean Gaudet wrote:

> On Mon, 1 Jun 1998, Lou Langholtz wrote:
>
> > > BTW, your technique also fails on unixes which allow folks to "chown away"
> > > files.  For example, on IRIX you can "chown someoneelse .htaccess", and it
> > > will let you give away the file.
> > >
> > > Also on any unix I can:
> > >
> > >     mkdir public_html/teehee
> > >     cd public_html/teehee
> > >     ln -s ~victim/public_html/.htaccess
> > >
> > > and your fstat() will return the userid of the victim.
> > >
> > > Dean
> >
> > Thanks. Good points.
> >
> > Fortunately I can also use the behavior of the set
> > user id bit to get around chown'ing away the htaccess file, and can lstat the
> > parms->config_file->name to disallow htaccess files that are symlinks.
> > Additionally I can check that the device and inode are the same between the
> > result from the fstat() and the lstat(). Have I missed anything?
>
> hard links.

. . .

Dean, I've thought about hard links and am afraid to tell you that I can't see how
they could work around all the checks I've mentioned so far. I'd imagine you've
had to consider this a lot more times than I though. But if I'm really missing
something on hard links, please explain how they could compromise the checks.

Thanks.
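
The fstat()/lstat() checks discussed in this thread, as an added C example that is not part of the original messages or of Apache's code. The names `check_config` and `demo`, the temporary-directory fixture, and the `st_nlink` test are assumptions introduced here; the thread itself only names the symlink and device/inode checks.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum verdict { TRUSTED, IO_ERROR, SYMLINK, CHANGED, HARD_LINKED, WRONG_OWNER };

/* Ownership check for a per-directory config file (hypothetical helper).
 * check_nlink enables the st_nlink test, which is an addition of this example. */
enum verdict check_config(const char *path, uid_t expected, int check_nlink)
{
    struct stat fs, ls;
    enum verdict v = TRUSTED;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return IO_ERROR;
    if (fstat(fd, &fs) != 0 || lstat(path, &ls) != 0) v = IO_ERROR;
    else if (S_ISLNK(ls.st_mode)) v = SYMLINK;        /* the "ln -s" case */
    else if (fs.st_dev != ls.st_dev || fs.st_ino != ls.st_ino) v = CHANGED;
    else if (check_nlink && fs.st_nlink != 1) v = HARD_LINKED;
    else if (fs.st_uid != expected) v = WRONG_OWNER;
    close(fd);
    return v;
}

/* Constructed fixture: one regular file plus a symlink and a hard link to it.
 * Checks the name selected by `which` ("sym" or "hard"), then cleans up. */
enum verdict demo(const char *which, int check_nlink)
{
    char dir[] = "/tmp/htcheckXXXXXX", orig[64], sym[64], hard[64];
    enum verdict v = IO_ERROR;
    if (!mkdtemp(dir)) return IO_ERROR;
    snprintf(orig, sizeof orig, "%s/orig", dir);
    snprintf(sym, sizeof sym, "%s/sym", dir);
    snprintf(hard, sizeof hard, "%s/hard", dir);
    int fd = open(orig, O_CREAT | O_WRONLY, 0644);
    if (fd >= 0 && symlink(orig, sym) == 0 && link(orig, hard) == 0)
        v = check_config(which[0] == 's' ? sym : hard, getuid(), check_nlink);
    if (fd >= 0) close(fd);
    unlink(sym); unlink(hard); unlink(orig); rmdir(dir);
    return v;
}

int main(void)
{
    printf("symlink=%d hardlink=%d hardlink+nlink=%d\n",
           demo("sym", 0), demo("hard", 0), demo("hard", 1));
    return 0;
}
```

A hard link is a second name for the same inode, so it is not a symlink, its fstat() and lstat() results agree, and `st_uid` is the inode's owner whichever directory the name sits in; only the link count distinguishes it.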

