httpd-users mailing list archives

From s...@conman.org (Sean Conner)
Subject Re: [users@httpd] Securing Apache configuration
Date Fri, 12 Aug 2005 03:29:40 GMT
It was thus said that the Great Neelay Shah once stated:
>
> --- "Roger B.A. Klorese " <rogerk@queernet.org> wrote:
> 
> > Hard links don't exist in Windows, do they?
> > 
> > And on Linux and other Unixen they require suitable
> > permissions on the 
> > object.
> 
> Well, there are some programs like "junction"
> available on sysinternals that supposedly make hard
> link equivalent on windows...and the point is the user
> can create a hard link to c:\ in his user dir. and it
> will expose the whole hard drive and that is why I am
> concerned about it...how to stop the web server from
> following ...

  But who is this "user" and why are you so concerned about it?

  But in any case ... 

  Don't run Apache.

  Or restrict the number of people that can work on the box [4].

  Or (and I'm not sure how hard links would work under Windows but I know
how they work under Unix, and *this* method *would* work under Unix) put
Apache and all the websites on their own physical drive (under Unix, you
can't hardlink to a file on a separate partition or drive).

  I've been administrating webservers now for oh ... 10 years or so, and
frankly, this is the *first* time this particular issue has come up in my
experience.  And honestly, I don't see what's so bad about seeing the root
of a Windows system [1][2].

  -spc (You can't be 100% secure [3][4] on the Internet ... )

[1]	"/etc/" under Unix?  Maybe a different story, but still, the only
	file I'd be worried about would be "/etc/shadow" and that's usually
	readable only by root, and Apache doesn't serve up files as "root"
	(unless it's one horribly configured system).

[2]	Then again, I admin Unix and don't really use Windows.

[3]	Well, you *can*, but only if you disconnect the machine from the
	Internet, place it in a deep underground bunker, filled with
	concrete, and post guards at the entrance with orders to shoot
	anyone on sight.

[4]	You can do stuff right, and *still* be hacked:
		http://boston.conman.org/2004/09/19.1
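As an added illustration of the point above (example code, not from the thread or the Apache project), a small audit that lists the ways content outside a DocumentRoot can become reachable from inside it: a regular file whose link count is above one, a symlink that resolves outside the root, and a file living on a different filesystem than the root. The sample tree it inspects is constructed in `build_demo()`.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_docroot(docroot):
    """Return (kind, relative path) for entries that reach outside docroot.

    hardlink: regular file with st_nlink > 1, so another name for the same
        inode may sit outside the webroot (e.g. under a user's home).
    symlink: link whose target resolves outside docroot.
    foreign_device: file on another filesystem than docroot (via a mount);
        a hard link can never cross a filesystem, which is why a dedicated
        drive for the webroot defeats the hard-link case.
    """
    root = Path(docroot).resolve()
    root_dev = root.stat().st_dev
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # no symlink descent
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            st = p.lstat()
            if stat.S_ISLNK(st.st_mode):
                target = p.resolve()
                if target != root and root not in target.parents:
                    findings.append(("symlink", rel))
                continue
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                findings.append(("hardlink", rel))
            if st.st_dev != root_dev:
                findings.append(("foreign_device", rel))
    return findings


def build_demo():
    """Constructed sample tree (hypothetical; not from the original message)."""
    base = Path(tempfile.mkdtemp())
    docroot = base / "htdocs"
    docroot.mkdir()
    (docroot / "index.html").write_text("<h1>ok</h1>\n")
    home = base / "home" / "alice"
    home.mkdir(parents=True)
    (home / "secret.txt").write_text("not for the web\n")
    # Same filesystem, so the second name succeeds: the case the thread fears.
    os.link(home / "secret.txt", docroot / "leak.html")
    os.symlink(base / "home", docroot / "home")  # symlink escaping the root
    return docroot
```

Run against a real DocumentRoot, a `foreign_device` result means content was reached through a mount point, which a hard link alone cannot produce.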


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

