httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject Re: [PATCH] Enhancement to mod_auth
Date Sat, 08 Sep 2001 22:18:05 GMT
From: "Rodent of Unusual Size" <Ken.Coar@Golux.Com>
Sent: Saturday, September 08, 2001 5:49 AM

> * On 2001-09-08 at 08:34,
>   William A. Rowe, Jr. <> excited the electrons to say:
> > 
> > I've seen similar requests for require group.  While you are cautiously
> > modifing the 1.3 code base, would you please consider both?
> As I said in the preface, the actual patch does both 'require file-owner'
> and 'require file-group'.
> > Other than that, coolness, but please document that this is not a SECURE
> > method from a multi-user system, since anyone can create an .htpasswd file
> > that might cause the user to appear as a root or admin user, but is not.
> How do you mean?  Linux does not let you chgrp a file to any group
> of which you are not a member; neither does T64U, nor FreeBSD, nor
> any other Unixish system with which I am familiar..  Can you spell
> out the scenario you have in mind?

What you describe is likely secure.  The converse is not.

A vhost user creates an .htpasswd file containing;

Now that user can 'pretend' to be root, accessing root's files (provided they
were not secured) in spite of the fact that another vhost user believed that
file was protected by 'their' .htpasswd file (with the same user list, and
different vhosts.)

It is difficult to misassign the file ownership.  Impersonation is not always
that difficult, however, especially where two configs may point at the same
folders (and _nobody_ 'prefers' to work with .htaccess, due to performance.)

> > This must be documented as a convience facility, not a security facility.
> I will wait for your explanation before I commit to this, since I
> do not see the hole.

The system is as secure as the password and configuration files for the web
server.  In vhost'ed environments with multiple vhosts, it must be pointed
out that two different authz methods might yield the same 'apparent user'
if the overall system isn't locked down under a single administration.


View raw message