httpd-docs mailing list archives

From Rich Bowen <rbo...@rcbowen.com>
Subject Re: Suggestion for security tips page.
Date Wed, 28 Jan 2004 13:38:36 GMT
On Tue, 2 Dec 2003, Jani Mikkonen wrote:

> At least in the machines I've set up for Apache use, I have a lot of
> people doing the actual content for the web pages. Most if not all of
> those webmasters use emacs to edit their pages. And as you know, by
> default emacs creates a backup file in the same dir with the ~ character
> at the end of the original filename. This is a possible security breach
> when webmasters are editing script files (cgi/php/ssi/mod_perl stuff)
> that might have sensitive data like passwords/IP addresses of
> internal machines or something similar. And since execution of these
> server-side scripting languages usually depends on the extension of the
> filename, a filename such as "database_connection.php~" would not be
> executed through the php module and thus the actual code could be read by
> anyone knowing the URL.
> 
> The obvious fix for this problem is to educate the webmasters not to
> copy the stuff onto the live site OR erase the files after they are done, but
> this will most likely happen only after the temperature reaches 0°C
> downstairs where the BSD mascot runs the show.
> 
> But to make sure that these files are not presented to the user, I
> always check that my httpd.conf includes the following:
> 
> <Files ~ "\~$">
>     Order allow,deny
>     Deny from all
> </Files>
> 
> I think this falls into pretty much the same category as the protection
> of ^\.ht files, so probably this could be added to the default configuration
> file that ships with the source if it seems necessary?

I'm somewhat torn on this one. A rule like this encourages people to do
stupid things. Don't edit files on the live server.

On the other hand, it is an important security consideration.

On the other hand (running out of hands here), where do we draw the line?
Do we need a rule for vi swap files? MS Word swap files? Pico swap
files?

-- 
And everyone said, "If we only live, 
We too will go to sea in a Sieve -
To the hills of the Chankly Bore!"
 (The Jumblies, by Edward Lear)
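The `<Files ~ "\~$">` rule above only hides emacs backups; the swap and lock files Rich asks about have their own naming patterns. The audit script below is an added example, not from the thread or the httpd project: it walks a document root and reports files that match common editor-leftover patterns (the pattern set and the sample files are constructed for this example), so leftovers can be removed instead of merely blocked.

```python
import os
import re
import tempfile

# Basename patterns for files editors leave next to the originals. The set is
# constructed for this example, not taken from the thread; extend it for your tools.
EDITOR_ARTIFACTS = {
    "emacs-backup":   re.compile(r".+~$"),                      # database_connection.php~
    "emacs-autosave": re.compile(r"^#.+#$"),                    # #index.php#
    "emacs-lock":     re.compile(r"^\.#.+"),                    # .#index.php
    "vim-swap":       re.compile(r"^\..+\.sw[a-p]$"),           # .index.php.swp
    "word-lock":      re.compile(r"^~\$.+"),                    # ~$notes.doc
    "generic-backup": re.compile(r".+\.(bak|orig|old)$", re.I), # db.php.bak
}


def classify(name):
    """Return the artifact kind for a basename, or None if it looks like real content."""
    for kind, pattern in EDITOR_ARTIFACTS.items():
        if pattern.match(name):
            return kind
    return None


def scan_docroot(root):
    """Walk a document root and return sorted (relative path, kind) pairs.

    Meant for a cron job or deploy hook: the <Files> rule is the safety net,
    removing the file (and the secret it exposes) is the actual fix.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel.replace(os.sep, "/"), kind))
    return sorted(hits)


def build_sample_docroot():
    """Create a throwaway document root holding constructed sample files."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.mkdir(os.path.join(root, "inc"))
    for rel in ("index.php", ".htaccess", "inc/db.php",            # legitimate content
                "inc/db.php~", "inc/#db.php#", "inc/db.php.bak",   # editor leftovers
                ".index.php.swp", "~$notes.doc"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    for path, kind in scan_docroot(build_sample_docroot()):
        print(f"{kind:15} {path}")
```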


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

