httpd-users mailing list archives

From Neelay Shah <asknee...@yahoo.com>
Subject Re: [users@httpd] Securing Apache configuration
Date Fri, 12 Aug 2005 16:00:02 GMT

I think I am going to go with Bill's suggestion, create
a new user, have extremely restricted access for this
user and run the Apache service under the context of
this user...

Thanks guys.

Neelay


--- "William A. Rowe, Jr." <wrowe@rowe-clan.net> wrote:

> Neelay Shah wrote:
> > Well, there are some programs like "junction"
> > available on sysinternals that supposedly make hard
> > link equivalent on windows...and the point is the user
> > can create a hard link to c:\ in his user dir.
>
> No that's a junction, and Apache2 should treat it as
> a softlink.
>
> > and it will expose the whole hard drive and that is why I am
> > concerned about it...how to stop the web server from
> > following ...
>
> no, there are also 'ln' utilities to create win32 hardlinks on NTFS.
> You can do it on FAT, but I've always just used the disk editor to
> create those manually (they are -not- stable).
>
> You are better off setting up a user to 'run as', change the
> service to 'run as' that user, and set up absolutely strict
> permissions.
>
> I sort of misspoke before; the MFT entry for the file on Windows,
> as well as most *nix'es allow you to see how many hard links point
> to the given file (e.g. usually 1, the original).  You can't tell
> if each is a hard or soft link.  But it would theoretically be
> possible to hack apr and apache to deny hard links.  That would
> deny the original and second link, of course, so it would add
> another vulnerability - making it possible for another user to
> 'deny' the existence of the original file.
>
> Bill
> 
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 



		


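Bill's point about link counts, as an added example that is not part of the original thread and is not apr or httpd code: a hypothetical `policy_allows()` check that refuses any file with more than one hard link, exercised on a constructed temp-directory scenario. It assumes a POSIX system (`stat()`, `link()`, `mkdtemp()`); the file names are made up for the demonstration.

```c
#define _XOPEN_SOURCE 700  /* for mkdtemp() */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical policy (not apr/httpd code): serve only regular files
 * whose link count is exactly 1. */
static int policy_allows(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return st.st_nlink == 1;
}

/* Constructed scenario in a temp dir. Returns a bitmask, -1 on setup error:
 *   1: original allowed while it has one name
 *   2: original allowed after a second name is linked to it
 *   4: the second name allowed
 *   8: original allowed again once the second name is removed */
int hardlink_policy_demo(void)
{
    char dir[] = "/tmp/nlinkXXXXXX";
    char orig[64], alias[64];
    int result = 0;
    FILE *f;

    if (!mkdtemp(dir)) return -1;
    snprintf(orig, sizeof orig, "%s/index.html", dir);
    snprintf(alias, sizeof alias, "%s/alias.html", dir);
    if (!(f = fopen(orig, "w"))) { rmdir(dir); return -1; }
    fputs("hello\n", f);
    fclose(f);

    if (policy_allows(orig)) result |= 1;
    if (link(orig, alias) != 0) { unlink(orig); rmdir(dir); return -1; }
    if (policy_allows(orig)) result |= 2;   /* same inode, nlink is now 2 */
    if (policy_allows(alias)) result |= 4;  /* indistinguishable from orig */
    unlink(alias);
    if (policy_allows(orig)) result |= 8;

    unlink(orig);
    rmdir(dir);
    return result;
}

int main(void) { printf("mask = %d\n", hardlink_policy_demo()); return 0; }
```

Both names share one inode and one link count, so the check cannot keep the original while rejecting the added name; the original is served only while no other name points at it.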