httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andre Hübner <andre.hueb...@gmx.de>
Subject [users@httpd] Re: Apache Security Problem
Date Mon, 19 May 2008 06:53:18 GMT
Hi,

>>You can do restrictions of particular options using the technique shown 
>>her=
>>e:
>>http://httpd.apache.org/docs/2.2/howto/htaccess.html#how

>>But I have a feeling that there are other ways around your separation.
>>It depends on exactly the details of how you are running your scripts.

>> Joshua.

I only can repeat. The way how to create the symlink is irrelevant. With 
Scriptingtechniques no reading of the files of other user is possible. 
(openbasedir/permission denied etc.) Creating "dead" symlinks is allowed and 
cant be forbidden.
Only Apache has read privileges. example.com/file.txt shows php-source if 
symlink is: ln -s /path/to/otheruser/config.php   file.txt
Symlink could be created by every CGI-Application like php/perl etc.Notice 
that AllowOverride All is activated by default.
It would be useful if SymLinksIfOwnerMatch could be activated separatly and 
not be bypass by user .htaccess in SubFolders.

I changed now apache-source. (2.2.8)  In server/core.c  (1315, 1439) i 
changed function call from OPT_SYM_LINKS  to OPT_SYM_OWNER
So every time when apache hits a symlink it is testet for correct ownermatch 
and could not bypass by the user.  Should be the best in my cast just 
without to deny whole bunch of Options.
Im not a C-Programmer so i would be happy if someone could confirm that my 
changes are not risky etc.

Thanks
Andre 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message