httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <jos...@slive.ca>
Subject Re: v. 2.2 Documentation errors? (in mod/core.html#options and misc/security_tips.html#protectserverfiles)
Date Sat, 13 Dec 2008 03:40:59 GMT
On Thu, Dec 11, 2008 at 6:23 PM, Christopher Drost
<chris.drostie@gmail.com> wrote:

> After all, the FollowSymLinks attack allows any user to show anybody
> on the web the contents of your root folder with zero effort, and
> opens itself up to accidental abuses. The race condition attack looks
> relatively difficult and resource-intensive, and would probably
> require, to be practical, access to execute an arbitrary file; it
> reveals information only to Mallory. (Though, again, he can presumably
> then copy the files to a web-accessible directory.)  In fact, if we
> assume that an executable file is required to really get the timings
> right, then Mallory might be stopped if he can't run the chmod command
> to make the file executable in the first place. And if we don't allow
> Apache to listen on 127.0.0.1 (is that possible?) then Mallory might
> have to route his requests through the Internet, making it very
> difficult to get the race condition timing just right.

I wrote the note about FollowSymLinks not being a security restriction
based on some bug reports and a response (by Roy, if I remember
correctly) stating that nobody should expect FollowSymLinks to be
secure in the first place. Since the docs implied otherwise, I changed
the docs.

You are most likely correct that the race conditions are "relatively"
hard to exploit. But the "relatively" is very difficult to quantify.
So if you don't really know what you are doing, you shouldn't expect
to be protected by turning off symlinks. If you know what you are
doing, then you should understand the limits implied by the statement
in the docs without further explanation. We aren't going to include a
treatise on symlink race conditions in the Options docs.

Yes, omitting FollowSymLinks is a perfectly valid way of preventing
you from accidentally shooting yourself in the foot. But I don't
consider that to be a security restriction.

Joshua.

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message