Return-Path: Delivered-To: apmail-httpd-users-archive@www.apache.org Received: (qmail 77149 invoked from network); 21 Feb 2006 10:10:14 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 21 Feb 2006 10:10:14 -0000 Received: (qmail 89751 invoked by uid 500); 21 Feb 2006 10:10:03 -0000 Delivered-To: apmail-httpd-users-archive@httpd.apache.org Received: (qmail 88877 invoked by uid 500); 21 Feb 2006 10:10:00 -0000 Mailing-List: contact users-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: users@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list users@httpd.apache.org Received: (qmail 88866 invoked by uid 99); 21 Feb 2006 10:10:00 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 21 Feb 2006 02:10:00 -0800 X-ASF-Spam-Status: No, hits=0.6 required=10.0 tests=NO_REAL_NAME X-Spam-Check-By: apache.org Received-SPF: pass (asf.osuosl.org: local policy) Received: from [141.15.30.12] (HELO mail02.verwalt-berlin.de) (141.15.30.12) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 21 Feb 2006 02:09:58 -0800 Received: from localhost (localhost [127.0.0.1]) by mail02.verwalt-berlin.de (Postfix) with ESMTP id 5390357013 for ; Tue, 21 Feb 2006 11:09:37 +0100 (CET) Received: from mail02.verwalt-berlin.de ([127.0.0.1]) by localhost (mail02 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03702-08 for ; Tue, 21 Feb 2006 11:09:37 +0100 (CET) Received: from quappe.verwalt-berlin.de (quappe.verwalt-berlin.de [10.0.50.189]) by mail02.verwalt-berlin.de (Postfix) with ESMTP id 40BE957012 for ; Tue, 21 Feb 2006 11:09:37 +0100 (CET) Received: from itdzex001.ITDZ.verwalt-berlin.de (barsch.verwalt-berlin.de [10.0.50.28]) by quappe.verwalt-berlin.de (Postfix) with ESMTP id 3187C56F94 for ; Tue, 21 Feb 2006 11:09:37 +0100 (CET) Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0 Date: Tue, 21 Feb 2006 11:09:36 +0100 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Weird sbitting of htdigest Thread-Index: AcY2z303moCCFl+MRcWlcsUnzF8Y6A== From: To: X-Virus-Scanned: by interscan at verwalt-berlin.de X-Virus-Checked: Checked by ClamAV on apache.org Subject: [users@httpd] Weird sbitting of htdigest X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N Hi, I needed to "protect" a URI of my webserver. Since the Base64 encoding of mod_auth seemed too revealing to me, and on the other hand SSL/TLS too involved I looked for something in between and came accross mod_auth_digest. With mod_auth_digest comes the utility program htdigest to create and maintain a password file with MD5 hashes similar to htpasswd of mod_auth for Base64. When I created my first passwd file with htdigest I was baffled to realize that the htdigest binary from my installation produced a passwd file with suid, sgid and the sticky bit set. Ugh, what the hack is any sbit necessary for a flat password file? e.g. # ls -ld /tmp drwxrwxrwt 6 root root 1024 Feb 21 10:31 /tmp # htdigest -c /tmp/bogus.passwd Rotten\ Vault visitor Adding password for visitor in realm Rotten Vault. New password:=20 Re-type new password:=20 # ls -l /tmp/bogus.passwd=20 -rwsr-sr-t 1 root root 54 Feb 21 10:34 /tmp/bogus.passwd Needless to say that I immediately revoked those bits by # chmod u-sx,g-sx,o-xt /tmp/bogus.passwd=20 # ls -l /tmp/bogus.passwd=20 -rw-r--r-- 1 root root 54 Feb 21 10:34 /tmp/bogus.passwd without breaking the functionality of MD5 Digest authentication at all. root's umask during htdigest invocation was # umask 0022 I consider this in my view redundant sbit setting as a severe security infringement (think of a DMZ webserver for the WWW) I have to admit that I initially installed the Apache from the Fedora Core 3 prebuilt RPMs # rpm -qf $(which htdigest) httpd-2.0.52-3 # uname -srv Linux 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 # cat /etc/redhat-release=20 Fedora Core release 3 (Heidelberg) Now I'm very much inclined to compile any Apache for public servicing from the source tarballs with no dso and only statically compiled in modules. Or did I miss something, and there is a hidden sense behind all this? Regards Ralph --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See for more info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org " from the digest: users-digest-unsubscribe@httpd.apache.org For additional commands, e-mail: users-help@httpd.apache.org