httpd-users mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [users@httpd] Securing Apache configuration
Date Fri, 12 Aug 2005 04:57:56 GMT
Neelay Shah wrote:
> Well, there are some programs like "junction"
> available on sysinternals that supposedly make hard
> link equivalent on windows...and the point is the user
> can create a hard link to c:\ in his user dir. 

No that's a junction, and Apache2 should treat it as a softlink.

> and it will expose the whole hard drive and that is why I am
> concerned about it...how to stop the web server from
> following ...

no, there are also 'ln' utilities to create win32 hardlinks on NTFS.
You can do it on FAT, but I've always just used the disk editor to
create those manually (they are -not- stable).

You are better off setting up a user to 'run as', change the
service to 'run as' that user, and set up absolutely strict
permissions.

I sort of misspoke before; the MFT entry for the file on Windows,
as well as most *nixes, allow you to see how many hard links point
to the given file (e.g. usually 1, the original).  You can't tell
if each is a hard or soft link.  But it would theoretically be
possible to hack apr and apache to deny hard links.  That would
deny the original and second link, of course, so it would add
another vulnerability - making it possible for another user to
'deny' the existence of the original file.

Bill

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
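Added example, not part of the thread above and not code from the Apache project: a PowerShell script that does on NTFS what Bill's reply describes. It walks a document root without descending into junctions, flags every reparse point (junctions and symbolic links, the "junction to c:\" case Neelay raised), flags every file whose hard link count is above one (using the link count Bill says the MFT exposes; like him, it cannot say which name is the "original"), and then reconfigures the httpd service to run as a dedicated account with a read/execute-only ACL on the document root. The document root `C:\Apache24\htdocs`, the service name `Apache24` and the account `apache_svc` are assumptions for illustration; the account must already exist and hold the "Log on as a service" right, and the script needs an elevated PowerShell 5.1 or later. If httpd does treat a junction as a symlink, as Bill says, the Apache-side complement is a `<Directory>` block whose `Options` omits `FollowSymLinks`; this script covers the filesystem and service side only.

```powershell
# Added example (not from the mailing-list thread). Audits an Apache DocumentRoot
# on NTFS for junctions/symlinks and multi-link files, then hardens the service.
# ASSUMED names: document root, service name and service account below.
$DocRoot = 'C:\Apache24\htdocs'
$Service = 'Apache24'
$Account = 'apache_svc'          # local account, created beforehand

$ReparseFlag = [IO.FileAttributes]::ReparsePoint

# Walk the tree ourselves so a junction to C:\ is reported, not recursed into
# (Get-ChildItem -Recurse would otherwise enumerate the whole drive through it).
function Get-DocRootEntries {
    param([string]$Path)
    foreach ($item in Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue) {
        $item
        if ($item.PSIsContainer -and -not ($item.Attributes -band $ReparseFlag)) {
            Get-DocRootEntries -Path $item.FullName
        }
    }
}

$entries = @(Get-DocRootEntries -Path $DocRoot)

# 1. Reparse points: junctions and symbolic links both carry this attribute.
#    LinkType/Target are filled in by PowerShell 5.1+ for reparse points.
Write-Host "== Reparse points under $DocRoot =="
$entries |
    Where-Object { $_.Attributes -band $ReparseFlag } |
    ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            LinkType = $_.LinkType
            Target   = ($_.Target -join ';')
        }
    } | Format-Table -AutoSize

# 2. Hard links: 'fsutil hardlink list' prints one volume-relative path per
#    name the file has. More than one line means another directory entry for
#    the same data exists, possibly outside the document root.
Write-Host "== Files with more than one hard link =="
$entries |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $links = @(& fsutil.exe hardlink list $_.FullName 2>$null)
        if ($links.Count -gt 1) {
            [pscustomobject]@{
                Path      = $_.FullName
                LinkCount = $links.Count
                Links     = ($links -join ';')
            }
        }
    } | Format-Table -AutoSize

# 3. Run the service as the dedicated account (Bill's "run as" advice).
#    sc.exe requires the space after 'obj=' and 'password='.
$secure = Read-Host -AsSecureString "Password for $Account"
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
& sc.exe config $Service obj= ".\$Account" password= $plain
$plain = $null

# 4. Strict permissions on the document root: drop inherited ACEs, then grant
#    the service account read/execute only. Administrators and SYSTEM keep
#    full control for deployment. Log and PID directories need Modify for the
#    service account separately; the document root does not.
& icacls.exe $DocRoot /inheritance:r
& icacls.exe $DocRoot /grant:r "$env:COMPUTERNAME\${Account}:(OI)(CI)RX" `
                               'BUILTIN\Administrators:(OI)(CI)F' `
                               'NT AUTHORITY\SYSTEM:(OI)(CI)F'

Restart-Service -Name $Service
```

Run the audit part first on its own and read the two tables before applying steps 3 and 4; a hard link reported here could be a legitimate duplicate name created by the deployment tooling rather than a user's attempt to expose a file, and as the reply notes, the link count alone cannot tell you which name came first.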

