httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <Ralph.Gro...@itdz-berlin.de>
Subject [users@httpd] Weird sbitting of htdigest
Date Tue, 21 Feb 2006 10:09:36 GMT
Hi,

I needed to "protect" a URI of my webserver.
Since the Base64 encoding of mod_auth seemed too revealing to me,
and on the other hand SSL/TLS too involved
I looked for something in between and came accross
mod_auth_digest.

With mod_auth_digest comes the utility program htdigest
to create and maintain a password file with MD5 hashes similar to
htpasswd of mod_auth for Base64.

When I created my first passwd file with htdigest I was baffled
to
realize that the htdigest binary from my installation produced
a passwd file with suid, sgid and the sticky bit set.

Ugh, what the hack is any sbit necessary for a flat password
file?

e.g.

# ls -ld /tmp
drwxrwxrwt  6 root root 1024 Feb 21 10:31 /tmp
# htdigest -c /tmp/bogus.passwd Rotten\ Vault visitor
Adding password for visitor in realm Rotten Vault.
New password: 
Re-type new password: 
# ls -l /tmp/bogus.passwd 
-rwsr-sr-t  1 root root 54 Feb 21 10:34 /tmp/bogus.passwd


Needless to say that I immediately revoked those bits by

# chmod u-sx,g-sx,o-xt /tmp/bogus.passwd 
# ls -l /tmp/bogus.passwd 
-rw-r--r--  1 root root 54 Feb 21 10:34 /tmp/bogus.passwd


without breaking the functionality of MD5 Digest authentication
at all.

root's umask during htdigest invocation was

# umask
0022

I consider this in my view redundant sbit setting as a severe
security infringement
(think of a DMZ webserver for the WWW)

I have to admit that I initially installed the Apache from the
Fedora Core 3 prebuilt RPMs

# rpm -qf $(which htdigest)
httpd-2.0.52-3



# uname -srv
Linux 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004
# cat /etc/redhat-release 
Fedora Core release 3 (Heidelberg)


Now I'm very much inclined to compile any Apache for public
servicing
from the source tarballs with no dso and only statically compiled
in modules.

Or did I miss something, and there is a hidden sense behind all
this?

Regards
Ralph

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message